Significant exposure
The patchwork of breach notification laws that now exists in 48 US states creates a great deal of exposure for financial institutions. These laws protect the personal and financial information of state residents, and in the event of a cyber breach they require costly internal investigations, significant spending on outside vendors (forensic investigators, outside counsel, notification and credit-monitoring providers) and, ultimately, notification to affected individuals and the public.
In addition to these state laws, banks and other financial institutions have many unique data protection obligations under the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the regulatory expectations of the Federal Trade Commission. Credit unions must also follow the data security requirements imposed by the National Credit Union Administration.
The publicity fallout from a cyber breach carries the risk of massive reputational and brand damage. It is safe to assume that poorly handled breaches result in far higher customer defection rates; in fact, 22% of breached organizations lost customers, and 40% of those organizations lost more than a fifth of their customer base.*
*Source: Cisco 2017 Annual Cybersecurity Report
Class action lawsuits
The publicity and customer dissatisfaction that surround a cyber breach have spurred a wave of class action complaints against financial institutions big and small. Enterprising plaintiffs' lawyers, relying on a variety of privacy laws, have filed complaints seeking billions of dollars in damages. The risk of crippling damages, combined with the sizeable cost of litigation, often pushes organizations to settle even in the absence of any clear harm to the plaintiffs.
Regulatory investigations and penalties
State and federal regulators have made one point clear: a significant breach of customer information will result in monetary penalties, onerous corrective action plans and ongoing audits. Whether the scrutiny comes from federal or state regulators, the regulatory landscape for financial institutions carries an immense amount of risk.