Security and Privacy in Financial Services: Q&A Addressing Top Concerns

 

By Ed Page, Managing Director
Technology Consulting, Financial Services

and Andrew Retrum, Managing Director
Security and Privacy

 

Global cybersecurity risk has never been higher, especially at financial institutions, which are often targeted for their high-value information. Earlier this year, Protiviti published its 2017 IT Security and Privacy Survey, which found a strong correlation between board engagement and effective information security, along with a general need to improve data classification, policies and vendor risk management.

We sat down with our colleagues Scott Laliberte, Managing Director in our Cybersecurity practice, and Adam Hamm, Managing Director, Risk and Compliance, to discuss how these overall findings compared to those specific to the financial services segment, and why the financial services industry differed from the general population in some aspects. We outlined the comparisons in a recently published white paper. What follows is a sampling of some of the questions we addressed, with a brief summary of the answers. For a more detailed analysis and more data specific to the industry, we recommend downloading the free paper from our website.

Q: What are the top IT security and privacy-related challenges facing financial services firms today?

A: Disruptive technologies, third party risk, shadow IT — systems and solutions built and used inside the organization without explicit organizational approval — and data classification, are top concerns, not only for FSI firms but for survey respondents generally.

Data classification is a particularly challenging and important issue for the financial services industry — both from security and compliance perspective. We often talk about “crown jewels” — data that warrants greater protection due to its higher value. Establishing effective data classification and data governance are multi-year efforts for most institutions, and they must be consistently managed and refreshed. And, the difficulty of these efforts are compounded by the unique complexity of financial systems. Naturally, financial services forms are slightly ahead in the data classification game than their counterparts in other industries, due to their more acute awareness and ongoing and focused efforts, but they still have a long way to go.

Q: Boards of directors of financial firms are more engaged and have a higher understanding of information security risks affecting their business compared to other industries. What does this tell you about the level of board engagement at financial institutions?

A: Financial institutions are being attacked and breached more often than companies in other industries due to the high value of their information. As a result, regulators have been pushing boards at financial services firms to become more aware of and involved in cyber risk management. The Gramm-Leach-Bliley Act (GLBA), as well as guidance from the Federal Financial Institutions Examination Council (FFIEC), both encourage regular cyber risk reporting to the board and management. The New York Department of Financial Services similarly requires that CISOs at insurance companies provide a report to the board on the cyber program and material cyber risks of the company, at least annually. As we noted in the beginning, our survey found a strong correlation between board engagement and cybersecurity maturity in all organizations — so the higher involvement of financial services firms’ boards bodes well for their companies’ cybersecurity, provided directors get actively engaged with management on this topic.

Q: Over half of financial services respondents to the survey said they were “moderately confident” they could prevent a targeted external attack by a well-funded attacker. Is this an accurate assessment of most financial institutions?

A: Given that the probability of a cyber attack on a financial institution has become a matter of “when,” rather than “if,” we would not expect any institution to have a high — or even moderate — degree of confidence. It may be a measure of false confidence that so many organizations think they can prevent an attack. The onus is now on firms to assume that an attack is likely, and be prepared to limit its impact.

Q: Most financial services respondents indicated that they were working with more big data for business intelligence compared to last year. What should firms be concerned about with regard to their growing use of big data?

A: Big data includes both structured and unstructured data, which is more difficult to classify. Firms may also be dealing with new technologies with different security characteristics as well as more data distributed in the cloud. All of these factors complicate data management for financial institutions. As financial institutions rely more on big data, it is critical that they know what data to protect, its location and all of the places it might travel over its lifecycle in the system. Just as important is the need to control access to data and to protect the integrity of that data as more users interact with it for a growing number of reasons.

Q: More and more firms are using third parties to access better services and more advanced technology, but are financial institutions doing enough to counter new risks arising from third parties, such as partnerships with fintech companies?

A: Financial institutions are digital businesses, with more and more capabilities provided via mobile devices and through partnerships with financial technology, or fintech, companies. Many fintechs are small startup organizations that may lack the rigor and discipline of a traditional financial services firm. While innovation is necessary to compete in today’s fast-paced world, organizations need to take appropriate steps to ensure there are appropriate controls in place, and test those controls to minimize risk from third parties.

The full paper goes into significantly more detail on these and other questions than the abstract provided here, and presents the perspective of both security and risk and compliance experts. Let us know if you find it helpful.

New Protiviti Study – Assessing the Top IT Priorities for 2015

Protiviti has released another major research report today – this one details the findings from our annual IT Priorities Survey of CIOs and IT executives and professionals.

Infographic-2015-IT-Priorities-Survey-Protiviti We’ll be exploring some of the key themes that came out of this study, including cybersecurity concerns, in the weeks ahead. For now, I invite you to view our video and infographic here. Please visit our survey landing page for more information and a downloadable copy of our report: www.protiviti.com/ITpriorities.

Jim

 

 

 

 

 

Is Your Data Safe and Are You Sure?

Cal Slemp mug

 

 

by Cal Slemp, Protiviti Managing Director
Leader – Security Program, Strategy and Policy Practice

Data is the lifeblood of any organization, fueling nearly every aspect of operations. But with reports of cyberattacks and data breaches making headlines routinely, the question needs to be asked:

Is your business really safe?

There is no better time than now to assess whether you have the protections you want in place to protect your information and data and, equally important, whether your organization is prepared to respond to a crisis.

Protiviti professionals have performed data security fieldwork for decades, and Protiviti has formally surveyed the cybersecurity landscape for the past 3 years. We’ve identified recurring issues among organizations that threaten to compromise their data and privacy security. To best protect your organization, here are a few key safety measures:

  • Classify data. Not all data is made equal. Some is useful or valuable, and some is critical. Companies should identify their most critical data – the “crown jewels” – and classify it accordingly so its protection can be addressed first. Protiviti’s 2014 IT Security and Privacy Survey indicates developments in data classification that are both positive and negative: While more organizations are becoming aware of the concept of data classification (“don’t know” responses to the question whether the organization has a classification scheme and policy in place dropped almost in half), a full one-third of organizations surveyed admit they have not yet performed such classification. This is a rise from 20 percent in 2013. Let’s hope this high number is tied to the increased awareness and that these companies tackle the complex but important task of data classification soon. With a clear data classification scheme and policy, those companies will be able to identify types of data (sensitive, confidential, non-sensitive, public, etc.) and allocate security resources accordingly.
  • Only keep what you need. Companies should adhere to the principle “If you don’t need it, don’t store it.” Not only is retaining all data and records inefficient and costly, it exposes your organization to a greater security risk and liability. Instead, companies should “stratify” data based on importance and type and then assign appropriate retention periods for each “stratum” according to regulatory and legal requirements, as well as industry- or company-defined standards. What’s alarming is the increase in the number of organizations that fail to adhere to this practice. 17 percent of respondents to our survey acknowledged retaining all data and records without a defined destruction date – up from 9 percent in 2013.
  • Make sure your cloud is safe. Although relatively few organizations are currently moving sensitive information to the cloud, Protiviti’s survey did document a significant year-over-year jump in the use of cloud-based vendors: 8 percent versus 3 percent in 2013. By comparison, 64 percent of respondents said they store sensitive data on on-site servers. For those choosing a cloud-based service, it’s critical to focus on terms and conditions and understand the information security standards that will be used. Many companies are discovering that cloud-based vendors are holding more data than they were contracted to store, potentially escalating risk. A related focus must be to ensure that the physical processing and storage of specific sensitive data is done in concert with established data privacy regulations.
  • Minimize legal exposure with information security policies. In the United States, almost every state has data privacy laws that impose penalties on organizations that expose confidential data. Nearly all of these laws, however, provide for leniency if the organization that suffers a data breach had a written information security policy (WISP) and a data encryption policy in place. Naturally, these policies should be well-communicated and understood by your employees and business partners. The value of such policies, aside from reducing legal liability, is obvious. But shockingly, one-third of respondents in the 2014 Protiviti survey acknowledged not having a WISP, and 41 percent had no data encryption policy.
  • Perform regular fire drills. Even the most secure organizations cannot expect to prevent all breaches. That’s why it’s critical for a company to have a documented crisis response plan, in which everyone involved knows what to do, and the ability to implement this plan quickly in the event of a crisis or cyberattack. Organizations with robust security protocols involve various senior management members, including the CIO, in their crisis response planning to bring different critical perspectives to the process and ensure an effective response. Again, it’s troubling to note that only 56 percent of respondents in our 2014 survey said they had a crisis response plan. Best practice calls for an annual risk assessment and testing of the response plan every six months.

With high-profile breaches making headlines almost daily, it is becoming clear that a security incident is not a matter of “if” but rather, “when.” With so much at stake, isn’t it best to be prepared?

Author’s note: I want to thank SingleHop for providing information to us as part of National Cybersecurity Awareness Month (NCSAM) in October. For more information, visit www.singlehop.com.

Just-Released Insights on IT Security and Privacy – Board Engagement, Cyber Threats and More

I am pleased to announce that Protiviti released the results of its 2014 IT Security and Privacy Survey today. Our report contains some highlInfographic-2014-IT-Security-Privacy-Survey-Protivitiy noteworthy findings that we’ll be discussing in greater detail in future entries. For now, let me share the key highlights with you:

  1. Board engagement is a key differentiator in the strength of IT security profiles.
  2. There remains a surprising lack of key “core” information security policies.
  3. Organizations lack high confidence in their ability to prevent a cyberattack or data breach (which isn’t a surprise given previous entries we’ve posted on this blog!).
  4. Not all data is equal: Companies can’t protect everything – designating a subset of their data deemed most critical will help with their data security measures, yet many aren’t doing this.
  5. Many are still unprepared for a crisis.

Visit www.protiviti.com/ITSecuritySurvey for more information and to obtain a complimentary copy of our report. And view our video below.

Today’s IT Organization – Delivering Security, Value and Performance Amid Major Transformation

Today, Protiviti released the results of its 2014 IT Priorities Survey, and in it, there are some remarkable findings. Indeed, if there is one word to describe the state of IT organizations in 2014, it is transformation.

We found that nearly two out of three organizations are undergoing a major IT transformation. Consider the change and disruption this undoubtedly is creating within IT organizations, and it’s understandable to see why – as we found in our survey of more than 1,100 CIOs, IT executives and IT professionals – they have scores of significant priorities and likely are being pulled in multiple directions to address countless critical challenges. To no one’s surprise, these results show that IT is fundamental to executing the strategy of just about any company.

Take a look at our infographic:

Infographic-2014-IT-Priorities-Survey-Protiviti

Among the other key findings from our IT study:

  • Enhancing and protecting business value – The integration and alignment of IT planning and business strategy represents a paramount priority. In fact, enhancing and protecting the value of the organization – via data security as well as other IT risk management and business continuity capabilities – is top-of-mind not only for IT organizations, but also for their organizations’ boards and executive management teams.
  • All eyes are on security – Massive security breaches continue, with some organizations being questioned by congressional committees in recent months. More than ever before, this has IT departments – as well as boards and executive management – on edge, on notice and, in some cases, testifying under oath. Strengthening privacy and security around the organization’s systems and data is now a top priority across all industries. No organization is immune to this threat.
  • Managing and classifying all that data – As the need for stronger information security intensifies, CIOs and IT professionals are seeking out more effective ways to stratify the importance of the information they have, and organize and secure the growing volume of data they must manage.
  • Strengthening IT asset – and data – management – Companies are seeking to improve their data and information governance programs, a need no doubt driven by the growing use of mobile devices and applications, social media, and the continued integration of cloud computing into IT strategy and processes.
  • More mobile, more social – Mobile commerce management, mobile security and mobile integration remain focal points for IT departments in 2014, even as security-related priorities compete for their time and resources. A similar trend holds for social media, as organizations continue to rely on IT to support their investment in social media activities while improving the integration of these capabilities with other IT assets.

Let me know your thoughts on these IT challenges. And I invite you to visit our survey site at http://www.protiviti.com/ITpriorities for more information and a free copy of our report.