Jeff Judy

Jeff's Thoughts - August 12, 2015

Cyber Security: Not If But When

Let's admit it: no body of electronic data is perfectly safe, including yours.

I am sure you are confident that you are doing the right things to protect your customers' information. Whether you handle most of this technology issue yourself, or rely on third parties to safeguard customer and other bank data, I have no doubt you can sincerely assure your customers that you take protecting their data seriously and are devoting significant attention and resources toward that end.

But sooner or later, you will have to take steps to reinforce your customers' trust in you.

It could be a question of an actual breach related to data from your customers. That doesn't have to mean your own systems were hacked. Most financial institutions rely on partners of various kinds, with whom they exchange data, and when those third parties have problems, you have problems. When customers have to replace their credit cards, they remember that they got that card from you.

But even if your customers are not impacted by a direct breach of security, they are much more keenly alert to the risks surrounding their private data than they were a couple of years ago. Information stolen from major retailers, from government agencies, and yes, from financial institutions has made them much less confident in anyone's ability to protect their data, including yours.

That means, of course, that you would be wise to take a look at not only what you are doing to protect data, but what your vendors and partners are doing. This is no climate for the complacent. If your security measures need strengthening, make the investment.

And, in the spirit of risk management, invest some serious effort in preparing responses to ugly situations in advance.

First of all, I'd suggest that this is too big an issue to be left entirely to technology staff. Your leadership needs to hold them accountable. How often do the technology experts explain what they are doing to protect data to the leadership team? Yearly? Quarterly? Never?

Second, I'd ask if you already have responses, and plans for rolling them out, for the following situations:

These are not issues you want to handle on the fly, in the high-stress, fast-paced period immediately following the incident. You want employees to know how to respond to questions before they get asked. And you need to have a clear emergency plan for contacting customers and for framing what you say to them before a crisis of trust hits.

You know that public confidence in electronic data is going to continue to be battered as new incidents occur. The doubt, the worry, the lack of information is perhaps the greatest source of stress and discomfort for customers. Being truly ready to communicate quickly with your customers in trying times is a great way to distinguish yourself from those rivals who will wait until something happens before figuring out how to respond.