GDPR: Will You Weather the Security Storm?

Compliance    | March 14, 2017

You would think that simple and secure communication with employees and customers would be top of any financial services firm’s checklist, wouldn’t you? That the need for confidentiality and regulatory compliance had never been greater? Especially given that financial data has been among the most commonly exposed and stolen in recent breaches. Think again! Our survey last year found that despite 83 per cent of financial services professionals using email more than any other form of communication, 23 per cent either do not use or are unaware of any email and file sharing encryption technology in place.

It’s time for businesses to batten down the hatches, because the General Data Protection Regulation (GDPR) is coming and businesses are worried about its impact. The European Commission has passed new pan-region regulations, which will come into force in April 2018. Businesses that don’t comply with the new laws could face fines of €20 million or four per cent of global turnover – whichever is greater. Fines of this level will have a significant impact on any business. You only have to look at the costs incurred by TalkTalk following its high profile data breach last year (£60 million and counting, and a considerable loss of customers) – and you can see fines like this keeping the CFO awake at night.

We hosted a roundtable event for CIOs and CISOs of financial services companies. Most admitted that they knew something needed to be done about GDPR compliance, but they didn’t know where to start. It was clear from talking to these senior financial services industry figures that companies are wholly aware of the threat posed by cyber attackers and hackers. They have already taken action against it. However, the pressure to reduce costs is a struggle felt by all. Research by TheCityUK Cyber Taskforce (p.11) found that 46 per cent of companies have cyber threats as a key concern to their business, compared to just 10 per cent in the same survey a year earlier.

It’s not just internal email that needs to be covered by the right level of security. External communication with customers need security measures too. Stories of cybercrime and data breaches continue to hit the headlines daily, while consumers are more technically and security savvy than ever. In fact, a recent survey by the US Dept of Commerce found that, 45 per cent of consumers reported that cybersecurity concerns stopped them from conducting financial transactions online.

Financial services organisations should have strong encryption solutions in place that are both manageable for the business and meet the needs and expectations of customers. Banks have continued to resist because they think it is too complicated. Many argue that customers won’t understand how to use more complex security solutions. This simply isn’t an excuse any more. There are plenty of options on the market that have put user experience at the centre. A valuable email encryption solution makes the process simple for both sender and recipient.

The cost of a data breach to a financial services organisation goes far beyond just financial considerations (although with the prospect of huge fines looming as part of the GDPR – it’s certainly a substantial worry). Reduction in customer confidence and reputation damage are an equally expensive contributing factor. For a long time, FS companies have upped their security precautions at the perimeter of their businesses. Now they need to extend this protection to their customers as well. Issues like TalkTalk breach, along with new government powers to snoop in the form of the Investigatory Powers Bill have left customers more worried than ever before about the security of their data. Banks need to act fast to reassure customers and to avoid churn to a more secure rival. Moreover, all FS companies must ensure they are compliant with the GDPR, by embracing encryption of personal data and the whole idea of security and privacy by design, before it hits in 2018.

The General Data Protection Regulation (GDPR) comes into effect across Europe in May 2018,  US and Canadian companies who think it doesn’t affect them are in for a rude awakening – with fines of €20 million, or 4% of your global revenue, whichever is higher!

This article originally appeared in the Global Banking & Finance Review