IBM Security’s Cost of a Data Breach Report 2020 reports that the financial services industry suffered the third highest number of security breaches last year, topped only by healthcare and energy. The average cost of a breach: $5.85 million.
It’s not surprising that the financial services sector is the target of bad actors. The industry is well aware of this fact. On average, financial services companies spend 10% of their IT budgets – or $2,700 per full-time employee – annually on cybersecurity measures.
Given this investment, how is financial services nevertheless still among the most vulnerable industries when it comes to data security?
As I see it, there are several reasons.
Security vulnerabilities in the financial services sector
Like many other sectors, financial services has embraced the concept of digital transformation, increasingly shifting to online services, advanced data analytics and infrastructure modernization. Unfortunately, Security Boulevard reports that 74% of the applications that financial services use have security flaws (sadly, a figure actually better than many other sectors).
With so many security flaws at the application level, a breach is practically inevitable. Assuming that prevention will never be 100% effective, organizations naturally focus on response speed. As it turns out, however, companies in the financial services sector often lag behind their counterparts in other sectors. Security Boulevard attributed this to three factors: the use of older applications, the unwieldy size of many financial institutions and the failure of security-focused employees to use best practices in safeguarding data. Case in point: the Equifax breach, which an analysis shows could have been prevented by more attentive oversight of Apache Struts, a web application framework widely used by large enterprises.
While they may have more resources to invest in security, large financial services companies also have at least two disadvantages on this front. Besides the slower response times to breaches, large organizations offer cybercriminals a bigger attack surface. One of the most effective ways for bad actors to gain access to a company’s data is through its employees, and large financial institutions employ a lot of people. A 2016 survey found that 58% of all breaches in financial services were attributable to “insider involvement.” That involvement was usually inadvertent: over 90% of these breaches were accidental, the result of employees falling for phishing schemes or related subversions. Only 10% were intentional, carried out by employees acting with malicious intent.
Data protection vs data monetization
When banks, insurance companies, brokerage houses and other financial institutions fail to protect the data they hold – personally identifiable information, credit-card information, proprietary business information, intellectual property, etc. – it does not impact them alone. It also impacts their customers.
Accordingly, a host of regulations has emerged over the years aimed at protecting consumers and their data. These include the Payment Card Industry (PCI) Data Security Standard (instituted in 2004), the New York Department of Financial Services Cybersecurity Regulation (2017) and the General Data Protection Regulation (2018). Even the Sarbanes-Oxley Act of 2002 – passed largely before cybersecurity was a threat – is now seen to have implications for financial services’ data-protection efforts.
While obligated to follow explicit guidelines governing the protection and processing of data, leaders in the financial services segment recognize the business value of gathering and sharing even more information than they do now. A trend along these lines that emerged in Europe and has recently taken root in the United States is “open banking.” This is a data-sharing endeavor that provides access and control of customer personal and financial data to third-party service providers.
Open banking helps banks and marketing organizations better understand customers and offer them appropriate products, as well as structure loans based on a fuller understanding of an individual’s financial picture. Consumers benefit from this more complete view of their finances and can take advantage of easy-to-use mobile apps driven by the information-sharing that open banking represents.
Open banking, naturally, is not free of its own security problems. “Bad bots” – software programs employed by cybercriminals – have been unleashed on the APIs that are the basis of open banking, growing by about 30% in the first 6 months of 2020 over the previous year. If they break through, these bots can cause the loss of PII and business data, carry out DDoS attacks, and even execute fraudulent transactions.
In other words, the risks to which financial services organizations are exposed will continue to grow, and along with them the complexity of the regulatory standards to which these organizations are subject.
Addressing data vulnerabilities and data protection requirements
In response to cybersecurity breaches – particularly those occurring inadvertently because employees fall for phishing schemes – many institutions have turned to training as a way to plug security holes. The assumption is that mindfulness of potential threats can head off many of them.
While training is important, that’s not a solution that necessarily scales well, nor can a large financial enterprise expect its thousands of employees to be consistently vigilant. Since technology has created the data-security problem and the resultant regulations, technology should help financial services companies respond effectively and efficiently.
At Sotero, we’ve worked hard to develop an elegant solution that helps on both sides of this equation. As one small example of how we have helped financial institutions encrypt data in a way that helps them conduct business while adhering to compliance requirements, we had a client that needed to move customer data back and forth between Europe and the United States to facilitate proxy voting. The GDPR restricts such flows, as we noted in an earlier blog on a recent decision involving Facebook and the EU. With the help of our solutions, the data remains encrypted while in use and our client stays in compliance with the regulation.
Our products, Sotero Protect and Sotero Opaque, are designed to accommodate the need to protect data while letting companies take advantage of the business and marketing opportunities that data affords. By keeping data encrypted at all phases – at rest, in transit, and in use – value can be extracted while ensuring sensitive information stays hidden. Want to know more? Get in touch and we’ll set up a demonstration.