New law will hold banks legally responsible for protecting customers
Ireland’s financial institutions could face big fines under new EU cybersecurity legislation which comes into effect in January, an online security expert has warned.
The Digital Operations Resilience Act (Dora) will hold banks and other financial firms legally responsible for protecting customers from online fraud and misinformation.
But Irish banks and financial services companies are not at all prepared to deal with the implications of the new law, warns Nicola Byrne, CEO of Riskeye, a company which monitors the web on behalf of a range of Irish corporates, in order to protect them from online harm.
Financial institutions – and their directors – who fail to protect customers may face fines of up to 2pc of annual turnover or, in the case of an individual, a maximum fine of €1m.
While banks have to date focused on network security to protect themselves, Byrne warns that they lack a “whole risk perspective” to understand evolving online threats.
The new law aims to combat sophisticated online scams including the use of social engineering techniques.
Criminals routinely impersonate banks to steal customer details by manipulating people on social media.
Last year’s bank run at Silicon Valley Bank was also fuelled by social media.
Byrne highlighted the “on hold” scam as an example of a crime that falls under Dora. Fraudsters scan social-media sites to find people complaining they are “on hold” on a bank’s customer services line.
Byrne said she is aware of multiple examples where those complainants then received a call from someone claiming to be from the bank, who tricked them into revealing login details – and subsequently stole significant amounts of money.
Under Dora, responsibility for this type of fraud will fall on the bank itself, she said.
“This could actually severely curtail social-media-based customer service by the financial institutions,” she said.
“There is so much data swirling around social media daily, and financial institutions haven’t put resources in place to tackle the harm.
“I sympathise with them. They are being made responsible for what is happening on social-media platforms. But that’s what is coming in January, and they are just not prepared.”