5 data security and compliance challenges every financial services firm faces
As the financial services industry faces growing volumes of sensitive data, it must strive to overcome a range of compliance and security challenges.

The rapid digitization of finance has rendered traditional perimeter security measures obsolete in many cases. Physical barriers and network firewalls are no longer nearly enough in a world where money is moved around the globe in seconds and potentially sensitive data is coming in from an increasingly broad array of sources. Client demands have also grown in an age when people are used to the convenience of things like instant payments, automated loan approvals, and mobile banking.
These developments have added new layers of complexity that financial services companies need to tackle to continue delivering a customer-centric service without compromising privacy, security, and compliance. In the era of increasingly disparate computing architectures, these challenges start and end with data governance, simply because it is impossible to adequately protect what you don’t know about. A data-centric security methodology tackles the challenge at its source – the rapid proliferation of data.
#1. Tackling the growth of dark data
While most discussions around dark data focus on its untapped value in business intelligence, it is even more important to consider the security risk it poses. Dark data, by definition, lacks proper governance. Complicating matters further is the fact that dark data is growing at a rate many companies are struggling to keep up with. In the finance sector, one of the most common sources of dark data is legacy systems that lack the throughput and compatibility necessary for deriving real-time insights. Moreover, dark data typically stems from lax data management strategies, which is something every financial institution should work to remedy.
#2. Unifying information governance
Many established firms are still struggling to break away from the siloed business model, in which different departments and branches have access to different data. Aside from being a significant burden on productivity and informed decision-making, this also means there is far less likely to be a unified way of governing and protecting that information. While compliance and security policies might apply across the organization, actually enforcing them is a different matter given the disparity between different computing systems. For example, older systems might not support current encryption standards and algorithms.
#3. Protecting complex supply chains
While there is no denying the benefits of online storage and distributed computing, they do open up a new set of risks and challenges. These challenges are even greater for companies that do business globally, due to the more complex regulatory landscape. For example, GDPR requires that all personally identifiable data pertaining to citizens of the EU remains within the borders of the EU. Whether outsourcing data storage or any other operation, financial services firms must conduct extensive due diligence tests to be sure such arrangements do not end up being in breach of local regulatory regimes. After all, increasingly complex supply chains are another favorite attack vector for threat actors like organized cybercrime and state-sponsored attackers.
#4. Clamping down on insider threat
The unfortunate truth is that most cyberattacks come from inside the company. Banks and other financial services firms are among the most common targets of insider attacks carried out by disgruntled employees or by those particularly susceptible to social engineering attacks. When you have huge amounts of data collected and stored across a disparate infrastructure, it is far more difficult to enforce your security policies. The easiest and most effective way to mitigate the risk of insider threat is to adopt the principle of least privilege, whereby employees only have access to the data they need to do their jobs. Comprehensive monitoring will also help by alerting administrators to any potentially risky and noncompliant activity.
#5. Guarding against data loss
Data loss is an omnipresent danger for any company. Data, in its various forms, is an integral and indispensable asset for financial services firms, which also means it is a common target for ransomware and other threats. Even if the data itself is protected beneath multiple layers of security, such as encryption, that doesn’t mean it can’t still be rendered inaccessible. Also, even in situations where the data isn’t stolen, a data loss incident could result in a breach of compliance with data-retention rules, especially if you haven’t made demonstrable efforts to reduce risk. To counter the pervasive risk of data loss, companies should adhere to the 3-2-1 backup rule or better, in which there are three copies of your data, including two on different media and one copy off-site.
