Just over one year ago our email inboxes were spilling over with requests from companies asking for our permission to continue sending us messages on anything and everything, as GDPR set in. Now that time has passed and the dust has settled, has it been as bad as people initially predicted?
There have been a number of high-profile cases of GDPR fines in the news of late, most notably British Airways and Marriott International. British Airways were responsible for diverting user traffic to a fraudulent site, where attackers lay in wait to harvest the personal data of more than 500,000 customers. Marriott International’s fine, however, was down to a failure to undertake enough due diligence when acquiring leisure company Starwood, whose systems had been compromised in 2014. The resulting exposure of customer information was not discovered until 2018.
In Marriott International’s case, a security audit to check basics such as whether servers were secured and customer information was encrypted should have taken place before the systems were combined. Furthermore, the scope of analysis should have gone beyond the traditional view of transactions and reservations to cover loyalty programmes as well, since these were the gateway the attackers used to penetrate the network.
However, a read of the ICO’s enforcement action website soon reveals that it is not just the large firms being hit with fines. In fact, as of 26 July 2019, there are 125 regulatory enforcement actions against a range of companies, for issues ranging from exposure of customer data to direct marketing messages sent without consent. Therefore, regardless of size, as risk managers it is no longer possible to say, ‘That’s an IT issue’.
The trend in the ORIC International dataset is as anticipated. The period before GDPR saw an influx of near-miss events as processes and systems were scrutinised ahead of the new regulation, and whilst the first wave of post-GDPR fines and breaches has still to come to a head, the number of risk events relating to loss of data is certainly on the rise. The big challenge for financial services firms, and indeed any firm, over the next few months is not only knowing where their data is and identifying who has access to it, but ensuring that the appropriate indicators are in place to assess vulnerabilities before they turn into a breach. The world’s most valuable resource is no longer oil, but data. The data your company holds is an asset and has a value. Whilst the possible financial fine is easily calculated, the reputational loss and potential loss of future business are not.
The use of the ORIC data and key risk indicators can help firms to pre-empt potential threats, identify common causes and better quantify potential losses. If you’d like help in discovering how to produce analytics or reports to help you better understand the data and how you can learn from it, please contact us at email@example.com