Banks and insurers lack data security confidence, survey finds

Firms not doing enough to respond to looming regulation and threats, according to report 

Just over one in five retail banking and insurance executives (21 percent) are highly confident their firm could detect a data breach, according to new research.

The study by Capgemini suggests that while banks are committed to building more robust cyber-defenses, their efforts are lagging behind the sophistication of hackers and a wave of forthcoming regulation designed to protect consumer data privacy: less than half – 40 percent – of executives surveyed by Capgemini say their firm has robust and fully automated intelligence capabilities to identify new cyber-security threats.

Respondents are also slow to respond when a weakness is found, with 49 percent saying it takes their firm between three months and one year to manage vulnerabilities and patch up critical systems.

The report’s authors warn that banks and insurers appearing to have inadequate cyber-security practices will lose business. Sixty-five percent of consumers the firm surveyed view trust in data privacy and security as an extremely significant factor when choosing their bank.

Mike Turner, global cyber-security COO at Capgemini, warns consumers that their faith in banks’ security is mistaken. ‘While banks are evolving to combat the sophisticated threat cyber-criminals pose, public understanding of the threats and challenges remains low,’ he adds.

Data privacy and protection regulations are tightening around the world, particularly in Europe with the European Commission’s forthcoming General Data Protection Regulation (GDPR).

The landmark regulation will come into effect in May 2018 and place stricter restrictions on businesses’ collection, storage and use of EU residents’ data. Under GDPR, firms will be required to disclose data breaches within 72 hours of discovery.

While the regulation comes from Brussels, it applies to any company – regardless of where it is operating – that gathers and uses EU resident data, so many North American companies will need to think about how they obtain consent from data subjects, how they store data and how long they store data for. Multinational companies will also need to examine the legality of transferring data across borders between EU and non-EU member states. 

Capgemini’s research finds that 78 percent of companies surveyed retain customer data even after an individual ceases to be a customer. Only 21 percent update the data consent clause whenever there is a policy refresh.

Both of these practices could be restricted by GDPR, depending on how the data retention and ‘right to be forgotten’ regulations are enforced. The largest fine for non-compliance with GDPR is €20 million ($21.3 million) or 4 percent of global revenue.

The US Privacy Shield, which was negotiated last year by the US Department of Commerce and the European Commission, provides US companies with a GDPR-compliant framework for transferring data. Companies are required to self-certify that they comply with the framework and publicly express their commitment to compliance.

In the US, the SEC has ruled that companies must disclose all material breaches, meaning the intrusion is significant enough to influence an investor’s decision to sell a company’s stock. This has proved to be a loose definition, with only 95 of the more than 9,000 publicly listed companies in the US informing the SEC of a cyber-breach since 2010.

Officials from the US Department of Homeland Security and US Department of Justice last month advocated for greater collaboration between government agencies and the private sector (, 1/17).

