Cyber ​​failures and cyber attacks | Do we need to keep copies of our bank statements?

Bank accounts and online investments are a real revolution. But with cyber attacks on the rise, network outages, and the Interac service faltering, should we consider going back and keeping our paper statements?

Posted at 5:00

Isabelle Dube

Isabelle Dube
The print

One reader, Jean-François, got scared when he saw “non-existent account” displayed in red when he tried to open an online session.

Trying again, the same message appeared. Jean-François may not have seen his life flash before him, but in a flash he mentally saw all the possible places where evidence of the tale’s existence would be recoverable.


Over the phone, a consultant from the financial institution told him it was a computer failure. Much to his relief, Jean-François was able to find his online account and all his investment data a few hours later.

In a world where everything is becoming virtual, where the risk of cyber attacks is skyrocketing, where the Interac service is failing due to Rogers, we should keep copies of our bank statements in a place other than the website of the banking institution?

Do we need to keep copies?

“This digital transition story is a good one, but we need to retain ownership of our data. And it is something that cannot be acquired, because it is too easy to switch to cloud computing and Google Drive “, relaunches Alexandre Fournier, founder of Crise & Résilience, a company specializing in the management of IT crises and business continuity, in an interview.

“If you interrupt from the outside, whether it’s financial institutions, email access, or the Microsoft environment, you need to have that autonomy,” he continues.


All consulted specialists agree that zero risk does not exist. But financial institutions have to follow stricter rules than SMEs and insurance companies, they say.

The Financial Consumer Agency of Canada (FCAC), which is mandated to strengthen the financial literacy of Canadians and monitor banks’ compliance, says it is good practice to keep copies of bank statements and other financial documents. “Be it paper or electronic copies,” explains Léonie Laflamme-Savoie, from the ACFC.

“Consumers can choose the method that suits them best based on their preferences and technological capabilities,” he says.

Regardless of the method, the most important thing is to ensure that these documents are stored in a safe place, safe from scammers.

Léonie Laflamme-Savoie, ACFC

Having consulted on this, the financial institutions indicate that clients are not required to keep copies of their bank statements. However, “keeping a copy of the member / client’s statements and investments, regardless of medium, is a good practice,” says Chantal Corbeil, spokesperson for Mouvement Desjardins.

Alexandre Guay of the National Bank adds that customers who wish can save electronic copies.

At BMO, advisors also recommend that you regularly take a look at your paper or virtual statement to review the day’s banking transactions. “It is important to always be up to date on daily transactions. It can save us a lot of trouble, ”says Marc Dionne, Regional Vice President, Retail Banking, BMO Bank of Montreal.

The “3-2” method.


Specialist Alexandre Fournier recommends making three copies of the statements in two different media to prepare for any eventuality.

Specialist Alexandre Fournier recommends making three copies on two different media: on the institution’s website, on the computer and on paper. Or on the institution’s website, on your computer and on a USB stick or external hard drive. The ideal, he points out, is that the key is not kept next to the computer.

Copying must be outsourced. If your house is on fire, if you lose your laptop or Google Drive access, you have that third copy on a physical key so you can get your data back.

Alexandre Fournier, founder of Crisis & Resilience

“When you move to the cloud, there is no guarantee that you will be able to access your data overnight, due to an unintentional or voluntary situation. ”

Can our data disappear forever?

All consulted specialists agree that zero risk does not exist. But financial institutions have to follow stricter rules than SMEs and insurance companies, they say.

It is more likely to be theft, manual error, improper handling, or someone inside erasing a particular customer’s data and not involving all of the data.

Patrick R. Mathieu, cybersecurity specialist and co-founder of Hackfest

“It would not be impossible for a client of a financial institution to temporarily lose access to their data (eg online), says Pierre-Luc Pomerleau, partner of VIDOCQ, a risk management company. However, it must be understood that with all mechanisms in place, customer data would not be lost. These may be temporarily inaccessible due to an accident, but the financial institution would make every effort to restore the service and access the data as quickly as possible. ”

“Banks are highly secure organizations, well recognized for their advanced cyber security and data protection practices,” says Mathieu Labrèche of the Canadian Bankers Association.

In July 2022, the Office of the Superintendent of Financial Institutions (OSFI) published the final version of Guideline B-13, which outlines its expectations in terms of risk management related to technology and cyber risk.

The Office is currently conducting a public consultation and awaits public input on risk management, particularly related to third parties, to consider the transfer of data from one cloud provider to another. The consultation period ends on 30 September.

The print contacted seven financial institutions. Only Desjardins wanted to explain that his customers’ data could not disappear overnight, because they are stored in multiple places, both in their secure centers and externally.

“We have backup mechanisms that cover disaster scenarios and aim to minimize the impact of a major disruption,” says Chantal Corbeil, spokesperson for the Desjardins Group, which in 2021 invested $ 300 million in its Security Office, where 1,100 experts work.

This is part of the best backup management practices.

Desjardins and RBC are among the most advanced in technical safety testing, according to safety specialist Patrick R. Mathieu. The level of preparation is not the same from one organization to another, he notes.

In the event of a cyber attack, data destruction and natural disasters, financial institutions have several mechanisms to minimize the negative impacts on the accessibility of the organization’s data, says Pierre-Luc Pomerleau, of VIDOCQ. Backups are performed at different physical sites located in different regions, he explains, while upstream the teams ran simulations to be able to deal with different types of incidents and restore as many services as quickly as possible.

That said, another problem may arise in a more serious context. “If we take the example of Ukraine, where banks are physically destroyed, even if a second backup location exists and has been tested, employees must be ready to go and rebuild data from the bank rather than be with their family. “, concludes Patrick R. Mathieu.

Leave a Comment