Here’s a Case Study from the banking industry that will send shudders down the spines of customers…
Much to its dismay, a national retail bank discovered that as many as two thousand customer records had been surreptitiously vaporized by its own employees, a short while before they were to join a rival firm. The ledger of losses included a vast number of records, such as bank account details, financial statements, tax returns, Social Security numbers and allied sensitive personal data.
Data Loss: The Omnipresent Danger
Data, in its various forms, constitutes an indispensable and integral aspect of financial services and banking firms throughout the world. This puts the onus on financial services firms to provide fool-proof security to instill faith in their customers, and also to send out a strong message that combating online threats is a prime objective. After all, it only takes the click of a mouse by a determined hacker to steal cardholder data, account information, transaction information and personal data.
So, firms cannot afford to get complacent at any cost. Moreover, the fact that most of the information produced or utilized by financial services firms is private and sensitive, in addition to being stringently regulated, makes data and cyber security paramount.
In a 2014 report on Cyber Security in the Banking Sector, the New York State Department of Financial Services found that close to 90% of the 154 institutions it surveyed, of both local and global standing, reported the existence of an information security framework. Various measures were in place to ensure the smooth functioning of day-to-day activities. Leading this list were cyber risk management and audits, followed by incident monitoring and reporting, with added impetus on security tools and training.
But there seems to be no let-up in the rise of cyber-crimes, which have gotten more and more daring with each passing year. Little wonder then that a survey by the Ponemon Institute, which conducts independent research on privacy and data protection, revealed that nearly 45% of senior executives stated their company experiences cyber-attacks hourly or daily. Also, 80% of CEOs believe that good data protection measures enhance brand value.
Despite global IT security spending increasing 11% per year over the past decade, there seems to be much that needs to be done, and on a war footing. This urgency stems from the infamous Carbanak malware attack earlier this year, in which hackers played havoc with over 100 banks spread across 30 countries. The total loss was estimated at a whopping $1 billion.
According to a report titled ‘2014 Cost of Data Breach Study: Global Analysis’ by the Ponemon Institute, financial services firms suffer one of the highest per capita data breach costs per company, valued at $206 million.
Challenge for Financial Firms: Retaining Customer Confidence
A study by the prestigious Deloitte Center for Financial Services, titled, ‘Transforming Cybersecurity: New Approaches for an Evolving Threat Landscape’, revealed that well before the Carbanak malware attack, malicious cyber-security infractions in 2013 left U.S. financial services enterprises poorer by $23.6 million. Here’s the shocker: This was the highest average loss across 26 industries. Further, this report explained that cyber-crime is on the rise… and steadily. It shows no signs of abating or ceasing―and none of accelerating either.
To prove this aspect, the study notes that a massive 88% of cyber-attacks launched against financial services companies cause severe damage in less than one day. But the contributing factor to this trend lies in the time taken to detect attacks. A mere 21% of cyber-attacks are discovered within 24 hours; and out of this, just 40% of organizations manage to salvage the situation within that time period.
The Deloitte report sums it up adequately when it reveals that customer and investor confidence, reputational risk and regulatory impact are far greater losses than monetary considerations.
Financial services firms have their task cut out. They should aim to meet all the data security issues which occur during daily operations. Here are some ways in which they can meet those needs:
- Safeguarding critical financial data with maximum return and minimum risk.
- Adjusting security postures as external attacks on financial infrastructure and online properties increase and change.
- Protecting against the traditional concerns with insiders and privileged users, while also dealing with the additional hazards that compromise of these accounts may bring.
According to Ernst & Young Global Limited, the multinational professional services firm headquartered in London, United Kingdom, the intensity and high visibility of cyber-breaches the world over have brought a spurt of fresh emphasis from regulators. Data protection requirements for organizations, particularly breach notification rules, are becoming stricter, and enforcement penalties are on the rise.
EY adds that from a company’s perspective, reducing the risk of data loss reduces regulatory risk and helps to protect the company’s brand, strategic business data and intellectual property.
Debilitating Effects of Data Loss
- Brand damage and loss of reputation
- Loss of competitive advantage
- Loss of customers
- Loss of market share
- Erosion of shareholder value
- Fines and civil penalties
- Litigation/legal action
- Regulatory fines/sanctions
- Significant cost and effort to notify affected parties and recover from the breach
Analyzing Cyber Breaches, Thefts and Losses
Verizon’s 2014 Data Breach Investigations Report analyzed the potential and imminent security threats in 20 different industries and concluded that: “Financially motivated attackers are hyper-focused on gaining access to the money, so it follows that their two primary target industries are the financial and retail industries, where data that easily converts to money is abundant and, all too often, accessible.”
Not just that, the report further explains that within the financial industry itself attackers are determined to gain access to the user interface of the Web (banking) application, even more than exploiting the Web application itself, “… because the application grants logical access to the money. This means they target user credentials and simply use the Web applications protected with a single factor [i.e. password] as the conduit to their goal.”
One quarter of the financial services firms that were surveyed by PwC (PricewaterhouseCoopers) and CIO and CSO magazines for a study titled, ‘The Global State of Information Security Survey 2015’, exposed over 50 security incidents in the last year alone.
An overwhelming 74% of firms declared that they had sniffed out at least one security breach or flaw during that time period. This exhaustive study was based on a survey of a total of 9,700 business and technology executives from all across the globe between March and May 2014.
Quite surprisingly, 44% of the financial services firms that participated in this comprehensive survey stated that their current employees had a hand in the cyber security incidents they had encountered. However, only 35% of the respondents from all industries combined believed that their current employees were behind these incidents. Former employees (28%), hackers (26%) and competitors (20%) made up the rest of the list of possible meddlers.
The financial services firms surveyed noted a number of ways in which they were impacted by security incidents, including having customer records compromised (34%), employee records compromised (26%), theft of “soft” intellectual property such as processes and institutional knowledge (21%) and personally identifiable customer or partner information (18%).
In the next part of this article, we will delve into risk management, combating targeted cyber-attacks, ways to prevent data loss and more.