Banks continue to be widely trusted by consumers to be secure and good stewards of their most intimate information. A new survey highlights however, that the majority of banks either has weak security and data privacy policies, or is weak in one of the two areas. The introduction of the General Data Protection Regulation next year may disclose just how porous bank defences are, with considerable negative consequences for banks and insurers – 74% of consumers say they would consider shifting to a competitor on a breach.
As breaches become more common in cyberspace, resulting in more and more consumers’ personal, and private, information ending up on the street – consumers end up finding themselves in considerable uncertainty and, if unlucky, left behind with time consuming problems. While a number of sectors, and companies, have suffered considerable reputation damage from breaches, others continue to enjoy relatively positive consumer sentiment about their relative safety.
In a new report from Capgemini, titled ‘The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer and More Secure’, the consultancy firm explores in how far financial services institutions, banks and insurers, have developed their defences, as well as the perception of consumers about the industry as a whole. The study involved 7,600 consumers across eight countries, as well as interviews with 183 senior security and privacy professionals from global banking and insurance organisations.
The research highlights that there are considerable gaps among a large number of banks and insurers surveyed. As it stands, around 29% of those surveyed have both strong data privacy policies and a strong security framework in place. 31% of respondents however, are weak in both categories, with the largest chunk of respondents particularly weak in terms of the strength of their data privacy policies.
To get a better sense of what distinguishes the pace-setters out from the laggards, the firm asked respondents to identify their respective capabilities and procedures across a number of key security and data policy parameters.
While 29% of those surveyed were shown to have relatively strong security and data privacy policies in place, few of the respondents (21%) say that they are highly confident of detecting a data breach. Almost the majority of respondents (49%) say that, when a vulnerability is found, it takes between three months and a year to patch. Few of the respondents (40%) have a robust and fully automated cyber threat intelligence capability at their disposal.
The research also found that a large number of respondents continue to retain customer data even after the customer has moved elsewhere – which, if the reason for the move was a data breach, may continue to incite customer ire as well as risk (further) exposure. Few of the responding institutions (21%) update their data consent clause when they refresh their data policy.
While the study highlights that banks and insurers leave much to be desired when it comes to cyber security and data privacy policies, they continue to attract considerable trust from consumers, at 83% of consumers surveyed. Alternative payment providers come in second, at 49%, while e-commerce firms, which have seen mega scale breaches, come third on 28%.
Telecom firms, retailers, social networking sites and FinTech firms are all seen as untrustworthy by the vast majority of respondents. While banks have thus far continued to enjoy positive perception from consumers – the stark reality of breaches in the industry will need to be disclosed from next year within 72 hours of discovery, as part of the General Data Protection Regulation regulations.
Security concerns, particularly when trust is broken, results in 47% of consumer respondents being deterred from using a digital channel. Unsecured websites were found to be the primary reason for not using a digital channel by 29% of respondent comsumers for insurance, 32% for banking and 31% across all websites. Unsecured mobile apps were the primary reason for a consumer not to use the digital channel in 31% of cases for insurance and 35% for banking.
The potential misuse of data was cited by respondents as the most concerning however, with 40% of respondents not using insurance digital channels on the basis of the risk and 33% avoiding baking on basis of the risk. The firm notes that addressing the respective concerns, or mitigating the creation of such concern in the future, would create considerable benefits for financial services firms – not least because transaction costs online are 43% lower than at a branch.
Banks also risk losing customers if it becomes clear that their security or data use policies are lax and/or intrusive. The report notes that across all respondent countries, 74% of consumer respondents say that they would switch institution if there was a data breach at their current provider. In the UK this rose to 80%, while in the Netherlands it fell to 58%. Germany and Spain too are particularly concerned, at 83% and 90% respectively – in Spain this is partly the result of data breaches in recent years.
Mike Turner, Global Cybersecurity Chief Operating Officer at Capgemini, says, “Consumers implicitly trust banks with their money and data, but this faith is rooted in a mistaken belief their provider can be 100% secure. While banks are evolving to combat the sophisticated threat cybercriminals pose, public understanding of the threats and challenges remains low.”