A recent audit of websites by the well-known Online Trust Alliance has revealed something that many consumers have long suspected: financial institutions are the least trusted when it comes to cybersecurity. Although the results are no doubt coloured by the inherent fear that many consumers have when it comes to the security of their money, it should still be a worry for banks, which have long struggled with issues around online trust. A full 65% of the websites operated by 100 of the major U.S. banking institutions failed to meet the criteria for best practice in privacy and security as set out in the 2017 Online Trust Audit and ‘Honor Roll’ exercise.
Online Trust Alliance’s audit involved an analysis of a site’s consumer protection elements, site, server and infrastructure security, and privacy and transparency disclosures. The alliance also evaluated sites in terms of past data breaches and vulnerabilities.
The audit, which was conducted in April and May 2017 and examined over 1,000 top websites, did however reveal some good news. A full 52% of sites which enjoyed high traffic numbers are rated as trustworthy as far as their cybersecurity measures are concerned. But the flip side of the security and privacy equation is worrying – 46% of the sites simply failed to meet the criteria of the assessment.
Some of the contents of the report were scathing when it came to the levels of compliance with international norms around privacy and security. One such comment reveals just how much work these financial institutions have to do to meet consumer expectations: “Their failures were attributed in part to the revised failure threshold, increased number of data breaches, observed site security vulnerabilities and inadequate privacy disclosures.”
Craig Spiezle, founder and chair emeritus of Online Trust Alliance, said that the failures of financial services companies as far as online trust is concerned should be a wake-up call for them and that they should make every effort to increase their commitment to consumer protection. He also noted that the results are especially “ironic,” considering recent legislative efforts to roll back the 2010 U.S. Dodd-Frank financial reform law, which could greatly weaken the Consumer Financial Protection Bureau.
More bad news for online trust
The bad news didn’t end with the astounding failure of financial services companies to live up to their responsibilities as far as privacy and security are concerned. The report by the Online Trust Alliance also revealed that a paltry 27% of the financial services group earned top honours for cybersecurity and privacy. This represents an enormous drop-off from 55% in 2016. The mind boggles that, as cyber threats increase, financial services companies seem to have been plagued by complacency.
It’s even more puzzling given the fact that more and more governments are putting in place legislation and policing mechanisms around privacy and security. In June, the British government announced that it would be overhauling the legislation governing these issues in order to comply with the provisions of the EU General Data Protection Regulation (GDPR). This came even in the face of the pressures of Britain’s upcoming exit from the EU. The question that needs to be asked is whether or not the U.S. is entirely committed to the increasingly stringent global requirements regarding security and privacy.
A ‘reasoned’ response?
The findings of the report did not go unanswered by the financial services sector. Doug Johnson, Senior Vice President of payments and cybersecurity policy at the American Bankers Association, questioned the report’s findings, noting how other independent research organisations have found that banks “have fewer breaches” than companies operating in many other sectors. To an independent observer this might be seen as a ‘Straw Man’ argument that deflects from the real question: why would financial services companies perform so poorly?
It’s not a question of comparisons; it’s a question of best practice, something that financial institutions in the U.S. clearly need to at least pay lip service to. And it should be noted that the operations of many of these financial services companies are not limited to the continental United States. The ripple effects of noncompliance with global best practice for privacy and security could affect markets far from U.S. shores.
Misery loves company – It’s not only financial services
Financial Services companies need not feel alone. In another startling finding, the report also examined the top 100 U.S. federal government sites. The results were a cause for concern. Of those top sites, 60% failed to meet the criteria of the study – hardly an encouraging statistic. Even more worrying is that only 39% landed on the ‘Honor Roll’ in 2017 – compared to 46% in 2016.
Some reason for cheer
For consumers, it wasn’t all gloom and doom. The study on which the report was based found that of the top 100 consumer services sites, a full 76% met the criteria for inclusion on the prestigious ‘Honor Roll’. The sites included those in social media, travel services and (somewhat surprisingly) matchmaking. The 500 online retailers also performed well, with over 50% achieving ‘Honor Roll’ status.
Also, the Online Trust Alliance study found that adoption of web security protocols that protect online interactions from redirection—HTTP Strict Transport Security, Always on SSL or HTTPS Everywhere—jumped from 29.8% of sites to 52.2%.
Adoption of web application firewalls jumped to about 68.1% of the sites the Online Trust Alliance analysed, compared to 35.8% last year.
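The HSTS adoption figure above counts sites that send a Strict-Transport-Security header. The check below, an added example and not the Online Trust Alliance's own tooling, parses that header using the RFC 6797 directive syntax and grades it the way a site audit would; the one-year max-age and includeSubDomains thresholds and the three sample headers are this example's constructed assumptions, not the audit's published scoring rules.

```python
# Added example, not the Online Trust Alliance's own tooling: parse a
# Strict-Transport-Security header (RFC 6797 syntax) and grade it. The
# one-year max-age / includeSubDomains thresholds are assumptions.
from typing import Dict, Optional

ONE_YEAR = 31_536_000  # seconds; assumed minimum for a "strong" policy

def parse_hsts(header: Optional[str]) -> Optional[Dict[str, object]]:
    """Return {'max_age', 'include_subdomains', 'preload'} or None if invalid."""
    if header is None:
        return None
    seen: Dict[str, str] = {}
    for raw in filter(None, (part.strip() for part in header.split(";"))):
        name, _, value = raw.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # RFC 6797: a directive must not repeat
        seen[name] = value.strip().strip('"')  # values may be quoted strings
    if not seen.get("max-age", "").isdigit():
        return None                          # max-age is mandatory and numeric
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }

def grade_hsts(header: Optional[str]) -> str:
    """Classify a site's HSTS header as 'missing', 'weak' or 'strong'."""
    policy = parse_hsts(header)
    if policy is None or policy["max_age"] == 0:
        return "missing"                     # max-age=0 tells browsers to drop the policy
    if policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]:
        return "weak"
    return "strong"

# Constructed sample headers standing in for three audited sites.
SAMPLE_HEADERS = {
    "bank-a.example": "max-age=31536000; includeSubDomains; preload",
    "bank-b.example": "max-age=3600",
    "bank-c.example": None,
}

def adoption_rate(headers: Dict[str, Optional[str]]) -> float:
    """Percentage of sites with any valid, non-zero HSTS policy."""
    adopted = sum(1 for h in headers.values() if grade_hsts(h) != "missing")
    return round(100 * adopted / len(headers), 1)
```

Running `adoption_rate(SAMPLE_HEADERS)` over the constructed headers gives the per-site adoption percentage that an audit of this kind reports, while `grade_hsts` separates a token one-hour policy from one that actually pins the whole domain.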
The way forward for online trust
So, what does this mean for both financial services companies and government in the United States? Despite the assurances of industry spokespeople, it is apparent that, at least as far as financial services in that country are concerned, more needs to be done to reassure members of the public (and private watchdogs) that they are focused on the issues. If not, these organisations run the very real risk of further hurdles when it comes to dealing with global organisations that comply with international standards with regard to security and privacy. It’s readily apparent that U.S. financial services companies are slipping backwards in terms of global standards. A new focus may be required to arrest that slide.