Cybersecurity has loomed over the retail banking industry and its debt collections processes for years as more high-profile cyber-attacks continue to hit the headlines.
Debt collections records are very sensitive as they contain a significant amount of financial information about customers. This makes retail banks that offer loans, credit cards and mortgages the perfect target for cybercriminals.
To make matters worse, all companies must report data breaches, which can have a detrimental impact on their reputation. Plus, the introduction of the General Data Protection Regulation (GDPR) in May 2018 means any company or institution that breaches the regulation could potentially face a sizeable fine too.
With this in mind, what is the retail banking industry doing to protect its debt collections processes from cybercriminals – and what else needs to happen sooner rather than later?
Figures collated for the Financial Conduct Authority (FCA) by UK law firm RPC show the number of successful cyber-attacks on UK financial services firms had risen by 480% in 2018. Some 33 cases came from insurers, 21 from consumer retail lenders and 11 in retail investment. One of the most notable cases was Tesco Bank, which was fined £16.4 million by the FCA in October 2018 as a result of a cyber-attack that led to £2.26 million being taken from personal current accounts.
Cybercriminals have seen a growth opportunity in the retail banking industry, especially when it comes to attaining sensitive data like debt records. According to a report by Reuters, attacks on bank records are particularly damaging as it isn’t easy to identify which records were accurate and which had been corrupted. Customers regard the protection of their personal data as a priority and will quickly abandon a brand following a major security incident.
When a customer opens up an account with a bank or takes out a loan, they’re trusting it with their personal information and money. When the confidentiality and security element is compromised, the trust rapidly diminishes. This was evident in 2018 when seven UK banks were forced to shut down their systems after cyber-attacks cost them hundreds of thousands of pounds to fix.
The Bank of England has recognised the problems and has developed the CBEST framework for banks. CBEST provides direction on how to conduct a safe yet realistic simulated attack on the people, processes and technology that comprise an institution’s cybersecurity controls.
Every test is carried out by accredited penetration testing companies with an attack team that replicates the actions of a cybercriminal. The aim is to secretly penetrate defences and be in a position where they could steal or corrupt the bank’s data.
The FCA and Prudential Regulation Authority (PRA) have also created a questionnaire called CQUEST, which covers all aspects of cyber resilience – including:
The answers give banks an idea of how good their cyber resilience is and highlight areas for improvement.
However, following regulatory rules won’t help businesses keep pace with the constantly evolving number of cyber threats. Instead, investing in a proactive response is essential to success. The key priorities should include identifying and focusing resources on the most important data that needs protecting – i.e. sensitive data compiled from debt collections processes.
By 2020, leading banks will have developed cybersecurity strategies involving risk-management protocols and regulatory requirements to protect important areas like their debt collections processes. But for banks and financial institutions that don’t have the infrastructure necessary to meet the demands of cybersecurity, third-party software can become a major asset, particularly when it comes to debt collections processes.
The key to cybersecurity is to be proactive, rather than reactive. This involves keeping up-to-date with the ever-changing cyber risks and taking action before any breaches become a reality.