Most financial services firms and financial advisors take significant measures to prevent a cyberattack, but sometimes even the most diligent get hit. Being prepared to deal with the consequences of a data breach is critical in case an attacker succeeds in compromising that confidential data.
A couple of major financial services firms are currently going through that unenviable exercise. In late July, U.S. bank Capital One Financial Corp. reported that a hacker stole credit card application data of around six million Canadians and 100 million Americans. And Lévis, Que.-based Desjardins Group revealed in June that a rogue employee leaked the personal data of 2.7 million individual clients and 173,000 business customers. Both firms are now facing class-action lawsuits as a result.
Firms and advisors should have an incident response plan ready so that they can hit the ground running in the event of a data breach, says Naren Kalyanaraman, partner at PricewaterhouseCoopers LLP’s financial services cybersecurity and privacy practice in Toronto. In fact, the federal government’s Canadian Centre for Cyber Security advises businesses that an incident response plan is one of the key cybersecurity measures they should have in place.
A good incident response plan lists the stakeholders who need to be contacted when a data breach occurs. These could be either internal employees or external consultancies who are part of a broad, multidisciplinary group that goes beyond the information technology team, Mr. Kalyanaraman says.
“You need business leaders to participate actively [and] you need legal and privacy professionals involved,” he explains. “You need corporate communications people because if there’s a [breach], customers are going to start reaching out very soon.”
One of the first steps of an incident response plan is detection and identification: detecting that something is wrong and identifying which systems and data are affected. Financial services firms and advisors can outsource network monitoring to third-party service providers that will watch for suspicious traffic and help sound the alarm.
The next step is containment; this can be a panicked phase during which firms and advisors need to move quickly. “Sometimes, you may [need to] shut down certain platforms and take them offline,” Mr. Kalyanaraman warns.
This stage is another that often requires a specialist’s services. Forensics experts should take forensic images (bit-for-bit copies) of the firm’s or advisor’s computers and network before touching anything. The computers and network will become important technical and legal evidence later, so they should be treated like a crime scene, says Daniel Tobok, chief executive at Cytelligence Inc., a Toronto-based cybersecurity consultancy with expertise in cyberbreach response and investigations.
If computers were infected by malware, it must be eradicated from the machines before they’re up and running again. “You install everything [again] so that you’re back to normal and users are back online, minimizing downtime as much as you can,” Mr. Tobok says, adding that this can take weeks for larger companies with complex systems. At the same time, firms and their advisors should work with cybersecurity experts to analyze the forensic copies taken earlier, to establish who the attackers were and what data they could have accessed.
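As an added example, not from the article or from the consultancies quoted in it, here is how the “copy before touching anything” step can be carried out with dd on a Linux host: the source is hashed, imaged, and the image is hashed again, with both values written to a chain-of-custody log so the copy that is analyzed later can be shown to be identical to the original. The function names, the log format, and the sample source file created in the demo are assumptions for this illustration; in practice the source would be the drive itself, attached through a hardware write blocker.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's code): acquire a forensic
# image with dd and verify it against the source by SHA-256, recording both
# hashes in a chain-of-custody log.
set -u

sha256_of() {
    # Portable SHA-256: GNU coreutils sha256sum, or BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

acquire_image() {
    # $1 = source device or file, $2 = image path, $3 = custody log path.
    # Returns 0 only if the image hash matches the source hash.
    src=$1; img=$2; log=$3
    # Hash the source first so the baseline predates any further handling.
    src_hash=$(sha256_of "$src") || return 1
    # bs=512 matches the sector size; conv=noerror,sync keeps going past an
    # unreadable sector and zero-fills it instead of aborting and leaving a
    # partial, offset-shifted image. With conv=sync the last block is padded
    # to bs, so bs must equal the sector size or the hashes will not match.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(sha256_of "$img") || return 1
    if [ "$src_hash" = "$img_hash" ]; then verified=yes; else verified=no; fi
    printf '%s\tsource=%s\timage=%s\tsource_sha256=%s\timage_sha256=%s\tverified=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" \
        "$src_hash" "$img_hash" "$verified" >> "$log"
    [ "$verified" = yes ]
}

# Demo on a constructed 32 KiB "device" (a multiple of 512 bytes), run only
# when the script is invoked with --demo so it does not touch real media.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=512 count=64 2>/dev/null
    if acquire_image "$work/evidence.bin" "$work/evidence.img" "$work/custody.log"; then
        echo "image verified"; cat "$work/custody.log"
    else
        echo "hash mismatch: image is not a faithful copy" >&2
    fi
fi
```

Run it as `sh acquire.sh --demo` to see the custody record; the non-zero exit status on a mismatch is the check a practitioner wants before any analysis starts, because an image whose hash does not match the source is not usable as evidence.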
In certain cases, the malware may not have stolen the data directly; rather, it may just have encrypted the data until the firm or advisor agrees to pay a ransom. Advisors who have backed up their data, and whose backups are kept offline, out of reach of the ransomware, and have been tested, can restore from them and won’t need to pay. For others, paying ransomware criminals is a personal choice, but Steve Kee, director, external communications, at the Insurance Bureau of Canada (IBC), says that cyberinsurance policies can be effective here. “Some insurance policies include provisions to pay a ransom and the policies may also pay for the services of a negotiator to work on behalf of organizations that are targeted by a criminal hacker.”
As the investigation proceeds, it’s also important to keep clients up to date on what’s happening and to be transparent in your communication, Mr. Kalyanaraman says. Those who have suffered a data breach must also route all communication through a single point of contact who checks and verifies information with the investigations and legal teams before it goes out.
Financial services firms and advisors may need to provide protection for customers when revealing the breach – and credit report monitoring is the go-to resource to do that.
“The monitoring will tell you if something fishy is going on,” Mr. Tobok says. Eventually, attempts to use clients’ stolen data to obtain fraudulent credit will show up on their credit reports. “The unfortunate part is that some of that stuff will hit credit monitoring sometimes up to three [months] or six months later.”
Clients aren’t the only people who must be contacted in the event of a data breach. Under revisions to the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect on Nov. 1, 2018, organizations subject to the act must now report to the Office of the Privacy Commissioner of Canada any breach of security safeguards that poses a real risk of “significant harm,” a category that includes humiliation, damage to reputation or relationships and identity theft, and must notify the affected individuals. Knowingly failing to report such a breach is an offence that can incur a fine of up to $100,000 per violation.
Even small breaches that don’t cause significant harm must be described in a document that needs to be retained for a period of two years, warns Ruth Promislow, a partner at Bennett Jones LLP in Toronto who focuses on privacy, data protection, cybersecurity and fraud.
“This document would be producible in litigation involving the breach in question and would likely be producible in litigation involving any future security incidents,” she says. “This means that the details of relatively minor security incidents could be used against you in litigation down the road involving a breach. Managing each incident properly, no matter how minor, is therefore critical to containing your exposure in the future.”
Having an incident response plan in place and testing it regularly is the first step in managing a breach, but it’s more of an exercise in damage control than anything else, says Mr. Tobok, who has conducted more than 2,500 data breach investigations throughout his career.
“When the horses have left the barn, there’s only so much you can do,” he says, adding that you can’t retrieve stolen data. “You can lock the door again, but those horses are gone.”