Top 10 op risks 2020: data compromise

Hackers, thieves and wobbly in-house data management keep this category near the top of the list

Sitting atop a trove of personal data, banks make tempting targets for hackers looking to make mischief, criminal rings out to collar data for cash, even cyber terrorists bent on holding banks to ransom.

While the operations and reputation of any bank hinge on accurate and secure data, the possibility of breaches, disclosure or destruction of information seems to be growing. A handful of expensive and embarrassing incidents in the past year highlight the threat, with assailants relentlessly probing for chinks in bank cyber defences.

“The threats continue to evolve. You have an increased need to be in front of it,” says an operational risk executive at a large North American bank. “We saw the big Capital One breach, so it’s certainly not going away.”

02 Data compromise

Last July, Capital One, the US credit card giant, said an attacker had exploited a configuration vulnerability in the bank's infrastructure and got hold of the personal data of roughly 100 million credit card applicants, as well as 140,000 social security numbers and 80,000 linked bank account numbers of existing credit card customers. The incident would cost Capital One as much as $150 million in customer notifications, legal fees and technology upgrades, it said.

In this year's Top 10, data management, a discrete category in previous top 10 lists, has been folded into data compromise to form a single topic. The causes and preventions differ: one concerns protecting a firm's data from external malicious attack, the other the risk of mismanaging or mislaying data internally. The financial and reputational harm, however, can be the same. Last year, data management was eighth on the list.

Banks face an uphill battle in protecting their data. In a March 2019 report, endpoint security vendor Carbon Black said 67% of surveyed financial institutions had reported an increase in cyber attacks in the previous 12 months, and 26% had been targeted by "destructive" cyber incidents, that is, intrusions that destroyed data rather than merely stealing it.

Several factors are at play. The sophistication of attackers is on the rise. Some are state-sponsored groups, which can become more volatile in uncertain global times. Others are ordinary criminals seeking to peddle the information for profit.

“What I really worry about is someone taking critical customer data and putting it on the dark web,” says an operational risk executive at a North American bank. Some banks have proactively sent ethical hackers onto the dark web to detect attacks and assess threats.

At the North American bank, the approach to preventing breaches is twofold: it has put in place advanced controls on the most sensitive data, and it is educating employees on good practices, ranging from basics such as how to recognise phishing to keeping up with the latest software patches. The bank has also begun monitoring employees with access to critical data, including IT teams, since privileged insiders can bypass controls aimed at external attackers.

Not all intrusions are virtual, and some are inside jobs. Just last month, Fifth Third Bank said several former employees had manually stolen the information of around 100 customers and shared it with a fraud ring. The bank underscored that the theft was not a cyber breach, “but rather an orchestrated effort by a small group of employees to steal personal information”.

In yet another old-school theft, last September Allianz Global Assistance, the travel insurance arm of Allianz, said a safe containing backup magnetic tapes was stolen. Initially, the insurer said 260,000 customers who had purchased roadside assistance had been affected, but it later emerged that more than 2 million customers who had purchased assistance indirectly through car manufacturers were also exposed.

The other side of data compromise is in-house management. Last year, UK authorities fined Goldman Sachs and UBS millions for transaction reporting lapses, while Citi was penalised in the US for prudential reporting lapses. Data mismanagement underpinned all these cases.


“Fines tend to be imposed for repeated and systemic failures. To avoid being fined, banks need to periodically test that their reporting logic is correct and that trades are correctly flagged and that all relevant trades are flowing into their reporting engines,” says an op risk executive at a global bank.
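The test the executive describes, that reporting logic is correct, trades are correctly flagged and every relevant trade reaches the reporting engine, is in practice a reconciliation between the trade book and the reporting feed. The script below is an added illustration, not code from the article or from any bank; the `Trade` and `Report` records, the scope rule in `expected_reportable` (spot FX out of scope, everything else reportable) and the sample trades are all constructed for the example and do not mirror any actual regulation. The point of re-deriving the reportable flag independently, rather than trusting the booking system's own flag, is that a bug in the flagging logic is exactly what a self-assessment needs to catch.

```python
"""Reconcile booked trades against what the reporting engine sent.

Added example, not a bank's production code. Record formats, the scope
rule and the sample data are hypothetical and constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    trade_id: str
    instrument: str   # hypothetical asset-class code: "EQ", "IRS", "FX_SPOT"
    venue: str
    notional: float
    reportable: bool  # flag as set by the booking system (may be wrong)


@dataclass(frozen=True)
class Report:
    trade_id: str
    venue: str
    notional: float


def expected_reportable(trade: Trade) -> bool:
    """Independent re-derivation of the reportable flag.

    Hypothetical scope rule for this example only: spot FX is out of
    scope, everything else must be reported. A real check would encode
    the regulation's scope rules here, independently of the booking flag.
    """
    return trade.instrument != "FX_SPOT"


def reconcile(trades, reports):
    """Return the trade IDs behind each class of reporting failure.

    misflagged: booking flag disagrees with the independently derived rule
    missing:    in-scope trade that never reached the reporting engine
    mismatch:   reported, but venue or notional differs from the book
    duplicate:  the same trade reported more than once
    orphan:     a report with no corresponding booked trade
    """
    findings = {k: [] for k in ("misflagged", "missing", "mismatch", "duplicate", "orphan")}
    counts = Counter(r.trade_id for r in reports)
    by_id = {r.trade_id: r for r in reports}
    booked = {t.trade_id for t in trades}

    for t in trades:
        should = expected_reportable(t)
        if t.reportable != should:
            findings["misflagged"].append(t.trade_id)
        rep = by_id.get(t.trade_id)
        if should and rep is None:
            findings["missing"].append(t.trade_id)
        if rep is not None and (rep.venue != t.venue or abs(rep.notional - t.notional) > 0.005):
            findings["mismatch"].append(t.trade_id)

    for tid, n in counts.items():
        if n > 1:
            findings["duplicate"].append(tid)
        if tid not in booked:
            findings["orphan"].append(tid)
    return findings


# Constructed sample data: one clean trade and one example of each failure.
SAMPLE_TRADES = [
    Trade("T1", "EQ", "XLON", 1000.0, True),      # reported correctly
    Trade("T2", "IRS", "OTC", 5_000_000.0, True),  # never reaches the engine
    Trade("T3", "FX_SPOT", "OTC", 2_000_000.0, True),  # flagged in scope by mistake
    Trade("T4", "EQ", "XPAR", 250.0, True),        # reported with wrong notional
    Trade("T5", "EQ", "XLON", 400.0, True),        # reported twice
]
SAMPLE_REPORTS = [
    Report("T1", "XLON", 1000.0),
    Report("T4", "XPAR", 25.0),
    Report("T5", "XLON", 400.0),
    Report("T5", "XLON", 400.0),
    Report("T9", "XLON", 75.0),                    # no such trade in the book
]


def run_sample():
    return reconcile(SAMPLE_TRADES, SAMPLE_REPORTS)


if __name__ == "__main__":
    for kind, ids in run_sample().items():
        print(f"{kind:10s} {ids}")
```

Run periodically over the full book rather than a sample: the failures regulators fine for are the systemic ones, and a single missing asset class or venue feed shows up as a cluster of `missing` IDs sharing one attribute.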

The fines for UBS and Goldman were for legacy issues under Mifid I, which was supplanted in January 2018 by Mifid II. Banks claim the newer regime is unduly burdensome and are lobbying for revisions in the European Union's targeted review, such as altering the scope of transparency for over-the-counter derivatives and addressing the delays applied to some types of trade reporting.

“Trade and transaction reporting is one of our biggest risks,” says an operational risk executive at a North American brokerage. “It’s something we actively manage through the RCSA [risk control self-assessment] process. We’ve invested to beef up that process.”

Yet another aspect of data management is adherence to the Basel Committee’s principles on risk data aggregation and risk reporting, BCBS 239. Originally conceived as a framework for internal reporting, BCBS 239 is increasingly being applied by regulators to assess the adequacy of regulatory reporting, and in some cases they have fined banks for lapses.

The financial industry appears to be getting the message, with companies investing heavily in cleaning up data that drifts as it is modified over the course of time.

“We are maintaining our vigilance around data quality, ensuring clear data elements owners, lineage and data tracing,” says the head of operational risk at a financial markets utility. “Historical data on legacy systems or in central hubs can increase the risk of cyber threats or data compromise.”

Banks are still struggling with technical aspects of BCBS 239 though, according to a study in the Journal of Risk Model Validation. Surveying 29 banks, the study concluded that banks need to make improvements in four areas: master data management, audit trail, metadata management and data validation. It also found that external contractors working on model development, backtesting or any other projects that require the use of data were the primary source of problems in the audit trail.
