Financial institutions face a long list of compliance obligations when it comes to business data. Meeting those obligations is far from assured, however, in an age of cloud services, employees working from home and rapid digital change.
A bevy of regulations raise the data security stakes for financial institutions. The specific rules vary by jurisdiction and market, but many firms must contend with the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), as well as industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).
Yet more than 40 percent of security professionals and business leaders are not confident that they have adequate controls in place to secure their data properly, according to a recent study by PricewaterhouseCoopers (PwC). If you are reading this article, you are probably one of them.
Financial institutions must guard against many data compliance risks, but five stand out. These are the risks that demand attention, and systems for minimizing them, above all others.
Risk #1: Incomplete Data Classification
Financial data compliance starts with proper classification. Automated compliance procedures and appropriate access restrictions are only possible if data that falls under regulatory jurisdiction is correctly identified and tagged. Without robust and complete data classification, financial firms cannot track and control regulated data, enable quarantining, apply legal hold or archive according to regulatory mandates.
Despite the importance of data classification, a recent study found that more than 52 percent of data within the typical organization goes unclassified.
This is largely because much of the work employees do with sensitive data happens outside strictly controlled services such as databases or SaaS applications. Knowledge workers spend a lot of time downloading, manipulating and re-uploading unstructured data as they move between applications. This swivel-chair workflow creates inadvertent but dangerous compliance and security risk for an organization.
Financial firms usually have a classification procedure in place for obviously regulated data such as bank account information and personally identifiable information (PII), but there is room for regulated data to leak if those procedures do not cover all data within the organization and classify it in real time.
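What "correctly identified and tagged" looks like in practice for unstructured text is a content scanner that pairs loose patterns with validation, so that a 16-digit ticket number is not tagged as a card number. The following is an added example written for this article, not Qostodian's or any vendor's code: it finds card PANs (confirmed with the Luhn check), IBANs (confirmed with the ISO 13616 mod-97 check), US SSNs and email addresses in a document, maps each kind to a regulation and assigns a handling label. The regime mapping, the three labels and the sample documents are assumptions chosen for illustration, not any institution's real policy.

```python
"""Content-based classifier for regulated data in unstructured text.

Added example for this article; not Qohash's or Qostodian's code.
The REGIMES mapping, the labels and the sample documents are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hypothetical policy: which regulation each kind of finding falls under.
REGIMES = {
    "pan": ("PCI DSS",),
    "iban": ("GLBA",),
    "ssn": ("GLBA", "CCPA"),
    "email": ("GDPR", "CCPA"),
}

# Deliberately loose candidate patterns. Every hit except email is then
# confirmed by a checksum or structural rule, which keeps false positives down.
PATTERNS = {
    "pan": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    redacted: str  # the raw value never goes into tags or logs


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: rejects most digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must leave remainder 1."""
    rearranged = iban[4:] + iban[:4]
    as_number = "".join(str(int(c, 36)) for c in rearranged)
    return int(as_number) % 97 == 1


def ssn_ok(ssn: str) -> bool:
    """Structural rules: area 000, 666 and 900-999 are never issued;
    group 00 and serial 0000 are invalid."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"


VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "pan": luhn_ok, "iban": iban_ok, "ssn": ssn_ok, "email": lambda v: True,
}


def normalize(kind: str, raw: str) -> str:
    """Strip the spaces and hyphens people type into card and account numbers."""
    return re.sub(r"[ -]", "", raw) if kind in ("pan", "iban") else raw


def redact(value: str) -> str:
    """Keep only the last four characters, enough to reconcile a finding."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def find_regulated(text: str) -> List[Finding]:
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = normalize(kind, match.group(0))
            if VALIDATORS[kind](value):
                findings.append(Finding(kind, redact(value)))
    return findings


def classify(text: str) -> dict:
    """Label a document and list the regimes it falls under (assumed policy)."""
    findings = find_regulated(text)
    kinds = {f.kind for f in findings}
    if kinds & {"pan", "iban", "ssn"}:
        label = "restricted"
    elif kinds:
        label = "confidential"
    else:
        label = "public"
    regimes = sorted({r for k in kinds for r in REGIMES[k]})
    return {"label": label, "regimes": regimes, "findings": findings}


if __name__ == "__main__":
    # Constructed sample documents; the card, IBAN and SSN are standard test values.
    samples = [
        "Card on file 4111 1111 1111 1111, contact jane.doe@example.com",
        "Ticket 4111 1111 1111 1112 opened by ops",  # fails Luhn: not a PAN
        "Wire to GB82 WEST 1234 5698 7654 32 for invoice 7731",
        "Applicant SSN 078-05-1120, reference 000-12-3456 is a placeholder",
        "Quarterly newsletter draft, nothing sensitive here.",
    ]
    for doc in samples:
        result = classify(doc)
        print(result["label"], result["regimes"], [f.redacted for f in result["findings"]])
```

The point of the two-stage design is the second sample: a regex alone would tag the ticket number as a card number and the document as PCI-scoped, while the Luhn check drops it. In a real deployment the scanner would run over file shares, mailboxes and endpoint drives, write the label and regimes back as metadata, and feed access control and legal-hold tooling from those tags rather than from the raw values.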
Risk #2: Shadow IT
While the term sounds shady, most shadow IT within an organization occurs because well-intentioned employees augment IT systems or create workarounds as a means to drive efficiency and get more done. A spreadsheet might be uploaded to Google Drive for easier access while working from home, or a personal mobile device might be used for capturing information during a client meeting.
Even though the intentions behind shadow IT may be benign, its effects are not. Unauthorized software and systems pose a significant risk of compliance violation because data accessed or stored in them falls outside the institution's visibility and controls. Further, shadow IT is not vetted for appropriate security controls. These systems might be secure, but they also might not.
Typically, financial institutions enforce strict policies against the use of unauthorized devices and software applications. Nevertheless, these technologies find their way into corporate organizations, introducing compliance and security risk.
Risk #3: Poor Digital Hygiene
A related but distinct compliance risk for financial institutions is sloppy digital habits among employees.
In the normal course of business, employees create or come into contact with sensitive corporate data, some of it regulated. While most of this data stays within secure IT systems, employees sometimes save it in inappropriate places or sidestep specified security protocols through carelessness or expediency. A cell from a spreadsheet is pasted outside company systems, for instance, or a file is moved to a local hard drive and not deleted afterward. Or an employee keeps a local copy of a regulated document they have created before uploading it to a company account.
Poor digital hygiene gives employees wide scope to create a data compliance violation unintentionally, especially with the vast majority of employees working from home for the first time as a result of the Covid-19 pandemic. Working from home may keep employees safe, but it does the opposite for data compliance.
Risk #4: Social Engineering
At the other end of the scale, where malicious intent is involved, is social engineering: a data compliance risk in which employees are tricked into revealing login credentials or granting system access that leads to a data breach. Social engineering takes many forms, including phishing scams, malicious code on attacker-controlled websites and business email compromise (BEC), where an employee believes they are corresponding with someone within the company when they are not.
Social engineering is so effective for cybercriminals that it is the leading cause of data breaches globally, according to breach data published by Verizon.
Financial firms already know that social engineering is a problem, but knowing does not make it much less of a compliance problem. Bangladesh Bank lost $81 million to fraudulent SWIFT transfers in 2016 after attackers used it to gain a foothold in the bank's network. Social engineering is hard to defend against because it preys on human error.
Risk #5: Unauthorized Data Sharing
Finally, a fifth significant data compliance risk for financial institutions is the unauthorized sharing of regulated data.
Regulated data can escape a company in many ways. Employees can share it unintentionally through email forwards or in data buried in conversation threads. APIs can expose it to partner organizations or to the public at large. Authorized third parties can be granted access to more data than they should have, and software on employee devices can expose it to other users or systems.
There are a number of ways that access to a financial institution's regulated data can spread beyond the list of authorized users. Unfortunately, it takes only one such exposure to create a compliance violation.
Addressing these compliance risks can take many forms. One effective solution is Qostodian Recon™, a cloud-based data discovery and classification platform that monitors data on corporate networks, public cloud resources and even employee personal computers. Qostodian™ can also help classify data and provide AI-assisted predictions about compliance threats before they materialize.