Computer Failures and Cyberattacks | Do we need to keep copies of our bank statements?

Bank accounts and online investments are a real revolution. But should we go back and keep our paper statements due to increasing cyberattacks, network outages, slowness of Interac service?

Isabelle Dube
Press

One reader, Jean-Francois, was horrified to see “non-existent account” displayed in red when he tried to open an online session.

Tried again, same message popped up. Jean-Francois may not have seen the flash in front of him in his life, but in a flash, he mentally saw all the places where proof of the account’s existence could be retrieved.

On the phone, an advisor from a financial institution told him it was a computer failure. To his great relief, Jean-Francois was able to find his online account and all of his investment data a few hours later.

In a world where everything is going virtual, where the risk of cyberattacks is skyrocketing, where Interac service is breaking down due to Rogers, should we keep copies of our statements somewhere other than the banking institution’s site?

Do we need to keep copies?

“This story of digital shift is good, but we need to own our data. It’s something you don’t get because it’s so easy to go to cloud computing and Google Drive”, raised Alexandre Fournier, founder of Crisis & Resilience, a firm specializing in cyber crises and business continuity management, in an interview.

“If it’s cut off from the outside, whether it’s financial institutions, access to emails or the Microsoft environment, you have to have this possibility of autonomy,” he continues.

The Financial Consumer Agency of Canada (FCAC), which has a mandate to strengthen Canadians’ financial literacy and monitor bank compliance, says it’s good practice to keep copies of bank statements and other financial documents. “Whether that’s through hard or electronic copies,” explains ACFC’s Leonie Laflamme-Savoie.

“Users can choose the method that suits them according to their preferences and technical skills,” she said.

Consulted on this matter, financial institutions suggest that customers do not need to retain copies of their statements. However, “it’s good practice to keep a copy of member/client account statements and investment statements regardless of the medium,” says Movement Desjardins spokeswoman Chantal Corbeil.

Alexandre Guay of the National Bank said customers who wish to do so can save electronic copies.

At BMO, advisors recommend checking your bank statement, paper or virtual, regularly to review the day’s banking transactions. “It is important to be aware of your daily transactions. It saves us a lot of hassle,” said Marc Dionne, regional vice-president of retail banking at BMO Bank of Montreal.

“3-2” method

Specialist Alexandre Fournier recommends making three copies in two different media: on the company’s website, on a computer and on paper. or on the organization’s website, on a computer and on a USB key or external hard drive. Ideally, he stressed, the key would not be stored next to the computer.

“When you move to the cloud, you have no guarantee that you will be able to access your data overnight due to an involuntary or voluntary situation. »

Can our data disappear forever?

All experts consulted agree that there is zero risk. But they say financial institutions have to follow stricter rules than SMEs and insurance companies.

“It is not impossible for a financial institution’s client to temporarily lose access to their data (for example online), supports Pierre-Luc Pomerly, partner at VIDOCQ, a risk management firm. However, it should be understood that the customer’s data would not have been lost if all the mechanisms were in place. These are due to an incident. Access may be temporarily unavailable, but the Financial Institution will make every effort to restore service and access to data as soon as possible. »

“Banks are highly secure institutions, well-recognized for their advanced cyber security and data protection practices,” said Matthew Labreche of the Canadian Bankers Association.

In July 2022, the Office of the Superintendent of Financial Institutions (OSFI) published the final version of Guideline B-13, which outlines its expectations in terms of risk management related to technology and cyber risk.

The Bureau is currently conducting a public consultation and awaiting public input on risk management specifically for third parties to consider transferring data from one cloud service provider to another. The consultation period ends on September 30.

Press Seven financial institutions were contacted. Desjardins only wanted to explain that its customers’ data does not disappear overnight, as it is stored in their secure centers and in multiple locations externally.

“We have backup mechanisms that cover disaster scenarios and aim to minimize the impact of a major outage,” says Chantal Corbeil, A spokesman for Desjardins Group, which has invested $300 million in its security office by 2021, employing 1,100 professionals.

This is part of backup management best practice.

According to security expert Patrick R. Mathieu, Desjardins and RBC are among the most advanced in technical security testing. The level of manufacturing is not the same from one company to another, he observes.

VIDOCQ’s Pierre-Luc Pomerly says financial institutions have several mechanisms in place to mitigate negative impacts on the accessibility of the organization’s data, in the event of a cyberattack, data destruction and natural disasters. Backups take place at different physical sites in different regions, he explained, adding that while upstream, teams create simulations to deal with different types of incidents and restore maximum service as quickly as possible.

In a more serious case, another problem may arise. “Physically, taking the example of Ukraine where banks were destroyed, employees should be prepared to rebuild data from the bank rather than their family, even if a second backup location exists and is tested,” concludes Patrick R. Matthew.