Assignment #3 Part #3
(Group 10 feedback to Scenario 14)
JOJO FERNANDEZ
HAOWEI XIN
HANZHI ZHANG
ZHINING ZHANG
LUOYUAN CAO
Question 1
With the authority endowed to regulatory bodies to govern the legislative compliance of financial
institutions, was it ethical for them not to immediately impose penalties on SecureBank? What ethical
frameworks did the regulators use as a guiding principle in making this determination, and was this sufficient
to deter unethical behavior by the bank?
Answer
While it is true that regulatory committees oversee the governance and compliance of publicly traded
organizations, and that their focus is safeguarding public trust and ensuring that trade is fair and secure so as to
keep the economy healthy, it can be argued that they are also responsible for maintaining the markets by
ensuring that businesses can function with reasonable autonomy and maintain sufficient capitalization to
remain operational.
While the bankruptcy or closure of companies may not be directly related to penalties imposed by governing
bodies, there can be a correlation with rising operational and insurance costs, which, as a consequence,
could be passed on to the public through higher product prices, potentially contributing to inflation (Özdamar
& Shahin 2021, p. 21).
This is not dissimilar to companies choosing not to dismiss staff who make mistakes, even mistakes with significant
financial impact. Over the long term, the lessons learned and the push towards innovative corrective action that
prevents future incidents are valued as highly as, or more highly than, the financial risks.
In this respect, SecureBank’s self-reporting of its violation and its renewed push towards greater
Transparency have resulted from its commitment to Organizational Responsibility and
Accountability as ethical frameworks, supporting the thesis that the regulator’s reluctance to impose
sanctions has proven effective.
Question 2
Are comprehensive regulatory frameworks really adequate to encourage financial institutions to adopt truly
proactive cybersecurity measures, or do they risk creating a “compliance culture” that only prioritizes
regulatory checklists over genuine customer data protection?
Answer
Regulatory frameworks (e.g. the General Data Protection Regulation, GDPR) do play a critical role in
enforcing cybersecurity standards. They lay the legal basis for determining liability for data breaches;
however, they may also help cultivate a culture of simply meeting minimum compliance requirements rather
than prompting companies to develop comprehensive, strategic and proactive security policies.
According to Koyame-Marsh & Marsh (2014, p. 2), such frameworks often emphasize non-assertive
measures (e.g. reactive breach notifications), which generally do not promote genuinely effective data
protection initiatives.
Moreover, as Gaglione Jr. (2019, p. 7) points out, strict regulatory penalties can indeed incentivize
compliance with regulations; however, this is merely a reaction to previous incidents and does not move
towards proactivity. As a result, companies are less inclined to invest in cybersecurity tools that counter
emerging threats. The same paper notes that, to promote truly proactive data protection
measures, regulations must incentivize the adoption of contemporary risk management best practices and
promote a culture of continuous improvement, not merely adherence to enforced minimum governance
standards.
Question 3
To what extent should financial institutions be held accountable for data breaches resulting from outdated
security policies?
Answer
Financial institutions are often held to account for liabilities directly caused by system breaches
resulting from human error, negligence or a lack of internal controls. As part of every organization's
Corporate Social Responsibility, Data Protection is held to the highest standards, and maintaining
customers’ Data Privacy is the main focus of secured systems (Palmer & Kolk 2021, p. 21). Failing to keep
up with security updates could undermine these objectives, potentially leaving security breaches within
systems unidentified and unprevented (Shackeford & Myers 2017, p. 32).
Data breaches at any company, and especially at financial institutions, can have significant economic impacts,
and regulatory frameworks (e.g. the GDPR) determine the accountability and liability of companies that fail to protect
customer data. Compensation for victims is generally expected and varies according to the severity of the risk
exposure and the actual damages suffered by the victims. Investing in breach insurance helps hedge the company’s
exposure to such risks and is therefore highly recommended (Solove & Citron 2019, p. 3).
References
Gaglione Jr., G.S., 2019. The Equifax Data Breach: An Opportunity to Improve Consumer Protection and
CyberSecurity Efforts in America. Buffalo Law Review, p. 1133.
Koyame-Marsh, R.O. & Marsh, J.L., 2014. Data Breaches and Identity Theft: Costs and Responses. Journal
of Economics and Finance, pp. 36-45.
Özdamar, Ö. & Shahin, E., 2021. Consequences of Economic Sanctions: The State of the Art and Paths
Forward. Oxford Academic, pp. 1646-1671.
Palmer, M. & Kolk, A., 2021. Corporate Social Responsibility and Data Privacy: Financial Sector Insights.
Business & Society, pp. 952-980.
Shackeford, S.J. & Myers, S., 2017. Protecting Financial Sector Critical Infrastructure: Lessons
From the Front Lines of Cybersecurity and Beyond. Minnesota Law Review, pp. 2101-2185.
Solove, D.J. & Citron, D.K., 2019. Risk and Anxiety: A Theory of Data Breach Harms. Texas Law
Review, pp. 737-786.