BankThink

Data Insecurity Is a Systemic Threat

As if the financial system needed more challenges, there is a huge one lurking that never goes away: keeping data secure. Because our current market and economic predicament has presented a barrage of other risks that are perceived as more immediate, securing customer and corporate data too often remains at the bottom of the triage list.

In the meantime, corporations continue to suffer major data breaches with discouraging regularity, and the risks are growing faster than our capacity to mitigate them. Therein lies the danger.

The FBI rates cyber attacks as the third greatest threat to U.S. security behind only nuclear warfare and weapons of mass destruction. Recent bank data breaches have been so severe as to merit mentioning in the first annual report from the Financial Stability Oversight Council as a potential systemic threat. As the report notes, these attacks serve as "important reminders that both regulators and firms need to continuously upgrade the resilience of their electronic systems and networks."

Finance is becoming ever more dependent upon the Internet and all other manner of technology for selling financial products and completing transactions. In an era when clients demand more service and quicker speeds, retail banking continues to tilt increasingly towards branchless, paperless, electronic delivery systems.

Just consider paper checks, which are going the way of phones with dials and watches with winding stems — that is, they are becoming a relic that folks will reminisce about over Thanksgiving dinner. Paper checks made up less than 25% of the noncash payments in the U.S. in 2009. The use of checks has declined by $6 billion since 2006 to $24.5 billion in 2009, while total noncash payments have increased by 4.6% annually.

This innovation has many benefits, but there are significant risks. Technology breaches, crashes, and hack-attacks are now commonplace in business, and finance is particularly vulnerable.

Finance is an information business, and information technology has been and is at the heart of the technology revolution. As a result, banks are particularly susceptible to the costs of data security gaps and ruptures.

Every few days there are more revelations of data breaches, and it appears as if these problems are accelerating. The number of hacking incidents through July is outpacing last year, with a 370% hike in the number of records improperly disclosed compared with all of 2010. That adds up to a flock of potential black swans.

The Internet was never created to be bullet-proof from a data security perspective, and the current version is easily pierced. Cyber attack is a distinct danger and not enough has been done yet to give confidence that protections will prove effective. Banks may enhance their own security, but remain highly reliant on third-party vendors, which may not be subject to the same stringent security requirements.

Recently, firms in the U.S. have been under "Advanced Persistent Threats," which are conducted with intent by well-funded hackers. Vigilante groups or "hacktivists" have also targeted companies this year, continuing attacks in 2010 that were carried out to protest the suspension of services, such as donations and server hosting, to Wikileaks and as retribution against companies that have pursued hackers through legal and criminal proceedings.

Economic losses from hacking, including reputational losses, can be unusually high for a firm that is uniquely affected by a cyber attack. Aside from customer losses and replacement costs, there may also be market costs to victims of cyber attacks. Stock prices can be negatively affected to the tune of 1% to 5% in the days following a cyber attack, which translates into losses of $50 million to $200 million for shareholders of the average NYSE company. Furthermore, being perceived as having less robust security than competitors can be detrimental to the bottom line. According to a recently released survey from Fundtech, 74% of bankers surveyed believe that small- and medium-size business customers would switch to banks that offered better security, another reason to be at the forefront of security upgrades.

As technology morphs further, cloud computing presents additional challenges. Data is coming off the hard drive and moving to shared data mechanisms provided by companies with better than average security, but offering bigger returns for successful hackers. Forrester Research projects that the global cloud computing market will grow from $41 billion in 2011 to $119 billion in 2014.

Of course, individual banks and associations are spending considerable sums to deal with this problem. However, more needs to be done. What should occur swiftly is for government and the financial sector to redouble collaborative efforts, setting high goals for minimizing data privacy and data disruption issues.

The recently updated FFIEC online banking authentication guidance endorses stress tests to highlight potential security breaches and the use of layered security, including strong authentication, out-of-band technology, and complex challenge questions. This guidance, in conjunction with customer education and vetting of vendors, should be implemented across businesses.

Irrespective of whether such collaboration takes root, financial institutions and their boards of directors need to take these issues extremely seriously. Data security is an issue of potentially systemic proportion.

Eugene A. Ludwig is a founder and the chief executive of Promontory Financial Group LLC. He was the comptroller of the currency in the Clinton administration.
