A glitch in big-four bank First National Bank's (FNB's) mobile app has exposed personal information of customers applying for home loans using the digital platform. It was discovered that if an FNB client used the mobile app to apply for a home loan, they could easily see the personal details of other home loan applicants. The exposed data includes personally identifiable information, such as names, identity numbers and contact details.

An FNB client who discovered the exposed data has since informed the Information Regulator, asking it to take the necessary measures against the big-four bank. "I wish to lodge a complaint against First National Bank in respect of a breach of personal information through their banking application," the client reported to the regulator. "Whilst applying for a home loan through the service, I noticed that I was able to access other individuals' personal information, such as ID numbers, contact details and various financial information, which is visible to other applicants, including my personal information. "I have documented this by way of screenshots and have evidence to support this data breach. I believe my rights in terms of the POPI Act [Protection of Personal Information Act] have been infringed and poses a huge personal security risk," stated the client.

"Your e-mail contents have been noted and will be addressed with the responsible party," says a complaints and investigations officer of the Information Regulator in an e-mail.

Under South Africa's data privacy law, the Protection of Personal Information Act (POPIA), organisations must inform the Information Regulator if they expose the personal information of data subjects to unauthorised third parties without their approval. FNB has acknowledged exposing the personal information of its clients, saying it is in the process of notifying the relevant authorities, as well as those who have been impacted.
While the financial institution has rushed to disable the app functionality in question, it did not disclose how many customers were impacted. Says the bank in a statement: "FNB is aware of a technical error that made the information of certain home loan applicants, such as full names and ID numbers, visible to other home loan applicants who logged in via our digital channels. FNB takes the privacy and protection of customer information very seriously, and the affected functionality has since been temporarily disabled to resolve the root cause of the issue. We are in the process of contacting the affected customers and the appropriate regulator. Customers requiring any assistance can contact us through Secure Chat on the FNB app."

FNB recently made sweeping changes to its brand, including a redesign of its popular banking app. The FNB app, introduced more than a decade ago, saw its active transacting base exceed 4.7 million customers, based on results for the year ended 30 June 2022.

The data exposure comes at a time when the Information Regulator is receiving an unprecedented number of reports about data breaches in South Africa. Speaking during the Governance, Risk and Compliance 2023 conference last week, advocate Pansy Tlakula, chairperson of the Information Regulator, revealed that data breaches are a big problem in this country - much bigger than people think. "Every public body, every private body that has suffered a security compromise or data breach has to notify us - there is no threshold. Even if one person was breached, they still have to notify us. If you look at 500 (it's 564 to be precise), it means that in a month, this country suffers about 56 data breaches - major and minor ones," she revealed. "I think we are one of the highest in the world with data breaches."

POPIA sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss.
Breaching the rules and regulations outlined by this Act can have serious financial implications for the business - repercussions that can cost a fortune and have long-lasting consequences, such as reputational damage. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Identify the risk treatment criteria that can be applied at the strategic level by FNB, in the above case, to document all risks where consequences for the firm could be dire, as well as emerging risks that could cause larger troubles in the future if they are not monitored carefully. Write an answer for 15 marks.

Risk treatment criteria - four basic options:
  • risk avoidance or termination;
  • risk reduction or modification;
  • risk transfer or sharing;
  • risk acceptance or tolerance.
Those are the criteria to follow.

1 answer

In addressing the data breach incident involving First National Bank (FNB) and the exposure of personal information of home loan applicants, the bank must consider the following risk treatment criteria at a strategic level. Each option presents unique implications for FNB’s operational and reputational health, especially as the consequences for the firm can be severe.

1. Risk Avoidance or Termination

  • Implementation: FNB should consider avoiding specific practices that may lead to data exposure. This might involve reassessing and terminating certain functionalities of the mobile app that are susceptible to vulnerabilities until comprehensive security evaluations are conducted.
  • Rationale: By avoiding high-risk activities, such as permitting the sharing of sensitive information amongst users, FNB can prevent similar incidents in the future. Avoidance may also include a halt on new app developments/features until adequate safety measures are adopted.

2. Risk Reduction or Modification

  • Implementation: The bank must implement enhanced security measures within the app. This could include adopting more stringent data access controls, regular audits of data protection protocols, improved encryption methods, and robust testing procedures for the app.
  • Rationale: Risk reduction aims to minimize the chance of data breaches occurring. By reinforcing the app’s security framework, including employee training on data privacy regulations (such as the POPI Act), FNB can significantly decrease the risk of similar incidents and reassure customers about its commitment to safeguarding personal information.

3. Risk Transfer or Sharing

  • Implementation: FNB can transfer a portion of the financial risk associated with potential breaches through insurance policies specifically designed for cyber risks and data breaches. Additionally, the bank could partner with third-party cybersecurity firms to leverage their expertise in monitoring and managing data security.
  • Rationale: Transferring risk via insurance can mitigate financial impacts resulting from potential penalties or lawsuits arising from data breaches. Third-party partnerships can enhance FNB’s security protocols without assuming all responsibilities internally, allowing the bank to benefit from specialized skills and technologies.

4. Risk Acceptance or Tolerance

  • Implementation: FNB might recognize certain risks as tolerable, accepting that some level of system vulnerability exists, especially in a rapidly evolving digital landscape. This requires careful consideration of acceptable risk thresholds and proactive strategies to monitor these risks continuously.
  • Rationale: While risk acceptance is inevitable, defining clear limits enables FNB to strategically manage risks that cannot be eliminated. The bank must establish a response plan for when breaches do occur, thus minimizing their potential impact on customers and the institution itself.

Conclusion

By carefully documenting and applying these risk treatment criteria, FNB can create a comprehensive risk management strategy to address the current incident and mitigate future risks effectively. The emphasis should be on not only rectifying the existing issues but also proactively establishing a robust framework to manage emerging threats in the digital banking environment. Ultimately, FNB's aim should be to safeguard customer data and maintain trust while complying with pertinent regulations, such as the POPI Act, to avoid reputational damage and significant financial penalties.