Financial Firms Still Don't Grasp Cyber-Security, GDPR Weak Spots - Poll

Editorial Staff

17 December 2018

Sweeping European Union data protection laws are still poorly understood by small- and medium-sized firms in the banking, finance and accounting sectors. Only a few of these SMEs also appreciate the scale of cyber-attacks, a survey finds.

The poll of 1,000 SMEs carried out through OnePoll comes after a survey earlier in 2018 showed that almost half of UK firms were hit by cyber-security breaches or attacks in 2017. The , creates tough new penalties for firms that are deemed to have failed in protecting client data when there is a breach.

The GDPR, which entered law in May, requires firms and other organisations to tighten controls on data kept about individuals in a bid to improve privacy and respect for confidential information. The law has been controversial because some critics argue that it is an unduly onerous burden, particularly on smaller firms. On the flipside, some see it as reminding policymakers to respect legitimate financial privacy – an often sore point for the wealth management sector. (An article exploring different aspects of the regulations can be seen here for example.)

Chris Mallett, broking manager for insurer , which commissioned the latest poll, says that financial companies are too often “the weakest link” in the chain when criminals are trying to access sensitive data.

Separately, Mark Taylor, who helps members of the Institute of Chartered Accountants in England and Wales, said financial firms are particularly threatened. "Firstly they hold a lot of personal information and also they are part of the supply chain for those wanting to target other companies," he said.

"There are also particular vulnerabilities associated with the sector including the growth of flexible working, with staff accessing data on-the-go, and the reliance on third party software suppliers," Aon’s Mallett said.

Another weak spot revealed by the Aon poll is what is called the “bring your own device culture” allowing employees to use their personal computers, smartphones or tablets for work purposes. Such devices can expose companies to the increased risk of a cyber-security breach if data is not properly encrypted and controlled, and yet the poll shows that more than one in four practices in the accounting, banking and finance sector allow this.

In addition, it reveals that more than four in ten are not aware that loss of personal information as a result of a cyber-attack or fraud is a data breach.