5 Risks to Watch With Financial Data Compliance


Financial institutions face a laundry list of compliance obligations when it comes to business data. Meeting these obligations is far from assured in the age of cloud services, employees working from home and rapid digital change, however.

A bevy of regulations raise the data security stakes for financial institutions. Specific regulations vary according to jurisdiction and market, but many firms must contend with the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) and industry-led standards such as the Payment Card Industry Data Security Standard (PCI DSS).

Yet, more than 40 percent of security professionals and business leaders are not confident that they have adequate controls in place for properly securing their data, according to a recent study by PricewaterhouseCoopers (PwC). If you’re reading this article, you are probably one of them.

There are many data compliance risks that financial institutions must protect against, but five stand out. These are the risks that absolutely require attention, and systems in place to minimize them.

Risk #1: Incomplete Data Classification

Financial data compliance starts with proper classification. Automated compliance procedures and appropriate access restrictions are only possible if data that falls under regulatory jurisdiction is correctly identified and tagged. Without robust and complete data classification, financial firms cannot track and control regulated data, enable quarantining, apply legal hold or archive according to regulatory mandates.

Despite the importance of data classification, a recent study found that more than 52 percent of data within the typical organization goes unclassified.

This is largely because much of the work employees do with sensitive data happens outside strictly controlled services such as databases or SaaS applications. Knowledge workers spend a lot of time downloading, manipulating and uploading unstructured data between applications. Each hop between browser tabs and local files is a point where regulated data can land somewhere it is no longer tracked, creating inadvertent but dangerous compliance and security risk for the organization.


Financial firms usually have a classification procedure in place for obviously regulated data such as bank account information and personally identifiable information (PII), but regulated data can still leak if those classification procedures do not cover all data within the organization and classify it in real time, as it is created and moved.
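To make the classification step concrete, here is an added example (not Qohash's code and not part of the original article) of a small content-based classifier in Python. It scans free text of the kind employees paste into spreadsheets and documents, looks for payment card numbers (validated with the Luhn checksum so that random digit runs such as order numbers are not tagged), plus two illustrative PII patterns, and assigns each document a label. The patterns, labels and masking policy are assumptions for illustration, not a complete set of regulated-data detectors.

```python
"""Minimal content-based classifier for regulated financial data.

Added example, not Qohash/Qostodian code. The regexes, labels and the
first-six/last-four masking policy are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common 3-2-4 dashed form (illustrative PII pattern).
SSN_PATTERN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# IBAN-like token: country code, two check digits, 11-30 alphanumerics.
IBAN_PATTERN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so findings can be stored/reported
    without retaining the full PAN (an assumed masking policy)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return the normalized (digits-only) card numbers that pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Classification:
    label: str                                  # "internal", "pii" or "pci"
    findings: dict = field(default_factory=dict)


def classify(text: str) -> Classification:
    """Tag a document: card data outranks other PII, which outranks nothing found."""
    findings = {}
    pans = find_pans(text)
    if pans:
        findings["pan"] = [mask(p) for p in pans]   # never keep the full PAN
    ssns = SSN_PATTERN.findall(text)
    if ssns:
        findings["ssn"] = len(ssns)
    ibans = IBAN_PATTERN.findall(text)
    if ibans:
        findings["iban"] = len(ibans)
    if "pan" in findings:
        label = "pci"
    elif findings:
        label = "pii"
    else:
        label = "internal"
    return Classification(label, findings)


if __name__ == "__main__":
    # Constructed sample: a valid Visa test number, an order number that is
    # sixteen digits but fails Luhn, and one SSN-shaped value.
    sample = "Customer card 4111 1111 1111 1111, order 1234567890123456, SSN 123-45-6789"
    print(classify(sample))
```

The Luhn check is the practitioner's caveat here: a digits-only regex would tag the order number too, and a classifier that cries wolf on every sixteen-digit value gets switched off. Storing only the masked number in the finding also matters, since the classification inventory itself should not become a new store of full card numbers.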

Risk #2: Shadow IT

While the term sounds shady, most shadow IT within an organization occurs because well-intentioned employees augment IT systems or create workarounds as a means to drive efficiency and get more done. A spreadsheet might be uploaded to Google Drive for easier access while working from home, or a personal mobile device might be used for capturing information during a client meeting.

Even though the intentions behind shadow IT might be benign, the effects are not. Unauthorized software and systems pose a significant risk of compliance violation because data accessed or stored in them falls outside the financial institution's watch. Further, shadow IT is not vetted for appropriate security controls. These systems might be secure, but they also might not.

Typically, financial institutions enforce strict policies against the use of unauthorized devices and software applications. Nevertheless, these technologies find their way into corporate organizations, introducing compliance and security risk.

Risk #3: Poor Digital Hygiene

A related but distinct compliance risk for financial institutions is sloppy digital habits among employees.

In the normal course of business, employees typically create or come in contact with sensitive corporate data, some of it regulated. While the majority of this data stays within secure IT systems, sometimes employees might save data in inappropriate places or sidestep specified security protocols through carelessness or expediency. A cell in a spreadsheet is copied outside company systems, for instance, or a file is moved to a local hard drive and then not deleted afterward. Maybe an employee keeps a local copy of a regulated document they’ve created before uploading it to a company account.

There's wide scope for employees to create a data compliance violation unintentionally through poor digital hygiene, especially with so many employees working from home for the first time as a result of the COVID-19 pandemic. The work-from-home trend might keep employees safe, but it does the opposite for data compliance.

Risk #4: Social Engineering

On the other end of the malicious intent scale is social engineering, a data compliance risk where employees are tricked into revealing login credentials or granting system access that leads to a data breach. There are a variety of social engineering techniques, including phishing scams, malicious code served from dangerous websites and business email compromise (BEC), where an employee believes they are corresponding with a colleague or executive when they are not.

Social engineering is such an effective method for cybercriminals that it is the leading cause of data breaches globally, according to breach data published by telecommunications and data security provider Verizon.

Financial firms already know that social engineering is a problem, but knowing this does not make it much less of a compliance problem. Bangladesh Bank suffered an $81 million SWIFT fraud attack because of it several years ago. Social engineering is hard to protect against because it preys on human error rather than on a technical flaw that can be patched.

Risk #5: Unauthorized Data Sharing

Finally, a fifth significant data compliance risk for financial institutions is the unauthorized sharing of regulated data.

Regulated data can escape a company in many ways. Employees can share it unintentionally through email forwards or data buried in conversation threads. APIs can expose regulated data to partner organizations or the public at large. Authorized third parties can be granted access to more data than they should, or employee devices can contain software that exposes regulated data to other users or systems.

There are a number of ways that access to a financial institution's regulated data can migrate outside the list of authorized users. Unfortunately, it takes only one such exposure to create a compliance violation.

Addressing these compliance risks can take many forms. One effective solution is Qostodian Recon™, a cloud-based data discovery and classification platform that monitors data on corporate networks, public cloud resources, and even employee personal computers. Qostodian™ can also help classify data and provide AI-assisted predictions about compliance threats before they materialize.


