Finance Sector Faces Three-Pronged Challenge On Data Security
-GDPR remains the priority but financial services also facing challenge from PSD2 and MiFID II-
In the early days, cybersecurity was much easier; businesses could protect critical information by hiding it behind a firewall on a physical server somewhere that could only be accessed by authorised individuals.
In the last five – or even ten – years however, protecting data has become considerably more difficult and complex. The growing use of smartphones, cloud computing technology, IoT-enabled devices and the availability of information have made it easier than ever for businesses to be exposed online – anywhere and at any time. The simple fact is that in 2017, anyone with a mobile phone could pose a potential threat to the most “sophisticated” of security systems.
Earlier in 2017, we witnessed two of the most devastating cyber attacks of the year: WannaCry and Petya. The WannaCry attack brought down parts of the UK’s National Health Service (NHS), along with Spain’s Telefonica, FedEx and Deutsche Bahn also being hit. Petya, on the other hand, took over a number of computers and demanded $300, paid in Bitcoin. The malware caused serious disruption at large firms in Europe and the US, including the advertising firm WPP, Saint-Gobain and Russian steel and oil firms Evraz and Rosneft, according to The Guardian.
The finance and banking industry, more so than any other – is routinely targeted. In the UK alone, 75 cyber attacks on financial services took place in 2016 – a staggering amount compared to the five that took place in 2014. The Financial Conduct Authority (FCA) acknowledged that cyber attacks were increasing rapidly, year-on-year; five in 2014, 27 in 2015 and 75 in 2016.
But it’s not just cyber attacks that are forcing those in the financial services sector to re-evaluate their defences, but also the arrival of new regulations in the form of a three-pronged assault: the General Data Protection Regulation (GDPR), the Markets in Financial Instruments Directive (MiFID II), and the EU’s Payment Services Directive (PSD2).
Adhering to these regulations – particularly GDPR – might seem like a compliance burden, but it could yet be turned into an opportunity for businesses.
DataRaze’s Commercial Director, Steve Inglessis, discusses how financial services firms can prepare ahead of GDPR – sharing some top tips and highlighting why GDPR is not a compliance burden but, actually, an opportunity.
Know where your data is
While the trio of regulations all present challenges, GDPR is, at the moment, the biggest concern. Statistics from Gartner suggests as many as 50% of companies affected by the regulation are still not in full compliance.
However, according to data from Network Group Events’ 2017 Financial Services Information Security Network, 52% of chief information security officers working in the finance sector have made GDPR compliance an investment priority.
The fact is that the volume of data we create is rapidly increasing – every day we create 2.5 quintillion bytes of data – that data is varied in both size and complexity; both structured and unstructured. As a result, businesses are increasingly data-driven, utilising large quantities of data to better understand business performance, collate insights and identify opportunities to improve. This process typically involves a number of solutions – each collecting, analysing and managing data. Of course, while businesses benefit tremendously from the insights gleaned from the data analysis, often information is scattered across systems – from legacy hardware to cloud-based platforms. Consequently, a unified and holistic view of data can be hard to achieve.
Knowing where your customers’ data is kept at all times is a major step to being GDPR compliant. Traditionally, the view has been that more data equals more value, but this is not the case – it’s about data quality. Also, employees within the business might be using a variety of Shadow IT solutions (i.e. solutions outside of the business’ standard IT infrastructure) to manage data – making it harder for you to understand your current data procedures, as well as exposing your business to potential data security risks.
There’s also the problem of PSD2 to consider. PSD2 will effectively break down the bank’s monopoly on its users’ data – allowing third-party ‘merchants’, like tech companies for example, to retrieve account data directly from the bank – with the consumer’s permission, of course. It means that, with the consumer’s permission, third-party vendors can make a payment for you, rather than you having to be redirected to another service, such as PayPal or Visa.
From the perspective of both regulations, then, how that data is stored and transferred will, therefore, be crucial to ensuring compliance to both regulations. Financial services firms will need to look at maintaining the necessary level of data transparency to fulfil the requirements of PSD2, but also balancing the problem of “sensitive” data and ensuring they have acquired consent from the account holder to distribute information. Both parties – the bank and the third-party vendor – will need to have a clear process.
Taking the time to understand how your business captures, stores and processes data will help to streamline the process and standardise the systems you use. Taking these steps will enable you to assess current risk levels and develop an approach to GDPR-compliant data management. Also, by having good data quality and storage, meeting the requirements of PSD2 will be made significantly easier.
Establish data governance framework
With data volume growing so fast – and GDPR fast approaching – information management needs to change. GDPR states that businesses can only capture data for the purpose it is required, meaning firms will not be able to record information other than that which is stated. Therefore, financial firms need to first establish a data governance framework, one that ensures that only the right, high-qualitydata is collected and for the intended purpose, and then proceed to carefully dispose of data which they do not need.
This will involve updating existing IT infrastructure and improving data security measures, moving to scalable cloud-based solutions to support more streamlined data management in line with new policies. It is vital however, that legacy IT assets and data is completely destroyed and financial firms need to be sure any data disposal is compliant with new regulations.
Enlisting the services of a professional, external data disposal firm, could help with this and ensure any destruction is carried out professionally.
It is important to remember though, that even if you outsource the data destruction, your company is still responsible if this isn’t carried out properly so businesses should make sure they obtain a robust chain of custody to ensure data is destroyed safely and correctly to avoid potential problems down the line.
Remember, good data governance is not just about the collection of high-quality data, but also having a robust, industry-compliant and risk-free data disposal method.
There’s also MiFID II to be accounted for. Under MiFID II, firms are required to store recordings of all conversations related to a deal – even if the conversations do not lead to a transaction – for five years. Also, how that information is recorded is irrelevant. On the other hand, GDPR mandates that personal data should be kept in an identifiable format for no longer than necessary. How do financial services firms balance the two regulatory requirements? Firms will need to regularly review the necessity of the records in light of both MiFID II and GDPR, obtaining consent for recordings where legally required to do so.
Firms must be able to demonstrate that they have kept to the requirements of both regulations. Of course, the record keeping process will need to be regularly reviewed, but thinking about the process now, rather than later, will put businesses in a good position for the future.
Also, firms will need to invest in the right technology that makes the capturing of information compliant under both MiFID II and GDPR. A single solution for call recording – used by everyone in the business – will be absolutely necessary and consent must be acquired for every call.
Protect your data and achieve transparency
Many financial service firms share information with third parties, such as clients, suppliers, regulators or partners but as GDPR puts increased accountability on data processors, the controller/processor relationship becomes even more important.
Should one fail to protect that data in line with GDPR standards, the other will be held accountable too. To ensure ongoing compliance, financial services firms must have a handle on all of its existing data.
This includes data ownership, as well as access and data usage, and record that information in a central location – something that will be increasingly important as PSD2 comes into play. As that data is transferred to a third party, the interaction needs to be recorded and the third party must have a system in place that compiles clear and detailed reports on how the data is being used and interacted with.
Ultimately, while GDPR and other incoming, stricter, data security regulations present a lot of work for financial firms, taking the steps above will pave the way to ongoing compliance, enabling them to increase efficiency and productivity. Companies which are ultimately able to demonstrate better compliance and data security will inevitably gain the trust of customers, as well as avoiding the fines and punishments facing them from May 25, 2018.