GDPR fines could cost banks $5.2bn in first three years
Consult Hyperion report suggests banking sector will incur multi-million euro fines for data breaches
Fines for breaches of the upcoming European General Data Protection Regulation (GDPR) could cost the financial sector 4.7bn euros ($5.2bn) in the first three years, according to Consult Hyperion.
Research conducted by the transaction technology consultants predicts that fines for data breaches covered by the GDPR could cost banks in Europe billions of euros, even before compensation claims, lost business, damage to reputations and so on.
Under the new rules, which come into effect in one year's time, any organisation handling private data of European consumers can be fined up to 2% of their annual revenues for a serious data breach, and 4% for repeat offences.
Consult Hyperion predicts that there will be two or three fines in triple digits for the top tiers of banks in the first three years of GDPR, with around 120 breaches resulting in million-euro fines.
GDPR's 72-hour breach notification requirement means managing and responding to a data breach in an open and effective manner is critical. Regulators have significant discretion in the level of penalties they can levy, and are required to take planning, customer notification and mitigation into account in the decision.
"The highest risk item in the GDPR is the 72-hour breach notification requirement, and banks are not mitigating this," said Tim Richards, Principal Consultant, Consult Hyperion. "Data breaches are an unfortunate fact of life for financial institutions, and our analysis suggests that there have been no fewer than 27 data breach incidents among European Tier 1 banks in the last decade, with some banks as multiple offenders, potentially liable for fines at the 4% level. This indicates an 8% chance that any Tier 1 bank will suffer a data breach in any given year. These figures, we believe, are conservative, and banks are not prepared for the consequences under GDPR."
To compound the issue, new European regulations such as PSD2, ePR and AMLD4/5 will mandate that institutions hold more data and make it available over open interfaces, just when data loss becomes especially dangerous.
With less than a year before GDPR goes live, the report advises banks to take urgent action to meet GDPR and other legislative requirements to avoid financial and reputational loss.
The report offers pragmatic advice to financial institutions to mitigate the risk of a data breach and ensure compliance. Three crucial elements are required: the expertise to deal with breach-specific issues including identity theft, the specialised manpower to handle the volume of queries generated when the breach is publicised, and the infrastructure for secure communication channels to notify customers.
"A poorly managed customer notification in the wake of a breach makes you look like a fool. Financial institutions are myopically focused on preventative measures, ignoring the importance of resilience. History tells us that companies that have dealt with data breaches poorly have seen loss of customers, reduced earnings and board level resignations, while those with a prepared plan and a managed response have sidestepped these issues," said Bo Holland, CEO, AllClear ID. "GDPR raises the stakes even higher. With only 72 hours to react, financial institutions that have not invested in response readiness will face the most serious fines and collateral business damage."
The figures were compiled from an analysis of historic data breach figures, adjusted for the size of the financial institution. GDPR sanction levels were then applied to the data. It was assumed that breaches were at the lower end of the GDPR fine scale, which is €10m or 2% of global annual turnover.