
How to Improve Data Security in the Financial Sector

Financial service organizations including banks, wealth advisors, insurance providers and others rely on data to power their business. As a result, they hold vast amounts of highly sensitive personal information, and today all of it is of course digital. This treasure trove of data makes the financial services industry a highly valued target for cyber criminals, and a quick check of the headlines proves they have been busy taking what they want from many. From Capital One to Equifax and countless others in between, data breaches across the financial sector are massive both in scope and cost.
High Cost of Data Breaches
As this year’s Cost of a Data Breach Report by the Ponemon Institute again shows, the price tag for falling victim to hackers continues to climb. The global, cross-industry average cost is now $3.92 million – an increase of 12% over what it was just 5 years ago. Driving the rising costs for all U.S. organizations is the lost business that results from a breach including lost customers, system downtime and general business disruption.
Adding further insult to injury, the financial impact of a data breach can last for years, particularly for highly regulated industries like financial services. Long, complex governance processes in which legal fees and fines are dragged out for long periods of time are painfully common. As the regulatory environment continues to evolve, with new state data protection laws such as the California Consumer Privacy Act (CCPA) coming onto the scene for example, compliance challenges and associated fines for financial services and other industries will only grow.
3 Steps to Better Data Security
How are cyber attackers getting in? Several studies have looked at this, and for the financial services industry specifically, most currently point to phishing attacks as the primary culprit. Intended targets include both the institution’s employees and its customers.
Regardless of tactic however, there are a few steps you can take to improve your security posture.

Know your endpoints. Comprehensive asset intelligence equips IT and security teams with the full story of their device population and provides a single source of truth on where your devices are, how they are being used, and whether or not your security controls are working as they should. The 2019 Endpoint Security Trends report found that 42 percent of all endpoints are unprotected at any given time and that 100 percent of endpoint security agents eventually fail. Timely insight into your users, your device fleet, the apps they run, and the data they touch will help you identify blind spots that often represent a breach waiting to happen.

Fortify endpoint resilience. To mitigate risks and potential security exposures, ensure your endpoints are self-healing machines capable of safeguarding distributed data without the need for human intervention. Automated self-healing is critical when it comes to fending off the barrage of attacks you (and your users) face every day. Absolute is already embedded in your devices; you just have to activate it. OEMs, including Dell, HP, Lenovo, and Microsoft, ship their machines with Absolute’s firmware-enabled Persistence™ module. With this unshakable connection to every device, Absolute examines hygiene and compliance drift, regenerates controls and boosts the resiliency of all your endpoints.

Implement the NIST Cybersecurity Framework (NIST CSF). Because much of the high cost of a data breach comes from compliance failures, continuous compliance must become your new normal. Ongoing, flexible checks that adapt to any standard, such as GDPR, SOX or PIPEDA (among others), are needed to identify and restore critical security controls, including AV, encryption, EDR, DLP and VPN, that cause compliance drift when disabled or outdated. One way organizations are responding to this continuous need for visibility and control is by adopting the NIST CSF. The repeatable framework supports proactive cybersecurity disciplines and enables scalable operations. For more, read: How to Use the NIST Cybersecurity Framework.

The financial services industry doesn’t have the sole attention of cyber criminals – no industry is immune to attack anymore. But knowing your specific risks is the first step in providing better protection for your organization as well as your customers.
For more information on how Absolute helps financial organizations protect data and remain compliant, see our solution sheet.

GDPR: The Why and How for Financial Services

As data protection breaches have become daily headline news and everyone becomes increasingly sensitive about privacy, the regulatory regime is getting tougher. Data protection laws in Europe are more important than ever before – especially as the implementation deadline of the General Data Protection Regulation (GDPR) looms.
Regulators are consequently increasingly concerned about the way in which financial services organizations hold and manage data, particularly where the actions of a financial services organization could expose customers to identity theft. But according to a new study by Veritas Technologies, just 2% of organizations are GDPR compliant today, with less than a year to go before full compliance will be required in May 2018.
GDPR: radical changes
The overall aim of GDPR is to make privacy laws fit the needs of the 21st century. There is major emphasis on enforcement as the new regime has increased penalties for breaches, with fines of up to 4 percent of a corporation’s annual global turnover. In addition, it introduces mandatory data breach reporting requirements similar to those that exist in most US States, but with a requirement to report a breach usually within 72 hours.
To describe the new rules as an update or a refinement in the current data protection regime is not accurate. This is not a fine-tuning of the law; a far more fundamental change is taking place. The new rules are much more detailed, demanding and onerous. GDPR is a recognition that there is a political impetus in having new and tougher laws. Many in Europe care much more about data – and especially data breaches – than they did 20 years ago.
Achieving the 72-hour reporting window
To have a realistic chance of reporting a breach within 72 hours under the new rules, a security vendor would need to advise of the breach within 24 hours. The primary responsibility to report a security breach will fall on the data controller, but most of the breaches we see are the responsibility of a vendor. Firms will need a contractual obligation to make sure the vendor tells them in time so that they can meet their reporting obligations. Even when you know of a breach, you still have work to do to get it into the right format to make a report.
As a vulnerable sector, financial services will have to take special care to put in place adequate policies, procedures and training to ensure breaches are reported within the 72-hour period. Bear in mind that as well as reporting a breach to data protection regulators, firms may also need to tell financial services regulators, other financial services companies (for example because of contractual requirements they have agreed to) and the individuals affected.
The need for a DPO
Another important result of the new rules is that organizations may need to have a data protection officer (DPO) to deal with data protection compliance issues.
In the past, some organizations have not applied enough rigor in their approach to data protection. A few people within the company may have had some training, but it’s now likely that organizations will feel obliged to appoint a properly trained DPO. The appointment of a good DPO will be useful when dealing with data breach issues and in ensuring that an organization takes a proportionate view of its risk to keep its customers and reputation safe. The DPO should be independent in the performance of their tasks and report directly to the highest level of management.
We know that the new data protection regime will bring considerable responsibility and sanctions for companies that handle data, and financial services businesses are more at risk than most. As such, complying with the new rules will be a considerable challenge, and it will take some time to implement the necessary policies and infrastructure. What is certain today is that organizations must start now in order to be properly compliant when the new rules are in place.