Simon Hill, Head of Legal & Compliance, Certes Networks
Financial institutions manage a large volume of sensitive information about their customers. However, the protection of sensitive data in line with regulations, both for banks and other financial services organisations, is currently a big challenge. The way these organisations operate has changed dramatically in recent years. This is mostly due to the fact that financial institutions are not only heavily regulated by data privacy requirements, but they are also under mounting pressure to be open to consumers and businesses about how they are protecting their data from potential breaches.
Additionally, no bank or financial services organisation wants to face the consequences of a data breach. This is demonstrated by the fallout of numerous data breaches in the industry over the years – from Capital One in 2019, to Equifax in 2016 and Tesco Bank in 2017. In the case of the Capital One data breach, a hacker was able to gain access to 100 million Capital One credit card applications and accounts. This included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Additionally, an undisclosed number of people’s names, addresses, credit scores, credit limits, balances and other information dating back to 2015 was involved, according to the bank and the US Department of Justice.
What’s more, the damages of these data breaches are not only reputational, but also financial. As a result of Equifax’s data breach, the organisation reached an agreement to pay at least $575 million and up to $700 million to compensate those whose personal data was exposed. In 2016 Tesco Bank was fined £16.4 million by the Financial Conduct Authority (FCA) over its “largely avoidable” cyber-attack that saw criminals steal over £2 million from 34 accounts. This clearly shows that these consequences can arise no matter how ‘large’ or ‘small’ a data breach may seem; companies that do not encrypt their data adequately enough to safeguard it will be penalised.
On top of this, the increasing expectations of consumers means that banks and financial institutions are trying to achieve a balancing act: how can they protect data privacy, while at the same time remaining transparent about how data is being protected? However, it doesn’t have to be a trade-off between meeting customer expectations and meeting cyber security compliance requirements. Banks and financial services organisations can utilise technology to the fullest extent while still protecting data and avoiding the unthinkable repercussions of a data breach.
The balancing act
To achieve this balance, banks and financial services organisations need to take greater measures to control their security posture and assume the entire network is vulnerable to the possibility of a cyber-attack. Robust encryption and controlled security policies should be a central part of an organisation’s cyber security strategy. When stringent policies are generated and deployed, it enables greater insight into applications communicating in and across the networks. New tools are now available to enforce these policies, not only impacting the application’s workload and behaviour, but the overall success of the system access.
Banks and financial services organisations should not have to worry about keeping data secure and protected when it is entirely possible to do so. Adopting new ways to look at how organisations define policies through micro-segmentation and separating workloads by regulations, is one example of how to keep data more secure. Also, ensuring policies define only those users who have a critical need to see the data limits network vulnerabilities. And lastly, a robust key management system that is automated whereby keys are rotated frequently, can also help to safeguard system access and strengthen the organisation’s security posture.