Exus Blog Article
Cybersecurity: the elephant in the room for debt collections processes
Cybersecurity has loomed over the retail banking industry and its debt collection processes for years as more high-profile cyber-attacks continue to hit the headlines.
Debt collection records are very sensitive as they contain a significant amount of financial information about customers. This makes retail banks that offer loans, credit cards, and mortgages the perfect target for cybercriminals.
To make matters worse, all companies must report data breaches, which can have a detrimental impact on their reputation. Plus, the introduction of the General Data Protection Regulation (GDPR) in May 2018 means any company or institution that breaches the regulation could potentially face a sizeable fine too.
With this in mind, what is the retail banking industry doing to protect its debt collection processes from cybercriminals – and what else needs to happen sooner rather than later?
Data breaches in finance are on the up
Figures collated for the Financial Conduct Authority (FCA) by UK law firm RPC show the number of successful cyber-attacks on UK financial services firms had risen by 480% in 2018. Some 33 cases came from insurers, 21 from consumer retail lenders, and 11 in retail investment. One of the most notable cases was Tesco Bank, which was fined £16.4 million by the FCA in October 2018 as a result of a cyber-attack that led to £2.26 million being taken from personal current accounts.
Cybercriminals have seen a growth opportunity in the retail banking industry, especially when it comes to attaining sensitive data like debt records. According to a report by Reuters, attacks on bank records are particularly damaging as it isn’t easy to identify which records were accurate and which had been corrupted. Customers regard the protection of their personal data as a priority and will quickly abandon a brand following a major security incident.
When a customer opens an account with a bank or takes out a loan, they’re trusting the bank with their personal information and money. When the confidentiality and security element is compromised, the trust rapidly diminishes. This was evident in 2018 when seven UK banks were forced to shut down their systems after cyber-attacks cost them hundreds of thousands of pounds to fix.
Winners will invest significantly in cybersecurity
The Bank of England has recognized the problems and has developed the CBEST framework for banks. CBEST provides direction on how to conduct a safe yet realistic simulated attack on the people, processes, and technology that comprise an institution’s cybersecurity controls.
Every test is carried out by accredited penetration testing companies with an attack team that replicates the actions of a cybercriminal. The aim is to secretly penetrate defences and be in a position where they could steal or corrupt the bank’s data.
The FCA and Prudential Regulation Authority (PRA) have also created a questionnaire called CQUEST, which covers all aspects of cyber resilience – including:
- Does the firm have a board-approved cybersecurity strategy?
- How does it identify and protect its critical assets?
- How does it detect and respond to an incident, recover the business and learn from the experience?
The answers give banks an idea of how good their cyber resilience is and highlight areas for improvement.
However, following regulatory rules won’t help businesses keep pace with constantly evolving cyber threats. Instead, investing in a proactive response is essential to success. The key priorities should include identifying and focusing resources on the most important data that needs protecting – i.e. sensitive data compiled from debt collections processes.
By 2020, leading banks will have developed cybersecurity strategies involving risk-management protocols and regulatory requirements to protect important areas like their debt collection processes. But for banks and financial institutions that don’t have the infrastructure necessary to meet the demands of cybersecurity, third-party software can become a major asset, particularly when it comes to debt collection processes.
The key to cybersecurity is to be proactive, rather than reactive. This involves keeping up to date with the ever-changing cyber risks and taking action before any breaches become a reality.