Computer failures and cyber attacks | Should we keep copies of our bank statements?

Bank accounts and online investments are a real revolution. But with cyber attacks on the rise, network outages, Interac service faltering, should we consider going back and keeping our paper statements?

Posted at 5:00 am

Isabelle Dube

Isabelle Dube
The press

One reader, Jean-François, was startled to see “nonexistent account” displayed in red when attempting to open an online session.

When trying again, the same message came up. Jean-François may not have seen his life in front of him, but in a flash he saw all sorts of places where evidence of the account’s existence could be found.


On the phone, a consultant from the financial institution told him it was a computer failure. Much to his relief, a few hours later Jean-François was able to find his online account and all his investment details.

In a world where everything is virtual, where the risk of cyberattacks is skyrocketing, where the Interac service is down because of Rogers, should we keep copies of our bank statements anywhere other than on the bank’s website?

Should we keep copies?

“This digital transformation story is good, but we need to retain ownership of our data. And that’s something you don’t acquire because it’s too easy to move to cloud computing and Google Drive,” says Alexandre Fournier, founder of Crise & Résilience, a company specialized in cyber crisis management and business continuity, in an interview .

“When it cuts out to the outside world, whether it’s financial institutions, access to email, or the Microsoft environment, you have to have that capability of autonomy,” he continues.


All the specialists interviewed agree that there is no such thing as zero risk. But financial institutions have to follow stricter rules than SMEs and insurance companies, they say.

The Financial Consumer Agency of Canada (FCAC), which has a mandate to strengthen Canadians’ financial literacy and oversee bank compliance, says it’s good practice to keep copies of bank statements and other financial documents. “Whether on paper or in electronic form,” explains Léonie Laflamme-Savoie from the ACFC.

“Consumers can choose the method that suits them based on their preferences and technological skills,” she says.

Regardless of the method, the most important thing is to make sure these documents are kept in a safe place, safe from scammers.

Leonie Laflamme-Savoie, ACFC

Financial institutions surveyed on this issue point out that customers are not required to keep copies of their bank statements. “However, it is good practice for the member/client to keep a copy of bank statements and investment statements, regardless of the medium,” agrees Chantal Corbeil, spokeswoman for Mouvement Desjardins.

Alexandre Guay from the National Bank adds that customers who wish can save the electronic copies.

At BMO, advisors also recommend regularly glancing at your bank statement, whether paper or virtual, to review the day’s banking transactions. “It’s important to keep track of your day-to-day transactions. It can save us a lot of trouble,” says Marc Dionne, Regional Vice-President, Retail Banking, BMO Bank of Montreal.

The “3-2” method


Specialist Alexandre Fournier recommends making three copies of the declarations on two different media in order to be prepared for all eventualities.

Specialist Alexandre Fournier recommends making three copies on two different media: on the institution’s website, on the computer and on paper. Or on the institution’s website, on the computer and on a USB flash drive or external hard drive. The ideal, he emphasizes, is that the key is not kept next to the computer.

The copy must be outsourced. If your house burns down, if you lose your laptop or your access to Google Drive, you’ll have that third copy on a physical key so you can recover your data.

Alexandre Fournier, founder of Crisis & Resilience

“When you go to the cloud, you have no assurance that you will be able to access your data overnight, whether due to an involuntary or voluntary situation. »

Can our data disappear forever?

All the specialists interviewed agree that there is no such thing as zero risk. But financial institutions have to follow stricter rules than SMEs and insurance companies, they say.

It is more likely that it is due to theft, manual error, improper handling, or an employee deleting a specific customer’s data, and not all data will be affected.

Patrick R. Mathieu, computer security specialist and co-founder of Hackfest

“It would not be impossible for a customer of a financial institution to temporarily lose access to their data (e.g. online), agrees Pierre-Luc Pomerleau, partner at VIDOCQ, a risk management company. However, it must be understood that the customer’s data would not have been lost with all the mechanisms in place. These may be temporarily unavailable due to an incident, however the financial institution would make every effort to restore service and access to data as soon as possible. »

“Banks are highly secure organizations known for their advanced cybersecurity and privacy practices,” says Mathieu Labrèche of the Canadian Bankers Association.

In July 2022, the Office of the Superintendent of Financial Institutions (OSFI) released the final version of Guideline B-13, outlining its expectations for risk management related to technology and cyber risks.

The Bureau is currently conducting a public consultation and awaits public input on risk management, particularly in relation to third parties to consider the transfer of data from one cloud service provider to another. The consultation period ends on September 30th.

The press contacted seven financial institutions. Only Desjardins wanted to explain that his customers’ data could not disappear overnight because it is stored in multiple places, both in their secure centers and externally.

“We have backup mechanisms that cover disaster scenarios and aim to minimize the impact of a major outage,” says Chantal Corbeil, Spokesman for the Desjardins Group, which invested $300 million in its security office in 2021, which employs 1,100 experts.

This is part of backup management best practices.

According to security specialist Patrick R. Mathieu, Desjardins and RBC are among the most advanced in the field of technical security testing. The level of preparation is not the same from one organization to another, he notes.

In the event of a cyber attack, data destruction and natural disasters, financial institutions have several mechanisms in place to minimize the negative impact on corporate data accessibility, says VIDOCQ’s Pierre-Luc Pomerleau. The backups are performed at different physical locations in different regions, he explains, while the teams ran simulations upstream to deal with different types of incidents and restore the greatest possible service as quickly as possible.

However, in a more serious context, another problem may arise. “If we take the example of Ukraine where banks are physically destroyed, even if there is a second backup location and it has been tested, employees must be willing to recover the data from the bank instead of being with their family.” , concludes Patrick R. Mathieu.

Leave a Comment