Posted at 5:00 a.m.
One reader, Jean-François, was scared when he saw “non-existent account” displayed in red when he tried to open an online session.
Trying again, the same message popped up. Jean-François may not have seen his life flash before him, but in a flash, he mentally saw all the possible places where proof of the account’s existence would be recoverable.
On the phone, an advisor from the financial institution told him that it was a computer failure. To his great relief, Jean-François was able to find his online account and all of his investment data a few hours later.
In a world where everything is going virtual, where the risk of cyberattacks is skyrocketing, where the Interac service is breaking down because of Rogers, should we keep copies of our statements somewhere other than on the banking institution’s site?
Should we keep copies?
“This story of the digital shift is good, but we have to retain ownership of our data. And that’s something you don’t acquire, because it’s too easy to go to cloud computing and Google Drive,” says Alexandre Fournier in an interview. He is the founder of Crise & Résilience, a company specializing in the management of cybercrises and business continuity.
“If it cuts off from the outside, whether it’s financial institutions, access to emails or the Microsoft environment, you have to have this possibility of autonomy,” he continues.
The Financial Consumer Agency of Canada (FCAC), which has a mandate to strengthen the financial literacy of Canadians and monitor bank compliance, says it’s good practice to keep copies of bank statements and other financial documents. “Whether it is done through hard or electronic copies,” explains Léonie Laflamme-Savoie, of the FCAC.
“Consumers can choose the method that suits them according to their preferences and technological skills,” she says.
Regardless of the method, the most important thing is to ensure that these documents are stored in a secure place, safe from fraudsters.
Léonie Laflamme-Savoie, FCAC
Consulted on this subject, financial institutions indicate that customers are not required to keep copies of their statements. However, “keeping a copy of account statements and investment statements by the member/client, regardless of the medium, is a good practice,” also says Chantal Corbeil, spokesperson for the Mouvement Desjardins.
Alexandre Guay, of the National Bank, adds that customers who wish to do so can save the electronic copies.
At BMO, advisors also recommend taking a regular look at your bank statement, paper or virtual, to review the day’s banking transactions. “It’s important to stay on top of your day-to-day transactions. It can save us a lot of hassle,” says Marc Dionne, Regional Vice-President, Retail Banking, BMO Bank of Montreal.
The “3-2” method
Specialist Alexandre Fournier recommends making three copies on two different media: on the institution’s website, on the computer and on paper. Or on the institution’s website, on the computer and on a USB key or external hard drive. The ideal, he underlines, is that the key is not stored next to the computer.
The copy must be outsourced. If your house burns down, if you lose your laptop or your access to Google Drive, you have that third copy on a physical key, so you can recover your data.
Alexandre Fournier, founder of Crise & Résilience
“When you go to the cloud, you have no assurance that you will be able to access your data overnight, whether it is due to an involuntary or voluntary situation.”
Can our data disappear forever?
All the specialists consulted agree that zero risk does not exist. But financial institutions have to follow stricter rules than SMEs and insurance companies, they say.
It’s more likely to be theft, manual error, mishandling, or someone inside erasing a particular customer’s data, and it won’t involve all the data.
Patrick R. Mathieu, computer security specialist and co-founder of Hackfest
“It would not be impossible for a client of a financial institution to temporarily lose access to their data (for example online),” says Pierre-Luc Pomerleau, partner at VIDOCQ, a risk management firm. “However, it must be understood that with all the mechanisms in place, the customer’s data would not have been lost. These could be temporarily inaccessible due to an incident, but the financial institution would make every effort to restore the service as well as access to the data as quickly as possible.”
“Banks are highly secure organizations, well recognized for their advanced cybersecurity and data protection practices,” says Mathieu Labrèche of the Canadian Bankers Association.
In July 2022, the Office of the Superintendent of Financial Institutions (OSFI) published the final version of Guideline B-13, which outlines its expectations in terms of risk management related to technology and cyber risk.
OSFI is currently conducting a public consultation and awaiting public input on risk management, specifically related to third parties, to consider the transfer of data from one cloud service provider to another. The consultation period ends on September 30.
The Press contacted seven financial institutions. Only Desjardins wanted to explain that the data of its customers could not disappear overnight, because they are stored in several places, both in their secure centers and externally.
“We have backup mechanisms that cover disaster scenarios and aim to minimize the impact of a major outage,” says Chantal Corbeil, spokesperson for Desjardins Group, which invested $300 million in its Security Office in 2021, where 1,100 experts are at work.
This is part of backup management best practices.
Desjardins and RBC are among the most advanced in technical security testing, according to security specialist Patrick R. Mathieu. The level of preparation is not equal from one organization to another, he observes.
In the event of a cyberattack, data destruction or a natural disaster, financial institutions have several mechanisms to minimize the negative impacts on the accessibility of the organization’s data, says Pierre-Luc Pomerleau, of VIDOCQ. The backups are made at different physical sites located in different regions, he explains, while upstream, the teams have run simulations to be able to deal with different types of incidents and to restore as much service as possible, as quickly as possible.
That said, another issue may arise in a more serious context. “If we take the example of Ukraine, where physically, banks are destroyed, even if there is a second backup location and it has been tested, employees must be ready to go and rebuild the data from the bank rather than being with their family,” concludes Patrick R. Mathieu.