Jonathan Middleton, Manager, Technology and Digital
Policy Delivery Coordination, UK Finance
Recent high-profile data breaches have highlighted the risks that we all face from criminals and the need to ensure our data is protected. The economy relies on an ever more complex and interwoven relationship of organisations, underpinned by technology and data. Customers rely on this to access many of the things they take for granted – from buying goods, to managing their data.
However, this interconnectedness can also create problems. Issues in one organisation hit customers in numerous ways, and then spread out into other sectors of the economy. Issues with electronic payments can impact your ability to buy groceries and train tickets, which can lead to an increased demand on cash machines. Equally, data leaked in one sector hits customers in multiple ways, exposing them to risk of criminal activity. In these moments, the real burden falls not only on customers, but also on those who are traditionally trusted with people’s money: banks.
GDPR came into force earlier this year, giving individuals greater control of how their data is used, but also providing a framework for when a data breach happens. Firms now have an obligation to alert the regulators within 72 hours, and they can now face fines if a breach takes place. This change does protect customers, but it is also important to reflect on the longer-term impact and cost of these breaches.
Criminals are becoming smarter about how they attack and disrupt our technology services, looking across the whole digital economy for opportunities. Large holders of data have become rich targets, even if they don’t hold people’s money.
If the website you order groceries from, or the app you purchase tickets to music events from, has a leak or gets hacked, banks have to act. Stolen customer data, including names, addresses and card details, can be used by criminals, or sold to others on the dark web. When retailers are hit and card details are stolen, banks are the ones that face the task of stopping criminal activities for a period of time that goes beyond the initial attack. It is not just a question of cancelling cards – there are new cards to issue, communications to be sent out to customers, and anti-fraud team monitoring activity on behalf of customers. The integration of systems amplifies the actions needed to deal with this kind of criminal activity.
A problem for one is increasingly a problem for all. It is not enough to have a secure system if one is connected to others who may not have a robust system of their own. Cyber security and fraud prevention are often configured on an organisation-by-organisation basis – everyone tries to build their walls individually, and as high as possible. However, this approach does have its limits.
A model is needed that recognises that when it comes to cyber security, the economy is only as strong as its weakest link. An attack on one becomes an attack on all. There needs to be greater cooperation within and between sectors, and a greater understanding of interdependency across the wider economy. Profiles must be configured to include this kind of risk, across partners of all kinds and wherever customers create connections, as part of operational resilience and risk planning.
The Bank of England Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have released a discussion paper entitled ‘Building the UK financial sector’s operational resilience’. The paper raised the idea of stress testing the financial sector for operational resilience, stating that: ‘The Bank plans to launch a pilot of the approach to stress testing in 2019, which will focus on payments’. This stress testing will help regulators and financial organisations to protect customers from disruption, and lessons learned will be of use to the wider economy.
As the UK looks to be the safest and best place to bank and do business, customers and organisations will want best practice to spread across the economy. With cyber an ever-increasing topic for companies, this should now be a matter of priority for the future of UK Plc.