The importance of data security compliance for Banks & Financial Services

For banking and financial services, personal data protection is not just a competitive advantage but a precondition for staying in business. International and industry-specific mandates for the protection of personal and financial data apply to every public or private enterprise that handles financial data, whether as a data controller or as a data processor.


Conducting due diligence on the company's own systems, and on any systems provided by a vendor, is a vital step towards security compliance and towards minimising the risk of data breaches.

The most common cyber threats to financial services in 2017 were increasingly account-centric: attacks on personal accounts leading to identity theft and to a breach of trust between the service provider and the customer. Malware attacks on ATM systems are a rising trend, as are intrusions into a bank's own network that are then used to target its customers with messages sent from genuine employee mailboxes. Basic phishing attacks aimed directly at customers remain popular, but they offer a lower payoff than the takeover of a whole system and its database.

The core approach to cybersecurity in a financial institution must include a solid organisational structure and clear reporting lines for security operations; an experienced chief information security officer; a securely configured network environment (including any cloud-based services the business relies on); and an office culture that embeds security awareness in every operation and knowledge flow. Regular risk assessments must be the foundation of threat mitigation in banking and financial services, whatever the size or business model. Incident reports and periodic reassessment feed the threat models from which prevention strategies are designed. A purely reactive approach to cybersecurity is no longer enough; a proactive stance is essential for effective threat prevention.

Encryption and virtual private networks

Encryption of data at rest and in transit, including for the cloud-based services used in internal operations, is a baseline control for basic cybersecurity concerns rather than a complete solution.
Many virtual private network providers encrypt all traffic between the devices of a corporate or personal network, securing the channel over which data is exchanged; NordVPN is one of them. Two caveats apply. A VPN protects data only while it is in transit between the VPN endpoints: it does nothing for data at rest, and it does not stop an attacker who already holds valid credentials or controls an internal host. And a consumer VPN service, which tunnels a device's traffic to the provider's exit servers, is a different product from the corporate remote-access or site-to-site VPN that would actually sit between a branch, a data centre and the staff who work there. Banking malware attacks are decreasing in number but growing in sophistication: once attackers control part of a bank's network, they can target customers in bulk with fraudulent emails sent from genuine addresses to harvest credentials. A VPN is therefore only one of the measures required. Two-factor authentication for employee and customer access to all financial and payment services is another, and because the attack just described relies on stolen passwords, the second factor should be one an attacker cannot obtain simply by phishing (a hardware authenticator bound to the site's origin, for instance, rather than a code sent by SMS).

When a malware attack is directed at an individual user, its goal is to obtain financial data or to commit identity theft. When it targets the employees of a financial service provider, the intended damage is much broader: from access to the customer database to the compromise of the company's entire systems and financial resources.

Basic security standards

Basic security standards for financial service providers are adhered to by all global operators. PCI DSS, for example, applies to every organisation that stores, processes or transmits payment card data, including any company that accepts card payments online, and requires the company handling that data to comply with its standards for processing, storage and transfer. PCI DSS sets minimum requirements for the encryption of cardholder data in transit over open networks, the protection of stored data (the full card number must be rendered unreadable wherever it is stored, and masked for display unless there is a legitimate business need to see it), logging and monitoring of access to data, restriction of access to cardholder data on a need-to-know basis, and authentication for access to system components. A combination of physical and logical controls protects stored customer data from use in identity theft, and encryption of transmitted data protects it from interception by third parties.
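As an added illustration (not code from the original article), the following Python applies two of the storage rules above to the primary account number (PAN): masking for display, which PCI DSS limits to at most the first six and last four digits, and rendering the PAN unreadable at rest by replacing it with a keyed index token. It also scrubs card numbers that leak into application logs, which are a store of cardholder data like any other. The token key, the log lines and the helper names are constructed for this example; in production the key would live in an HSM or key-management service, not in process memory as here.

```python
import hashlib
import hmac
import re
import secrets

# Constructed for this example: in production this key is held in an HSM/KMS,
# never generated or kept in application memory like this.
TOKEN_KEY = secrets.token_bytes(32)

# Any run of 13-19 digits is a candidate PAN; the Luhn check below filters
# out order numbers, timestamps and other digit strings that merely look alike.
_PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan):
    """Luhn check-digit validation (ISO/IEC 7812) over an all-digit string."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: first six (the BIN) and last four at most, per PCI DSS 3.3."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan, key=TOKEN_KEY):
    """Index token that replaces the PAN at rest and supports lookups.

    A keyed HMAC rather than a plain hash: with the BIN and last four known,
    only the middle digits are secret, so an unkeyed SHA-256 of a 16-digit PAN
    can be brute-forced in on the order of 100,000 Luhn-valid guesses per card.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_pans(line):
    """Replace every Luhn-valid card number in a log line with its masked form."""
    def _sub(match):
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return _PAN_CANDIDATE.sub(_sub, line)


def scrub_log(lines):
    """Scrub a batch of log lines before they are written to storage."""
    return [redact_pans(line) for line in lines]


# Constructed sample log lines: 4111111111111111 is a well-known Visa test number,
# 1234567890123 is a 13-digit reference that fails the Luhn check and must survive.
SAMPLE_LOG = [
    "2019-03-15T10:02:11Z payment ok pan=4111111111111111 amount=42.00",
    "2019-03-15T10:02:12Z order ref=1234567890123 status=queued",
]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
    print(pan_token("4111111111111111"))
```

The scrubber keys on the Luhn check so that genuine card numbers are masked while other long digit strings pass through untouched; the token is deterministic per key, which is what allows a stored record to be found again by card without the card number itself ever being written down.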

Social engineering

Staff training is another important step in a data security strategy. In financial services, data breaches are most often caused by targeted attacks by experienced attackers, but human error and negligence remain a common cause of breaches worldwide. Training is a continuous process that belongs in the due diligence mechanism, so that staff recognise the risk of an accidental malware download and the other tricks that social engineering relies on. Each staff member has unique access credentials that must be reviewed and rotated on a regular basis, and revoked promptly when a role changes, to limit the window in which a compromised credential can be used for malicious purposes.

Management and reporting

At management level it is essential to establish a direct reporting line. Having the CISO report directly to the CEO may be one of the factors behind effective cyber threat mitigation in major banking and financial companies.

Data breaches are costly, especially for companies that provide financial services, process banking transactions, or engage a third party to process online payment transactions. The average cost of a data breach in the financial industry is $245 per stolen record, the second highest after the healthcare sector. Depending on the number of individual client records your company handles, the cost of dealing with a breach therefore scales accordingly. A compromise of client financial data results in large costs to contain and eliminate the threat: communications and public relations, investigation, help desk services, legal expenses, client compensation, and much more. Preventive and risk mitigation measures that avoid breaches thus benefit not only the data subjects (clients) but also the reputation and financial well-being of the company. Under the EU GDPR, a personal data breach must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it, and communicated to the affected individuals without undue delay where it is likely to result in a high risk to them. All states in the USA now have laws obliging companies to notify users of data breaches.

It is also true that the faster a breach is identified, the lower the cost of containing it. Industry studies show that almost half of data breaches are caused by malicious criminal attacks, which are much harder to identify and contain and therefore end up costlier than breaches caused by human negligence or system glitches.

One of the main consequences of a data breach for a financial service provider is the loss of customer trust and, with it, the loss of customers. For financial service providers, a customer once lost is usually lost for good. For many organisations, communicating the data security compliance strategy to customers and other stakeholders is one way to mitigate the loss of trust if a breach does occur.

Finyear


Read the daily Finyear newspaper and its daily newsletter for free.
Receive the Finyear newsletter by email every morning: a daily selection of the best news and expertise in digital finance, corporate finance and crypto finance.


Friday 15 March 2019

