Consult Hyperion forecasts banks to face fines totalling €4.7bn in first three years under GDPR

June 2017 by Consult Hyperion

A new report from Consult Hyperion, commissioned by
AllClear ID, forecasts that European financial institutions could face fines
totalling €4.7 billion in the first three years under the new General Data
Protection Regulation (GDPR). This forecast is conservative and excludes
compensation claims, costs associated with lost customers, damaged reputations and senior executive resignations.

The report, "GDPR: Banks, Breaches and Billion Euro Fines", forecasts the number of data
breaches in the European financial services sector over the next three years and the
corresponding fines under GDPR.

Data Breach Forecast and GDPR Fines

Type of bank   Total number of banks   Forecast average fine (€m)   Forecast breaches   Estimated fines (€m)
Tier 1         32                      260                          2/3                 666
Tier 2         75                      48                           6                   288
Tier 3         5000                    5                            120                 600

Total, year one: €1,554m
Total over three years: €4,662m

Under GDPR, financial penalties for a data breach are substantial. Institutions can
receive fines of up to 2% of the previous year's global annual revenues for a
first offence and 4% for repeat offences where the regulator has previously ordered
remedial action. There are also possible criminal penalties for executives deemed
responsible.

GDPR’s 72-hour breach notification requirement means managing and responding to a
data breach in an open and effective manner is critical. Regulators have significant
discretion in the level of penalties they can levy, and are required to take
planning, customer notification and mitigation into account in the decision.

“The highest risk item in the GDPR is the 72-hour breach notification requirement,
and banks are not mitigating this,” said Tim Richards, Principal Consultant,
Consult Hyperion. “Data breaches are an unfortunate fact of life for financial
institutions, and our analysis suggests that there have been no fewer than 27 data
breach incidents among European Tier 1 banks in the last decade, with some banks as
multiple offenders, potentially liable for fines at the 4% level. This indicates an
8% chance that any Tier 1 bank will suffer a data breach in any given year. These
figures, we believe, are conservative, and banks are not prepared for the
consequences under GDPR.”

To compound the issue, new European regulations such as PSD2, ePR and AMLD4/5 will
mandate institutions hold more data and make it available over open interfaces, just
when data loss becomes especially dangerous.

With less than a year before GDPR goes live the report advises banks to take urgent
action to meet GDPR and other legislative requirements to avoid financial and
reputational loss.

The report offers pragmatic advice to financial institutions on mitigating the risk of
a data breach and ensuring compliance. Three crucial elements are required: the
expertise to deal with breach-specific issues, including identity theft; the
specialised manpower to handle the volume of queries generated when the breach is
publicised; and the infrastructure for secure communication channels to notify
customers.

"A poorly managed customer notification in the wake of a breach makes you look
like a fool. Financial institutions are myopically focused on preventative measures,
ignoring the importance of resilience. History tells us that companies that have
dealt with data breaches poorly have seen loss of customers, reduced earnings and
board-level resignations, while those with a prepared plan and a managed response
have sidestepped these issues," said Bo Holland, CEO, AllClear ID. "GDPR raises
the stakes even higher. With only 72 hours to react, financial institutions that
have not invested in response readiness will face the most serious fines and
collateral business damage."

The figures were compiled from an analysis of historic data breach figures, adjusted
for the size of the financial institution. GDPR sanction levels were then applied to the
data. It was assumed that breaches fell at the lower end of the GDPR fine scale,
which is €10m or 2% of global annual turnover.

The full report can be downloaded here:
https://www.allclearid.com/business/resource/banks-breaches-billion-euro-fines/
