Thomas Bostrom Jorgensen
In 2018, one major European bank will experience a data breach so large that the General Data Protection Regulation (GDPR) fine will devastate the organisation, and even put it out of business.
Many may view this as scaremongering. Others may argue that banks' systems will prevent these sorts of attacks. Some may say there is no evidence to support such a claim.
Our research, in partnership with Consult Hyperion, indicates this prediction is not just likely, it’s conservative.
The primary reason is that banks are myopically focused on preventing data breaches rather than responding to them.
Banks will be breached. That is inevitable. The speed and quality of response is what will separate the breaches that are catastrophic from those that aren't.
Response, not just prevention
GDPR introduces a 72-hour breach notification requirement – institutions must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it – along with severe regulatory penalties. Institutions can receive fines of up to 4% of the previous year's global annual turnover (or €20 million, whichever is higher).
Once notified, regulators will be focused on protecting their citizens from the consequences of a data breach and on demonstrating that they are acting in the public's best interest. Where a breach is likely to put customers at high risk, those customers must also be notified "without undue delay". Given the recent spate of breaches that have been "brushed under the carpet", such as Uber's, failure to properly care for affected customers in a timely manner will severely limit regulator discretion when it comes to punitive measures.
Companies that have dealt with data breaches poorly have seen loss of customers, reduced earnings and board level resignations – just look at the Equifax fall-out - while those with a quality response have sidestepped these issues.
When it comes to data breaches, response has become as important as prevention.
A vicious circle of regulation
At the point at which losing personal data becomes an expensive proposition for banks, they are simultaneously being regulated to hold more of it and make some of it available over open interfaces:
• PSD2 (the revised Payment Services Directive) forces financial institutions to open up access to account data to third parties, with the customer's consent, over open interfaces
• ePR (the ePrivacy Regulation) widens the scope of electronic communications data that qualifies as personal data
• AMLD4/5 (the Fourth and Fifth Anti-Money Laundering Directives) require the capture and storage of ever more personal data for customer due diligence
So AMLD4/5 increase the scope of customer data that must be stored, PSD2 provides new channels through which third parties can access some of these data, and GDPR/ePR widen the scope of what counts as personal data and impose severe fines if any of it is exposed without consent.
This vicious circle of regulation creates a huge headache for banks: it increases both the attack surface and the amount of data held, while simultaneously introducing enormous penalties for data breaches.
A fire department, not a bucket brigade
European banks have never had to deal with large-scale breach responses publicly, and do not have the resources required to respond adequately.
Banks need to notify all affected customers. Ideally, this should not be done by email or text. Criminals follow breach announcements with email- and SMS-based phishing campaigns that impersonate the bank, so a genuine notification over the same channels trains customers to act on exactly the kind of message the attackers will send, and may well lead to further compromise. Postal communication is more secure, but slow and expensive.
The customer notifications required under GDPR, and the publicity that follows them, will trigger waves of inbound customer calls. For large banks the number of calls can register in the millions within a 24-hour period, and these calls require specialist knowledge about identity theft and remediation services.
Institutions that rely on their own general-purpose in-house customer service teams will find them overwhelmed by the volume and nature of the calls – leading to loss of customers, bad media coverage and reputational damage.
Proper preparation requires planning to ensure that the right expertise, manpower and infrastructure are in place to deal with the issues when they occur.
In an emergency, banks suddenly realise they only have a bucket brigade when what they really need is access to a fire department.
Counting the cost of GDPR
There were on average 514 verified data breaches globally per year in the financial sector between 2013 and 2016.
Analysis suggests that there have been no fewer than 27 data breach incidents among Tier 1 banks in the last decade, with some banks being repeat offenders, potentially liable for fines at the 4% level. Spread across the Tier 1 population, 27 incidents in ten years indicates roughly an 8% chance that any given Tier 1 bank will suffer a data breach in any given year.
We estimate the average Tier 1 bank fine will be €260 million and the average Tier 2 bank fine at €48 million. These figures do not include compensation claims, costs associated with lost customers, damaged reputations and senior executive resignations.
These figures, we believe, are conservative. Historical data almost certainly underreports the true level of bank breaches, since before GDPR most breaches carried no general obligation to notify anyone.
Data breach forecast and cost (all amounts in € millions; the per-tier forecast is the average fine multiplied by the number of banks in the tier and the annual breach probability)

Type of bank                    Total number of banks     Forecast average fine     Forecast total fines, year 1
Tier 1                          (not preserved in copy)   260                       666
Tier 2                          (not preserved in copy)   48                        288
Third tier (label not preserved) (not preserved in copy)  5                         600

Total, year 1 = €1,554 million
Total over three years = €4,662 million
Failing to plan is planning to fail
Currently, banks believe that preventive measures will protect them and their customers, and that any response can be handled in-house, without specialised external support.
We've handled over 5,000 data breach response operations, including three of the four largest in history, and vehemently believe this view is misguided.
If European banks fail to protect their customers in the case of a data breach, they will incur €4.6 billion in fines over three years, with one bank devastated by a massive fine in the next year.
A homeowner may make every attempt to fireproof their house, but would be foolish to conclude that they will therefore never need the fire department. Similarly, bank executives need to ensure that specialised manpower and scalable infrastructure are ready to respond to customers if a breach occurs, even if they believe that the chances of this are remote.
For those that do not take heed, failing to plan for a breach is planning to fail.