Data security in financial services has become a matter of survival. Financial services consumers are increasingly concerned with how their data is protected. A startling 70% of consumers will stop doing business with a company after a cyberattack. Loss of consumer confidence in conjunction with regulatory fines and penalties is a solid one-two punch for any business, but 78% of consumers are most protective of their financial data.
Banks and financial service organizations need to focus on covering their assets and their customers’ data. This article looks at the different privacy regulations and the ways data-centric security helps meet them.
Key Players in Financial Data Protection
When it comes to financial data protection a few important names appear repeatedly. These affect almost all organizations doing business in the United States and many abroad. Sarbanes Oxley (SOX), Payment Card Industry (PCI), General Data Protection Regulation (GDPR), Gramm-Leach-Bliley Act (GLBA), and California Consumer Privacy Act (CCPA). Even though they cover slightly different areas. They have several similarities. By meeting the requirements for one compliance mandate, an organization can often meet most, if not all, of the requirements for others.
Sarbanes Oxley (SOX)
– Focuses on the overall integrity and security of financial reporting and data handling. These standards require internal controls to be documented, tested and utilized consistently for financial reporting, which requires protecting the data integrity of the accounting information that goes into these reports. All changes to financial information must be tracked and accounted for to maintain SOX compliance.
Payment Card Industry (PCI)
– Focuses on protecting customer data and the confidentiality and integrity of all payment card transactions for a business. Meeting this standard requires verification by audit to ensure that controls are in place and are being followed consistently.
General Data Protection Regulation (GDPR)
– Focuses on protecting consumer information and empowering them to make informed decisions about how this data is collected and shared. To meet GDPR, organizations need to understand what data they collect and how it is stored and shared. Even though this is a European regulation, the requirements apply to any business that handles data of European citizens or residents.
Gramm-Leach-Bliley Act (GLBA)
– Focuses on the need for financial institutions to protect customer information. GLBA targets sensitive personal data including social security numbers, credit history, and account numbers. Organizations that fail to comply with GLBA face significant financial penalties from the Federal Trade Commission (FTC)
California Consumer Privacy Act (CCPA)
– This regulation covers very similar territory to that covered by GDPR. It also focuses on consumer data and gives consumers the ability to understand and control how their data is handled. The most significant difference here is that it applies to organizations doing business in California and has a gross annual revenue of over $25 Million.
Penalties for Non-Compliance
Failure to be compliant has direct consequences for financial organizations often in the form of fines that persist until the problem is resolved.
|Compliance Framework||Penalty For Non-Compliance|
|● Delisting from stock exchanges|
|● Jail for executives if non-compliance is due to negligence|
|GLBA||● Fines to the organization|
|● Fines to officers and directors|
|● Jail time and revocation of licenses|
|PCI||● Monthly fines of $5000 to $100k until compliance restored|
|● Restriction on the ability to accept payment cards|
|GDPR||● Fines up to 20 Million Euros or 4% of global annual turnover, whichever is greater|
|CCPA||● Fines of $2500 per incident|
|● Ability to be sued by consumers for any actual damages resulting from non-compliance|
The Future Is Unknown
The regulations listed above are just the starting point. As technology, data collection, and cybercrime evolve; future compliance mandates will appear. As consumers become more concerned about how their data is handled, states and nations consider new regulations. While nobody can be sure what these new regulations will specifically contain, it is sure to focus on consumer data security in some form.
Preparing for this unknown future requires organizations to lean into data-centric security making data the focal point for security practices. Data-centric security starts with identifying where all of the critical data resides. To protect data, organizations need to know what it is and where it resides. After identifying the data, a data-centric security model classifies it for risk to determine appropriate security controls. These controls focus on access, encryption, and threat detection to protect the data and guard against being disclosed or altered inappropriately.
Controls in Combination
Using a data-centric approach to security requires a holistic approach because many controls work best in tandem. This is because there is overlap in how they work. Integration is crucial for optimal data protection.
Access management controls are the first piece of this system. They are put in place to limit who can view or alter the data. These controls should focus on ensuring individuals have only the access they need to complete their duties. Building these controls should be done with scaling and future-proofing in mind, rather than assigning individual access, using role-based access to manage individual permissions efficiently.
The second component is encryption. It is put in place to guard against data being viewed or altered by those who should not have access. Using encryption controls, the data is completely unusable and unalterable by those who do not have access to the key. Using access controls to limit access to the key strictly is crucial for making encryption functional.
The final component is threat detection to identify misuse of access or inappropriate attempts to access data. Threat detection works with the access management and encryption pieces to gather expected access information to make these determinations. This control is an essential piece of the data-centric security model as it limits the impact of those who have stolen credentials or insider threats attempting to steal data.
Prepare for Challenges Today, Tomorrow, and Beyond
While many security solutions may provide encryption or access control services, Sotero bundles it all into a cohesive package. With an end-to-end encryption solution, Sotero is the only solution that can keep data encrypted throughout its lifecycle and only decrypted if the user has the correct user privileges. Sotero is not just for protecting structured data such as databases or spreadsheets but can also safeguard unstructured data such as PDFs and word documents, ensuring that all of your data is safe.
If you are interested in learning more about unstructured data protection, schedule a call today.