Singapore data breach could damage banks’ health
banks should watch the fallout from the island’s healthcare-data breach. This could get ugly for them.
The National Electronic Health Record project is taking a pause after hackers stole data on 1.5 million patients including Prime Minister Lee Hsien Loong, who was “specifically and repeatedly” targeted.
Immediate repercussions for banks have already become obvious, with the Monetary Authority of Singapore cautioning lenders not to rely only on full name, national identification number, address, gender, race and date of birth for customer verification.
While introducing additional layers of security such as onetime passwords or biometric identification means additional costs, most Singapore banks have such basic technologies already in place. Their bigger worry should be MyInfo.
In April, Standard Chartered Plc and the three homegrown Singapore banks — DBS Group Holdings Ltd, Oversea-Chinese Banking Corp and United Overseas Bank Ltd — began a pilot programme to tap this statebuilt digital repository of citizen information for know-your-customer, or KYC, checks required to open bank accounts. The idea is to eventually use MyInfo profiles to issue credit cards, home loans and insurance policies.
Every digital customer of DBS is three times as valuable to the bottom line as a brick-and-mortar customer. Singapore’s “Smart Nation” project, which envisions paperless KYC and a cashless society, has made OCBC commit to cutting bank teller jobs in the city by half and retraining the surplus staff for digital banking by 2020.
Should the authorities be forced now to rethink Smart Nation’s security features, investor expectations of shareholder returns at Singaporean banks may also have to be lowered.
The other impact could be on commingling. To enable them to compete with financial technology players, Singapore’s regulators have relaxed post-1998 restrictions on banks’ ownership of non-financial businesses.
DBS has invested in a property marketplace and in a digital platform for buying and selling cars; UOB has gone into holiday planning, while OCBC is pampering new mothers online.
The banks’ primary aim is to own rich and varied customer data. However, following the SingHealth breach, privacy and security are bound to get a closer regulatory look.
It’s one thing for Facebook Inc to hit a speed bump over such concerns, and quite another for systemically important banks in a major financial centre to run into similar issues because of their dalliance with e-commerce.
Now that a widely publicised hack has materialised, other incidents are also coming to light.
The Straits Times has reported that data on 70,000 members of the island’s Securities Investors Association were stolen five years ago — and they came to know of it only this week.
There’s a silver lining in all this, though. To safeguard citizens’ trust and preserve the reputation of its financial industry, Singapore will scale up investments in cybersecurity. That’s good news for startups that will be spawned by initiatives like the one between Israel’s Ben-Gurion University and Singapore’s Nanyang Technological University.
If they’re reading the tea leaves right, banks should set up private equity funds that invest in cutting-edge cybersecurity startups. It would be a far better use of their resources than hawking used cars and diapers.