The cost of data breaches: An insight into the financial sector and reputational risks
Finance is one of the UK’s 13 national infrastructure sectors, which by definition means the country depends on this sector to sustain and keep day-to-day life operating smoothly for all of its citizens. The amount of money and data an institution handles, and how essential it is to the economy, make financial firms an attractive target for cyber attackers, especially for ransomware operators, who bet that businesses cannot afford to lose access to their data.
A cyber attack on a financial institution can have wide-reaching impact, especially if multiple countries depend on the function that institution provides. As an example, in 2020, the European Central Bank’s real-time gross settlement system at the time, TARGET2, was disrupted for almost 11 hours, causing a failure of all payment transactions. Considering that every five days TARGET2 processes a value close to the GDP of the euro area, protecting TARGET2 from cyber attacks and building resilience becomes of utmost importance. Depending on the affected institution, even a few hours of downtime could bring the market to a halt.
Cyber security as a global concern
It would be a mistake to suggest that only institutions operating at the international level are targets. Based on the April 2024 Global Financial Stability Report by the International Monetary Fund (IMF), the most targeted institutions within the global financial sector are banks, insurers, and asset managers. To prevent instability in global finance, the IMF stresses having proactive policies in place along with information sharing across borders to collaboratively assess risks from cyber threats.
Based on a 2023 survey by the Bank of England, the threat from cyber actors is a shared concern: 80% of participants (which include banks, insurers, and asset managers) cited a cyber attack as one of the top five risks to the UK financial system – the most cited factor, ahead of others like geopolitics (66%) and inflation (57%). Along with ongoing conflicts in neighbouring Russia and Ukraine, plus long-term consequences from the pandemic, cyber security remains a top concern for executive leaders seeking to stay ahead of the threat.
Read on to learn more about the cost of data breaches and strategies for mitigating the risks – to keep your financial institution protected as best as possible when attackers inevitably come knocking on your door.
The cost of data breaches
The losses that come from cyber security attacks can affect multiple aspects of a financial firm, including profits, reputation, and the ability to meet government regulations. In a precarious economic environment, the effects could extend to destabilising the UK’s economy as well.
Loss of profit
Last year, IBM reported that the average cost of a data breach for a UK business in financial services was 5.3 million pounds, versus an average of 3.4 million pounds across all industries. At 55% higher than the norm, this difference indicates there’s more at stake when financial firms suffer a cyber attack. Compounded across the sector, the IMF cites a global loss of $2.5 billion across the financial industry since 2020, with institutions in advanced economies (e.g., the UK) more exposed than those in emerging market and developing economies.
Adding to the financial cost of lost profit are the significant fines for not complying with government regulations. Institutions found in severe violation of the General Data Protection Regulation (GDPR) can face a fine of up to 20 million euros, or 4% of their total turnover from the previous fiscal year. The high cost of this penalty signals that protecting people’s data is an essential part of running a business.
Loss of reputation
Protecting data is not just a government mandate; it’s also an expectation of consumers. In a survey by McKinsey, over 85% of consumers want to know what a company’s data privacy policy entails before doing business, and nearly half of the surveyed consumers will consider a competitor if they’re unable to understand a business’s policies. Especially in the finance sector, where sensitive information (e.g., a bank account number) is held, or where crucial activity (e.g., processing a transaction) is run, customers want and expect the highest standard of protection.
When a public data breach happens, customers may lose faith in the ability of an institution to properly handle their data, resulting in a loss of reputation. While quantifying this loss directly can be difficult, an indirect indicator is how much an institution’s stock price falls after news of a data breach – and sometimes the effects last for years afterwards. In the infamous Equifax data breach of 2017, Equifax’s stock price dropped 18.4% within several days. Six years later, Equifax is still paying the price: in 2023, the UK regulatory body, the Financial Conduct Authority, fined Equifax Ltd over 11 million pounds for failing to protect the data of its UK consumers.
Impact on the economy
In addition to lost profit and the reputational damage reflected in its stock price, a financial institution may find itself struggling to maintain liquidity. Such a struggle would not be welcome, especially in the current environment of higher risk-free interest rates, as the Bank of England states in its December 2023 Financial Stability Report. If the post-attack loss in consumer confidence triggers a reaction that causes everyone to withdraw their money at the same time, banks could find themselves insolvent.
With the finance sector being one of the UK’s national infrastructure sectors, if the impact of cyber attacks becomes widespread (e.g., an attack on third-party software that affects multiple institutions), a domino effect can threaten the UK's financial stability.
Strategies to mitigate the risks
Although the stakes are high for a financial firm, institutions can significantly reduce their attack surface by adopting, at a minimum, essential cyber security practices. As the UK Information Commissioner, John Edwards, states: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.”
Consider incorporating the following strategies to protect your financial institution, the information of the people you serve, and ultimately, the economy of the UK.
Start with leadership
Decision-makers who understand the importance of cyber security naturally prioritize it, and the effects are clear. IMF researchers found that firms with board members knowledgeable in cyber security had better cyber security governance—a top-down strategy to integrate cyber security into operations. Taking this fact one step further, the UK government found that improving cyber security governance tends to drive the fastest advances in an organisation’s resilience. Sending a message on what’s important to the company will drive immediate action to ensure the right strategies get executed.
Assess your stance
Knowing your baseline will inform you of the difference between where you are and where you need to be. You might start by achieving industry-standard baselines, like installing (and updating) anti-malware and implementing multi-factor authentication to protect your accounts.
Keep in mind that since the cyber security field evolves as new technologies (and attacks) emerge, assessing your baseline should be periodic and tracked over time. Two complementary ways of achieving this are vulnerability assessments, where you discover and prioritise flaws in your most important assets, and penetration testing, where you simulate attacks attempting to gain access to your systems in real time. With vulnerability assessments, you’re building your defences, and with penetration testing, you’re putting your defences to the test.
Respond and recover
When you do end up hacked, time is key: do you know to what extent your financial institution can withstand a cyber attack—one that renders your systems inoperable? Minimising downtime as much as possible is crucial for financial institutions, given their role in the economy. Step one is having plans in place; from there, you should actually test them, starting with a paper exercise and moving on to more realistic drills. Small and medium firms can follow the National Cyber Security Centre’s guide on Cyber Security Response and Recovery; you could also bring in cyber security consultants to help you create tailored solutions that meet your requirements.
Educate your employees
While addressing cyber security might come from a top-level directive, it takes a team to understand the strategy and execute the vision. Investing in cyber training for your staff will pay off, as phishing and stolen or compromised credentials were the top initial attack vectors, according to IBM’s Cost of a Data Breach Report. Especially in this age of generative artificial intelligence, phishing attacks will come faster and with higher sophistication. Educating your staff to recognise tactics will empower them as your frontline defence.
Share your experience
With multiple firms relying on the same third-party software, and attackers increasingly targeting that software as an attack vector, transparency becomes more important. Sharing data helps institutions across the finance sector (and beyond) be prepared, learn from each other’s lessons, and regain control from attackers.
Transparency benefits both the UK and the global community. After all, the cyber domain has no borders, and stolen funds can (and do) move across regions. Only international cooperation can hunt the attackers down. In fact, the National Crime Agency, together with the FBI, recently took down LockBit, the most prolific Ransomware-as-a-Service organisation in recent history. As Home Secretary James Cleverly promises, “The UK has severely disrupted [LockBit’s] sinister ambitions, and we will continue going after criminal groups who target our businesses and institutions.”
Putting it together
In this current economic environment, protecting your financial institution means securing your customers’ assets, meeting government regulations, and protecting the economy of the UK and beyond. By adopting cyber security best practices—from assessing baselines to developing a recovery plan—you’ll be preparing yourself to detect, withstand, and quickly recover from a significant cyber attack. By sharing your data with international partners, you’ll know you’ve done your part to protect global infrastructure from cyber threats.