Financial institutions are among the most regulated businesses in the world. That’s understandable given their role in a key critical infrastructure sector and rising threat levels across the industry. It’s why in the EU, the Digital Operational Resilience Act (DORA) will soon take effect, to improve baseline security efforts in the sector. Yet even as investment in cybersecurity increases, breaches continue to occur. The IMF warned recently that cyber-incidents over the past 20 years have cost the sector $12bn.
As IT infrastructure continues to evolve into hybrid cloud environments, financial institutions may have to revisit their data security strategies. The name of the game must be robust, agile solutions which work everywhere and preserve utility as well as protect critical data.
The data utility challenge
Threat actors are well aware that banks store a huge volume of sensitive personal and corporate data on behalf of their clients. That’s why “extreme losses” in the financial services sector have reached epidemic proportions of late. According to the IMF, they have more than quadrupled since 2017, to $2.5bn.
The challenge for banks is that they need to use this data to better manage risk, track performance and enhance the customer experience – without compromising on security. Among the uses to which it is typically put are:
Fraud detection/prevention: Using real-time monitoring of merchant transactions, banks can better spot when a customer account has been compromised or is being used suspiciously.
Risk management: Predictive AI can analyze historical client data to empower banking staff to make better informed investment and lending decisions. Or they can use it more generally to model risk across day-to-day operations and liquidity (eg cash flow or bad loans).
Tracking sales performance: Including how many and what type of products are sold to customers, how revenue-per-customer looks across various channels, and analysis of cashflow in the business.
Demand-side management: This might include the performance of marketing efforts and predictions around customer lifetime value, as well as predictive analytics detailing customer behaviors, which can feed into product/service personalization efforts.
Financial institutions must typically focus on optimizing their use of data in these ways, whilst maintaining their day-to-day operations – things like processing payments, deposits and loans, opening accounts and much more. There are large volumes of potentially sensitive information to secure here – not just personally identifiable information (PII) such as names and bank account/card numbers, but also business information including IP, and possibly even critical government data.
The regulatory mandate
Financial services companies must do all of this against a backdrop of numerous regional and industry-specific rules and regulations. These might include:
PCI-DSS – The Payment Card Industry Data Security Standard applies to any organization that stores, processes or transfers payment card data. Heavy fines may apply of $5,000 to $100,000 per month for non-compliance.
PSD2 – Europe’s Second Payments Services Directive regulates electronic payments with strict rules for the protection of customers’ private data. Penalties for non-compliance could reach €20m or 4% of annual revenue, whichever is higher.
GDPR – the EU General Data Protection Regulation gives regulators the power to fine organizations that fail to secure customer/employee PII – up to €20m or 4% of annual revenue, whichever is higher.
FFIEC – in the US, the Federal Financial Institutions Examination Council (FFIEC) has strict and mandatory information security guidelines for all federally supervised financial institutions and their subsidiaries. Fines can reach up to $2m.
The regulatory landscape in financial services is part of the reason why data breach costs here are among highest of any sector. In fact, they were second only to healthcare in 2023, with the average financial services sector breach costing $5.9m.
The role of data-centric security
The challenge for financial institutions is that today they’re likely to run highly complex IT environments that span on-premises, private and public cloud systems. That’s because data often needs to be shifted to cloud-based analytics platforms running on data lakes, warehouses or lakehouses, in order to extract business value from it.
Against this backdrop, banks need data-centric security solutions that:
- Can discover data wherever it exists across the hybrid cloud
- Automatically and continuously protect it according to policy, wherever it is and wherever it flows to
- Support utility alongside strong data protection, so the data can still be analyzed and used to drive competitive advantage
- Enable third-party data sharing if necessary to add business value without compromising on security
- Overcome data sovereignty obstacles by protecting data and ensuring that only compliant data is transmitted across jurisdictions
- Include role-based access controls for added security
This is the value of comforte’s Data Security Platform, which also enables financial services firms to meet the strict requirements of PCI DSS 4.0 – around protection, access controls, configurations and audits. Comforte ensures primary account numbers (PANs) are unreadable wherever they're stored, either through encryption or tokenization.