Skip to main content
Feb 15, 2017

Banks and insurers lack data security confidence, survey finds

Firms not doing enough to respond to looming regulation and threats, according to report 

Just over one in five retail banking and insurance executives (21 percent) are highly confident their firm could detect a data breach, according to new research.

The study by Capgemini suggests that while banks are committed to building more robust cyber-defenses, their efforts are lagging behind the sophistication of hackers and a wave of forthcoming regulation designed to protect consumer data privacy: less than half – 40 percent – of executives surveyed by Capgemini say their firm has robust and fully automated intelligence capabilities to identify new cyber-security threats.

Respondents are also slow to respond when a weakness is found, with 49 percent saying it takes their firm between three months and one year to manage vulnerabilities and patch up critical systems.

The report’s authors warn that banks and insurers appearing to have inadequate cyber-security practices will lose business. Sixty-five percent of consumers the firm surveyed view trust in data privacy and security as an extremely significant factor when choosing their bank.

Mike Turner, global cyber-security COO at Capgemini, warns consumers that their faith in banks’ security is mistaken. ‘While banks are evolving to combat the sophisticated threat cyber-criminals pose, public understanding of the threats and challenges remains low,’ he adds.

Data privacy and protection regulations are tightening around the world, particularly in Europe with the European Commission’s forthcoming General Data Protection Regulation (GDPR).

The landmark regulation will come into effect in May 2018 and place stricter restrictions on businesses’ collection, storage and use of EU residents’ data. Under GDPR, firms will be required to disclose data breaches within 72 hours of discovery.

While the regulation comes from Brussels, it applies to any company – regardless of where it is operating – that gathers and uses EU resident data, so many North American companies will need to think about how they obtain consent from data subjects, how they store data and how long they store data for. Multinational companies will also need to examine the legality of transferring data across borders between EU and non-EU member states. 

Capgemini’s research finds that 78 percent of companies surveyed retain customer data even after an individual ceases to be a customer. Only 21 percent update the data consent clause whenever there is a policy refresh.

Both of these practices could be restricted by GDPR, depending on how the data retention and ‘right to be forgotten’ regulations are enforced. The largest fine for non-compliance with GDPR is €20 million ($21.3 million) or 4 percent of global revenue.

The US Privacy Shield, which was negotiated last year by the US Department of Commerce and the European Commission, provides US companies with a GDPR-compliant framework for transferring data. Companies are required to self-certify that they comply with the framework and publicly express their commitment to compliance.

In the US, the SEC has ruled that companies must disclose all material breaches, meaning the intrusion is significant enough to influence an investor’s decision to sell a company’s stock. This has proved to be a loose definition, with only 95 of the more than 9,000 publicly listed companies in the US informing the SEC of a cyber-breach since 2010.

Officials from the US Department of Homeland Security and US Department of Justice last month advocated for greater collaboration between government agencies and the private sector (, 1/17).

Ben Ashwell

Ben Ashwell

Ben Ashwell is the editor at IR Magazine and Corporate Secretary, covering investor relations, governance, risk and compliance. Prior to this, he was the founder and editor of Executive Talent, the global quarterly magazine from the Association of...