When it comes to the financial damage that breaches can wreck on financial institutions, it is not just the outright theft of account funds, rectifying the loss of customer data or even just rebuilding network damage after an attack that can be costly — there are also the regulatory penalties and fines associated with not properly shoring up systems or giving timely notice to impacted customers.
Up until recently, the penalties of enforcement actions against financial institutions worldwide had been on the rise, just as fraud attempts and incursions targeting banks, credit unions, investment houses and the like. In the past couple of years, JP Morgan Chase & Co., Capital One and Morgan Stanley have all been levied multi-million dollar penalties (as well as class action lawsuit judgments) related to security mismanagement that led to breaches or a failure to give appropriate notification to customers about compromises.
Last month, the U.S. Securities and Exchange Commission (SEC) fined Chase $125 million due to employees' insecure practices, namely using WhatsApp and personal email accounts to transact official business, thus not adhering to SEC record-keeping requirements. Additionally, under a separate enforcement action, the Commodity Futures Trading Commission also fined the bank $75 million for the same behavior going back six years.
In August 2020, Capital One Financial Corp was levied an $80 million penalty by the Office of the Comptroller of the Currency for failing to spot and manage cyber risk, resulting in a huge data breach the previous year. More recently, in late December 2021, Capital One announced it would pay $190 million to settle a class-action lawsuit in response to a massive hack on the bank’s cloud network on Amazon Web Services that led to the theft of personal data from 100 million customers in 2019.
And just earlier this month, Morgan Stanley agreed to pay a $60 million settlement in a lawsuit that alleged the white-shoe Wall Street bank had opened up the personal data of more than 15 million customers to exposure by not correctly retiring old computer equipment. (Morgan Stanley agreed to the settlement and has publicly acknowledged that it has made data security practice upgrades, but the bank still maintains that it was not in the wrong, according to court filings.)
"There are a few ways to think about the true cost of mishandled breaches, because while Chase and CapOne may be able to afford nine-figure fines, a mid-market or small FSI [financial services institutions] would be devastated by a six-figure fine," said Guy Moskowitz, CEO of Coro, cybersecurity platform for mid-sized businesses. “Mid-sized financial services institutions must comply with exactly the same regulations as the largest ones, but rarely have the financial and HR resources to quickly identify a breach, respond and report.”
This means the ultimate costs to the smaller financial institutions, which are being attacked “with as much volume and sophistication as the largest ones, are infinitely more damaging, whether we're talking about compliance fines, reputational damage, customer loss or other financial consequences of a mishandled breach,” Moskowitz added.
Right or wrong, however, there is no denying that these breach-related regulatory fines and lawsuit settlements are a consideration — not just from a financial standpoint, but from a reputational one. After all, one could argue that a financial firm’s greatest asset is trust, especially as traditional banks and financial institutions are increasingly feeling competitive pressure from nonbanks and financial technology and payments upstarts.
Despite the fact that these penalties can be expensive and damning, the good news is that these fines (which had been on the rise for several years) apparently have dropped in the past year, according to at least one researcher. Worldwide regulatory action penalties related to not complying with anti-money laundering and data privacy fell last year to little more than half of what they were in 2020, dropping from an all-time high of $10.6 billion that year to $5.4 billion in 2021, according to Fenergo, a compliance technology developer. The overall number of compliance fines assessed fell to a quarter of what they had been — dropping from 760 in 2020 to 176 in 2021.