In May 2024, the Office of the Superintendent of Financial Institutions (OSFI) released its Annual Risk Outlook – Fiscal Year 2024 – 2025, which showed that “high impact” cyber attacks against banks nearly tripled between 2022 and 2023, increasing from ten to 28. These high impact attacks can lead to service disruptions and/or data leaks.
The OSFI, an independent agency of the Government of Canada that reports to the Minister of Finance, is intended to improve public confidence in the Canadian financial system. Financial institutions are expected to report cyber incidents to the OSFI within 24 hours.
ISA Cybersecurity, a leading Canadian cybersecurity-focused solutions and services provider, commissioned Angus Reid to conduct a nationwide survey in English and French. A total of 1,519 Angus Reid Forum members took part, answering questions about banking and cyber security.
The data
For comparison purposes only, a probability sample of this size would carry a margin of error of +/- 2.3 percentage points, 19 times out of 20.
That survey revealed 78 per cent of Canadians are concerned about online banking cyber crime. Further analysis showed 76 per cent of respondents were concerned about possible data breaches at their financial institutions, while 22 per cent were extremely concerned.
“The survey results signal an opportunity for financial institutions to boost their efforts to protect and reassure clients at a time when cyber crime against banks is increasing in frequency and complexity and Canadians are concerned about the potential for service disruptions or data leaks,” said Kevin Dawson, President and CEO of ISA Cybersecurity.
The survey also found that over half (53 per cent) of respondents are likely to switch to a different financial institution if their current financial institution had a data breach.
Almost three quarters (73 per cent) of those surveyed said they consider a financial institution’s cybersecurity measures when thinking about switching or staying with their current financial institution.
Nearly one-quarter of respondents (23 per cent) aren’t confident that their financial institution can protect their personal information from cyber threats.
Canadians are open to doing their part to help banks safeguard their data with 95 per cent of survey participants willing to use extra security measures including multi-factor authentication or phone text codes.
Only 54 per cent of survey participants have adopted the use of biometrics to access their financial accounts, with half expressing concern about scammers mimicking their biometric data.
Of the 46 per cent of participants who have not used biometric authentication to access financial accounts, a full 58 per cent say they are unlikely to consider using it.
One-in-five (21 per cent) of those surveyed would be willing to pay a small fee to get enhanced cybersecurity protection for their accounts and personal information provided by their financial institution.
“Surprisingly, despite increased investments in cybersecurity by Canadian banks in recent years, 62 per cent of those surveyed reported that they rarely, or never, hear from their financial institution regarding cybersecurity practices,” stated Dawson.
“This presents an excellent opportunity for banks to show leadership in educating their customers about how financial institutions protect them – and how customers can better protect themselves,” Dawson added.
The cost
ISA Cybersecurity partners with IBM to help protect financial institutions from cyber threats. Dawson points to IBM’s Cost of a Data Breach Report 2024, which shows Canadian financial service organizations experience some of the costliest breaches, paying an average of $9.28 million per breach. The report also found that organizations using extensive security AI and automation reported paying $2.84 million less per breach.
Security AI and automation also reduced the average 277 days it takes to detect and contain a data breach by 54 days.
These findings highlight the importance of integrating AI and automation into the cybersecurity programs of financial institutions in order to reduce both the financial impact and business disruption cyber breaches impose.
There are also steps people who bank online can take to safeguard themselves from being hacked, including using strong passwords that include a mix of letters, numbers and special characters.
Never use the same password across accounts or services and consider using a reputable password manager to securely keep track of your credentials.
Activate multi-factor authentication (MFA), such as short message service (SMS) codes or authenticator apps, on all banking and financial accounts.
Cyber criminals use AI and other tools to create convincing phishing, vishing, and smishing attacks. Check the Canadian Anti-Fraud Centre website to find out about the latest scams.
Secure all of your devices by regularly updating your computer and mobile device software to patch security vulnerabilities and only install anti-malware programs from trusted providers.
Then there are the steps the federal government is taking in the form of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, which had its first Parliamentary reading in June 2022 and is currently progressing through its second Senate reading.
Bill C-26 would require companies within the financial, telecommunications, energy and transportation sectors to strengthen protections against attacks, including establishing cyber security programs to detect serious incidents. Failing to do so would mean facing financial penalties with the possibility of imprisonment.
The bill would allow the federal government to direct how private companies in critical industries respond to potential cyber attacks, but that information would not be made public because the bill also prohibits organizations from revealing orders from Ottawa to correct their systems.
A number of civil liberties organizations and individuals made a joint submission to the House of Commons Standing Committee on Public Safety and National Security expressing concerns regarding civil liberties, privacy and democratic freedom infringements.
Their concerns include the fact that Bill C-26 undermines accountability and due process; opens the door to new surveillance obligations; offers no guardrails to constrain abuse; secretly undermines accountability and due process; and provides power without oversight or accountability for the Communications Security Establishment (CSE).
Recommendations include restraining ministerial powers; protecting confidential personal and business information; maximizing transparency; allowing special advocates to protect the public interest; and enhancing accountability for the CSE.
These stricter limits would allow Bill C-26 to meet its objective of improving cyber security across the financial, telecommunications, energy, legal and transportation sectors without compromising personal information including sharing information with intelligence agencies, provincial and foreign governments and organizations established by foreign states.
Dawson stresses the need for financial institutions to adopt cutting-edge AI and machine learning technologies to detect and respond to anomalies in real time while employing continuous network monitoring systems. These institutions also need to provide regular cybersecurity training for employees to ensure they recognize and respond to potential threats while maintaining a robust incident response plan that is tested on a regular basis through tabletop exercises.