2018 Finance Trends: Security, Privacy and Governance of Finance Data Are Top Concerns, for Good Reason

Ken Thomas, Managing Director Business Performance Improvement
Scott Laliberte, Managing Director Technology Consulting – Security and Privacy

Data security and privacy is receiving a lot of attention at the highest levels of organizations these days. Boards are asking about it, executive management is concerned about it, and a growing number of regulations are placing demand on organizations to respond and comply appropriately.

We are not surprised then that finance data security and privacy ranked as the top priority for the finance function in Protiviti’s 2018 Finance Trends Survey Report. To better understand why, it is important to put the survey results in context:

  • Companies are dealing with data, of all kinds, in unprecedented volume.
  • That data is coming in from a variety of internal and external sources making it difficult for many organizations to know definitively where this data is coming from, how it flows, and how it is governed.
  • Many finance organizations don’t have a clear picture of who is looking at their data, or who is collecting it — internally or externally — and for what purposes.

The growing concern also comes at a time of increasing demand for financial application data among cyber attackers. These malicious actors have seen the value of stolen personal information fall with market saturation and the implementation of security measures, such as credit monitoring services, that make it harder to monetize stolen identities. So hackers are looking to monetize their attacks in other ways. That may include fraudulent financial transactions, such as the $81 million theft from the Bangladesh Bank central account at the New York Federal Reserve Bank that alerted SWIFT to a global scheme to access the 11,000-bank network through individual workstations at member banks. It could also mean stealing non-public financial information and using it to make better stock trades, as was the case with the 2016 infiltration of the U.S. Securities and Exchange Commission’s EDGAR electronic filing system.

Even foreign governments are getting in on the act, seeking to gain economic and political advantage by disrupting rival countries. That was the case in 2017, when an attack originating in Ukraine paralyzed cloud-based supply chain software networks, disrupting banks and logistics companies.

The exposure is vast and getting bigger every day, with increasingly dire financial and reputational implications. Maintaining a secure financial application environment is critical — but at what cost? There is no magic number. Each company needs to conduct its own thorough enterprise risk assessment and invest accordingly. Organizations that fail to conduct such an assessment and continue to approach this challenge solely from an IT perspective risk pouring their money into a bottomless hole while continuing to fall victim to ever more inventive and sophisticated attacks.

We recommend using a robust risk assessment methodology, such as FAIR, which uses a quantifiable risk assessment method; as well as iterative random Monte Carlo simulations to really look at risk levels and the factors that go into risk related to security and privacy. Only then can an organization begin to make intelligent decisions around where to invest in data security and what type of controls it needs to implement to achieve the desired risk reduction results.

Finally — and this is important — financial data in the cloud is definitely an area to be scrutinized and assessed from a risk perspective. Too many organizations assume they can rely on their cloud or SaaS provider to have all necessary controls in place. That is simply not the case. Although a shift to the cloud seems inevitable, and many cloud providers do advertise security features, it is important for companies to recognize that in the eyes of regulators and the law, they are responsible for any data entrusted to them, regardless of where that data may reside.

The times are changing, but the principles of good data governance still apply. By deploying a quantifiable risk assessment methodology, a robust control framework and talent with the right skill set to manage data security from a risk perspective, companies can avoid the embarrassment and financial harm that has befallen so many others.

Add comment