Jan 22 2020

What Should Banks Do in the Aftermath of a Breach?

Between regulations, new threats and PR nightmares, here’s what financial institutions can do to recover from being hacked.

Banks have a deeply personal relationship with their customers by nature. Handling aspects of life such as mortgages, retirement savings and personal loans means that customers must have a higher level of trust in their financial institutions than other businesses. That’s also why security breaches can be particularly devastating to the financial sector.

Because these stakes are so high, financial institutions must meet particular standards and regulations when it comes to security. Federal banking regulators in March 2005 handed down the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, guidelines that must be followed by financial organizations to protect customer information.

The guidance established standards for safeguarding data as well as steps that banks need to take when they encounter a breach. It requires that banks set up a security breach response program that takes responsibility for making sure any third-party vendors are also following the regulations. Failing to meet these standards can result in stiff fines, in addition to the public relations nightmare that can come from losing the trust of customers.

What Banks Need to Do to Protect Themselves from a Security Breach

Regulations require that banks establish a security breach response program as part of their broader information security strategy. According to the American Bankers Association, the response program must have four key elements: the development of a response team, a customer notification and assistance process, assessment of third-party service provider implications and a relationship with law enforcement. The response team should draw its members from all lines of business that might be affected across the organization.

The team needs to ensure that the proper protocols are in place to handle a breach. What this entails can vary from organization to organization, so getting a risk assessment is a good first step. Banking regulations require risk assessments; not only do they reduce cyber-risk, but they also provide evidence to auditors, should a breach occur, that the bank made a good faith effort to protect its customers.

Emerging technology, regulations and evolving cyberthreats — it’s a lot for bank IT departments to keep track of. This is where deploying a compliance and risk mitigation solution can come into play, particularly for smaller organizations that may not have the IT resources to dedicate to different aspects of cybersecurity.


Steps Banks Should Take Immediately Following a Breach

If a breach does occur, there are steps that financial institutions can take immediately to control the damage. Notifying customers that their information may have been stolen must be part of the required response. The notification must be prompt, unless law enforcement believes that disclosing the breach would interfere with a criminal investigation.

Notifications must include a description of what happened, a phone number where those affected can find more information, a reminder to stay vigilant along with encouragement for customers to come forward if there has been theft, and a description of the steps the organization took after the breach. This is where compliance departments can be an asset, assessing what happened and what needs to change in the future.

While data breaches might make customers wary, how a financial institution handles itself can help keep them from leaving. A recent global survey by Verizon and Longitude found that 63 percent of customers would avoid using an organization that had experienced a breach for a period of time, but only 29 percent would avoid them for good. The survey also found that transparency is crucial, with nearly 70 percent saying that openness about how their data is being used is important for an organization to earn their trust.

Customers are more concerned than ever about the security of their personal information, and banks hold possibly the most consequential data of all. By complying with regulations, preparing for the worst and being open with their customers, financial institutions can stand strong against data breaches.
