Security and Privacy in Financial Services: Q&A Addressing Top Concerns


By Ed Page, Managing Director
Technology Consulting, Financial Services

and Andrew Retrum, Managing Director
Security and Privacy


Global cybersecurity risk has never been higher, especially at financial institutions, which are often targeted for their high-value information. Earlier this year, Protiviti published its 2017 IT Security and Privacy Survey, which found a strong correlation between board engagement and effective information security, along with a general need to improve data classification, policies and vendor risk management.

We sat down with our colleagues Scott Laliberte, Managing Director in our Cybersecurity practice, and Adam Hamm, Managing Director, Risk and Compliance, to discuss how these overall findings compared to those specific to the financial services segment, and why the financial services industry differed from the general population in some aspects. We outlined the comparisons in a recently published white paper. What follows is a sampling of some of the questions we addressed, with a brief summary of the answers. For a more detailed analysis and more data specific to the industry, we recommend downloading the free paper from our website.

Q: What are the top IT security and privacy-related challenges facing financial services firms today?

A: Disruptive technologies, third-party risk, shadow IT — systems and solutions built and used inside the organization without explicit organizational approval — and data classification are top concerns, not only for FSI firms but for survey respondents generally.

Data classification is a particularly challenging and important issue for the financial services industry, from both a security and a compliance perspective. We often talk about “crown jewels” — data that warrants greater protection due to its higher value. Establishing effective data classification and data governance are multi-year efforts for most institutions, and they must be consistently managed and refreshed. And the difficulty of these efforts is compounded by the unique complexity of financial systems. Naturally, financial services firms are slightly ahead of their counterparts in other industries in the data classification game, due to their more acute awareness and ongoing, focused efforts, but they still have a long way to go.

Q: Boards of directors of financial firms are more engaged and have a higher understanding of information security risks affecting their business compared to other industries. What does this tell you about the level of board engagement at financial institutions?

A: Financial institutions are being attacked and breached more often than companies in other industries due to the high value of their information. As a result, regulators have been pushing boards at financial services firms to become more aware of and involved in cyber risk management. The Gramm-Leach-Bliley Act (GLBA), as well as guidance from the Federal Financial Institutions Examination Council (FFIEC), both encourage regular cyber risk reporting to the board and management. The New York Department of Financial Services similarly requires that CISOs at insurance companies provide a report to the board on the cyber program and material cyber risks of the company, at least annually. As we noted in the beginning, our survey found a strong correlation between board engagement and cybersecurity maturity in all organizations — so the higher involvement of financial services firms’ boards bodes well for their companies’ cybersecurity, provided directors get actively engaged with management on this topic.

Q: Over half of financial services respondents to the survey said they were “moderately confident” they could prevent a targeted external attack by a well-funded attacker. Is this an accurate assessment of most financial institutions?

A: Given that the probability of a cyber attack on a financial institution has become a matter of “when,” rather than “if,” we would not expect any institution to have a high — or even moderate — degree of confidence. It may be a measure of false confidence that so many organizations think they can prevent an attack. The onus is now on firms to assume that an attack is likely, and be prepared to limit its impact.

Q: Most financial services respondents indicated that they were working with more big data for business intelligence compared to last year. What should firms be concerned about with regard to their growing use of big data?

A: Big data includes both structured and unstructured data, which is more difficult to classify. Firms may also be dealing with new technologies with different security characteristics as well as more data distributed in the cloud. All of these factors complicate data management for financial institutions. As financial institutions rely more on big data, it is critical that they know what data to protect, its location and all of the places it might travel over its lifecycle in the system. Just as important is the need to control access to data and to protect the integrity of that data as more users interact with it for a growing number of reasons.

Q: More and more firms are using third parties to access better services and more advanced technology, but are financial institutions doing enough to counter new risks arising from third parties, such as partnerships with fintech companies?

A: Financial institutions are digital businesses, with more and more capabilities provided via mobile devices and through partnerships with financial technology, or fintech, companies. Many fintechs are small startup organizations that may lack the rigor and discipline of a traditional financial services firm. While innovation is necessary to compete in today’s fast-paced world, organizations need to take steps to ensure that appropriate controls are in place, and to test those controls to minimize risk from third parties.

The full paper goes into significantly more detail on these and other questions than the abstract provided here, and presents the perspective of both security and risk and compliance experts. Let us know if you find it helpful.

Retailers, Tech Firms and Financial Services Providers: It’s Time to Shape the Future of Mobile Payments — Are You Ready?

By Gordon Tucker, Managing Director, Technology, Media and Communications Industry Leader; Rick Childs, Managing Director, Consumer Products and Services Industry Leader; and Jason Goldberg, Director, Financial Services Business Performance Improvement


The global mobile payments market is projected to reach US$780 billion by the end of 2017, according to research firm TrendForce. That figure seems impressive until you consider that the ability to pay for goods and services with a mobile device has been a reality for years. It’s been nearly a decade since Starbucks, one of the biggest mobile payments success stories to date, launched its app and rewards program. And recent research by the Mobile Economic Forum found that one-fifth of global consumers have made a mobile payment in-store. Given the exponential growth in smart device innovation and adoption over the past decade and consumers’ inherent desire for convenience and speed when making a purchase, it is logical to think that the mobile channel would dominate as the avenue for payments by now. It’s where we’re headed, to be sure. But some formidable obstacles have been impeding the growth of the industry, such as:

  • Persistent concerns about fraud, privacy and security: Even though most consumers are aware of “digital wallets” — apps on smartphones that store credit card information and facilitate mobile payments — many remain wary of the risks. Fraud has been a problem, with weak authentication practices and identity theft at the root of many incidents — including those involving well-known brands like Apple Pay and Samsung Pay.

Consumers also worry about how companies are collecting and using data, including purchasing history and even geolocation. How and if that sensitive information is being protected from hackers is yet another concern. Tokenization helps to secure valuable transaction data, but data stored in digital wallets or merchants’ payment systems may still be vulnerable. Also, new entrants to the market may lack the security sophistication needed to protect sensitive data from compromise.

  • Bad timing: When solutions like Apple Pay, Google Wallet and Android Pay were being rolled out by mobile manufacturers and tech providers a few years ago, EMV chip card technology was also hitting the market. Retailers were initially confused, and frustrated, about whether to adopt mobile payments or EMV chip card technology. Most prioritized the latter. Now, adoption of that technology is near-universal in retail, even though EMV chip card transactions are slower than mobile payments or even traditional credit card payments.
  • Lack of a consistent experience: Merchants of all types have been racing to launch their own digital wallets. But it is unlikely that many will achieve long-term success with their ventures because consumers are already overwhelmed by choice in the market. Plus, these offerings are diverse, which means the mobile payments experience for consumers also varies. That works against efforts by retailers and the mobile payments industry to engage consumers and convince them to pay with their smart devices at every opportunity. And there’s another ingredient for mobile payments success that not all retailers can capture: A key reason that apps from brands like Starbucks, Taco Bell and Dominos are so popular is that consumers do business with these retailers frequently — sometimes daily.
  • The fact that old habits die hard: One more dynamic that’s working against mobile payment adoption is the simple fact that it’s still easier and faster, in most cases, for consumers to pay for goods and services with cash, debit card or credit card. They’re comfortable with these methods, so they’re in no hurry to change. And many businesses that offer mobile payment options fail to do enough to incentivize consumers to make the switch — for example, they don’t provide compelling rewards to customers who use their app frequently.

A Growing Swell of Expectations From Consumers

The picture is not all bleak. There are other strong trends in motion that will help to drive mobile payments innovation as well as consumer adoption and use of these solutions. Here are some of the dynamics to watch:

  • New shopping trends will help mobile payments grow — a lot. Showrooming — where consumers examine merchandise in a traditional brick-and-mortar retail store or another offline setting and then buy it online, sometimes at a lower price — is just one example. It’s a retail experience that’s made for mobile — and it’s expanding as large e-commerce players like Amazon and Microsoft get in the game. Retailers can use mobile payment apps to incentivize shoppers to buy items in the store by offering discounts, special rewards or free delivery.
  • Mobile shopping apps are becoming more experiential for consumers. The core purpose of a mobile payment service is to facilitate transactions, of course, but that’s not enough to engage a consumer. Mobile shopping apps are evolving to help customers discover and research products before they are at the store and then help them locate those products while they’re in the store. These apps can also store shoppers’ receipts, gift cards and shopping lists; present discounts and coupons; enable comparison shopping; make the checkout process simple and fast, and more. Look for customer loyalty programs to evolve, as well; for instance, using data insights, a retailer could offer individualized incentives to mobile shoppers and reward them for specific behaviors.
  • A friction-free experience is becoming an expectation, fast. Mobile payments success hinges on creating a simple, seamless, value-adding and branded customer experience. Leading players in the person-to-person (P2P) payments space are setting the standard for the frictionless consumer experience — and winning over mobile-minded millennials. Recent research from Bank of America found that 62 percent of millennials use a P2P service.

Entrants in the P2P space are also focusing on the back end, trying to simplify operations and bake in security wherever possible without undermining the consumer experience. Good infrastructure that supports a secure and seamless customer experience is essential to the future of mobile payments. In the coming months on the blog, we’ll be exploring topics that retailers, technology companies and financial services providers, specifically, should consider when developing their mobile payments strategy. These topics include operational effectiveness, risk and compliance issues, technology strategy, and security and data privacy. Each of the industries mentioned above has an important role to play in helping to shape the evolution of the mobile payments industry. It will be through their collaboration, cooperation and innovation that the mobile payments experience can become what businesses and consumers alike envision it can — and should — be.

From Tiny Tech to Populism: Latest Issue of PreView Scans the Global Risk Horizon

By Jason Daily, Director
Risk and Compliance




Imagine a DNA-programmed nanoparticle capable of hacking cancer cells, a plankton-sized carbon tube that can remove pollutants from water, or food packaging that changes color in the presence of dangerous bacteria. Nanotechnology, with a market predicted to reach almost $13 billion by 2021, has the potential to change the world, and every industry — from healthcare to the military — has a stake in its advances.

Use of Nanomaterials by Industry

With that potential, of course, comes risk. Nanotech may be applied in controversial ways — such as surveillance, or weapons capable of attacking people, plants or livestock at the molecular level. The technology is not visible to the naked eye, raising concern among some, who worry that self-replicating nanobots could destroy the planet if not properly controlled.

Nanotech is only one of the macro-level trends we’re watching as part of Protiviti’s ongoing PreView global risk series. We evaluate emerging risks according to the five global risk categories established by the World Economic Forum. In the January edition, in addition to nanotechnology, we consider the risk of a global water crisis and the “morality” of thinking machines, and we look ahead at the risk of marching populism and what cybersecurity means on a national and global scale.

WEF Global Risk Categories

The flip side of risk is opportunity. While governments and industries grapple with the shortage of fresh, clean water, particularly in developing countries, opportunities for water applications of nanotechnologies abound. As artificial intelligence increasingly replaces humans in making key decisions, opportunities to improve the underlying algorithms can translate into market share and increased profits for the early movers. And finally, with cyber the new warfare, governments and companies have an opportunity to stake a claim in the cybersecurity space by designing products, as well as policies, that protect both digital assets and societal freedoms.

Several of the topics in our current issue are a continuation from previous issues. This trend will continue, as the risks we are keeping an eye on evolve over time and their implications change, sometimes quickly. Whether continuing or newly emerging, such as populism, all of these risks are fascinating to follow, and imperative to take into consideration in mapping long-term business strategies. That’s probably one reason why our PreView series is among our most popular publications.

I encourage you to both read and share our latest issue with your board and executives, to spark discussion and help ensure these emerging risks are part of risk discussions. And, we encourage a discussion here as well. Tell us what you think in the comments.

Your Personal Information Is Not Personal Anymore – So Who’s Guarding It?

Scott Laliberte (2014)

By Scott Laliberte, Managing Director
IT Security and Privacy



We live in an age of great convenience enabled by technology. Snap a photo of your check on your smartphone to make a deposit: simple. Roll over an IRA from your home office: easy. Change the password on your bank account from the airport: no problem.

What is less apparent to consumers of these services is the risks they may be assuming by making use of these conveniences. And while few of us have the wish to give up our conveniences, we’d better be ready to demand the best processes and technologies available to protect us from the risk of fraud and identity theft.

For businesses, meeting demands for enhanced personal identity protection can be costly, and it introduces new inconveniences to their customers – something of which businesses are always conscious. It helps when consumers realize the value of better security, and even demand it, despite the potential costs and inconveniences. We are all familiar with the annoyance of forgetting our password and having to jump through half a dozen hoops to get it back – but at least we recognize it’s our own interest that demands it.

Businesses are limited to just a few options when they want to confirm the identity of a consumer: things the consumer knows, things the consumer has, and things the consumer is. For instance, a consumer knows her password, date of birth, Social Security number, and the answers to several secret questions, like make of car or mother’s maiden name. Some of these are easy to guess; all are easy for a hacker to store and reuse: if one breach reveals the customer’s password and secret question responses for one site, hackers are smart enough to “replay” this information to hack other sites. Things the consumer has, like her cell phone, are harder for hackers to obtain. Adding an “out of band” element to authentication – like texting a PIN to the phone to authorize a logon to a website – protects customers even when hackers have other identifying data. Finally, things the customer is offer strong protection as well (though they also may be subject to replay or other issues). Fingerprints and retina scans are two biometric methods in this category right now.
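As an added illustration (not code from the post or from Protiviti), here is a minimal server-side implementation of the out-of-band step described above: after the password has checked out, a single-use PIN is texted to the phone and must be verified once, within a time limit, under an attempt cap, so that a PIN captured from one logon cannot be “replayed” for another. The `send_sms` callback, the policy constants and the user names are assumptions constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed policy values for the example, not from the original post.
PIN_TTL_SECONDS = 300      # a texted PIN is only good for five minutes
MAX_ATTEMPTS = 3           # six digits leave 1e6 guesses; cap online guessing hard


@dataclass
class PendingChallenge:
    """One outstanding out-of-band PIN for one user (the 'thing the consumer has')."""
    mac: bytes          # keyed hash of the PIN; the plaintext only leaves via the phone
    expires_at: float
    attempts: int = 0


class OutOfBandAuthenticator:
    """Second step of a logon: texts a single-use PIN and accepts it exactly once."""

    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send_sms = send_sms                  # hypothetical SMS gateway hook
        self._clock = clock
        self._key = secrets.token_bytes(32)        # per-process key for the PIN MAC
        self._pending: Dict[str, PendingChallenge] = {}

    def _mac(self, pin: str) -> bytes:
        return hmac.new(self._key, pin.encode(), "sha256").digest()

    def start_challenge(self, user_id: str, phone: str) -> None:
        """Call only after the knowledge factor (password) has already been verified."""
        pin = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded to six digits
        self._pending[user_id] = PendingChallenge(
            self._mac(pin), self._clock() + PIN_TTL_SECONDS)
        self._send_sms(phone, f"Your sign-in code is {pin}")   # out-of-band delivery

    def verify(self, user_id: str, submitted: str) -> bool:
        ch = self._pending.get(user_id)
        if ch is None:
            return False     # nothing outstanding: never issued, or already consumed (replay)
        if self._clock() > ch.expires_at:
            del self._pending[user_id]
            return False     # a PIN captured earlier cannot be held and used later
        ch.attempts += 1
        ok = hmac.compare_digest(ch.mac, self._mac(submitted))   # constant-time compare
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]     # single use: gone on success or on lockout
        return ok


def walkthrough() -> Dict[str, bool]:
    """Constructed scenario: a genuine logon, then the replay, expiry and guessing cases."""
    now: List[float] = [1_700_000_000.0]           # controllable clock for the demo
    outbox: List[str] = []                         # stands in for the user's phone
    auth = OutOfBandAuthenticator(send_sms=lambda phone, msg: outbox.append(msg),
                                  clock=lambda: now[0])
    results: Dict[str, bool] = {}

    auth.start_challenge("alice", "+1-555-0100")   # constructed user and number
    pin = outbox[-1].split()[-1]                   # what only the phone's owner sees
    results["genuine"] = auth.verify("alice", pin)        # True
    results["replay"] = auth.verify("alice", pin)         # False: already consumed

    auth.start_challenge("alice", "+1-555-0100")
    pin = outbox[-1].split()[-1]
    now[0] += PIN_TTL_SECONDS + 1                  # attacker sits on a captured PIN
    results["expired"] = auth.verify("alice", pin)        # False

    auth.start_challenge("alice", "+1-555-0100")
    pin = outbox[-1].split()[-1]
    for guess in ("000000", "111111", "222222"):   # online guessing hits the cap
        auth.verify("alice", guess)
    results["after_lockout"] = auth.verify("alice", pin)  # False: challenge discarded
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The same structure applies to PINs sent by voice call or app push; only the delivery hook changes, while the single-use, expiry and attempt-cap rules are what keep a captured PIN from being replayed.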

These are the kinds of protections businesses must now routinely offer and customers must demand, or at least reward with their patronage those businesses that offer them.

Here are some suggestions for businesses that wish to add themselves to the category of companies with strong, responsible customer identity protection:

  • Offer enhanced security features but allow your customers to opt in. Not all consumers will be willing to take on more complex authentication to protect their identities against theft. Some simply don’t care, and the complexity may drive them away.
  • Consider how fees might offset the costs of enhanced protection, and also how fees might affect customer loyalty. Monitor how these services are priced by other players in your industry.
  • Develop your in-house knowledge of the changing cybersecurity landscape and expedite development of your expertise in areas that are affecting your business the most.
  • Educate your consumers so they can recognize the value of the enhanced security you offer to protect them against significant losses – and why the added inconvenience is a minor hassle compared to the siphoning of their 401k, for example.
  • Employ advanced fraud analytics to monitor for suspicious activities and high-risk transactions.

From the consumers’ perspective, the following actions should help consumers become partners in the effort to protect their own identity:

  • Sign up for identity theft protection services. These services monitor credit inquiries and can protect against thieves using stolen personal information to apply for credit in your name. While they may not be able to detect activity directed at your 401k, HSA, or other financial accounts, these services may provide support to resolve problems resulting from identity theft and some even offer insurance against loss.
  • Monitor financial statements promptly to ensure all transactions are valid.
  • Change passwords often; don’t reuse passwords on other sites. Vary your secret questions; choose questions with answers that are the hardest to guess (e.g., the name of your best friend in high school is harder to guess than your favorite color).
  • Welcome enhanced security features like out-of-band authentication (such as a PIN texted to your phone) and biometrics (using your fingerprint or iris) – especially for high-risk transactions such as changes to key account information (password, email, address) or transfers of money.
  • Vote with your wallet: Gravitate toward businesses that offer enhanced security features. Encourage your established providers, via survey responses and direct requests, to offer enhanced security features, and be prepared to pay for them – perhaps in higher fees; certainly in inconvenience.

Businesses will continue to benefit from offering convenient online features to their customers, as a way of achieving customer loyalty and competitive advantage. Consumers will come to expect faster, secure, seamless services as platforms and technology allow. Businesses and consumers alike will do well to stay informed about how to protect consumer data in this evolving landscape. As long as identity theft continues to reward hackers, they’ll keep looking for ways to circumvent security measures. We need to evolve our security techniques to keep up with the ever-changing threats from cybercriminals.

Introducing Compliance Insights: Protiviti’s Monthly Roundup of News for Financial Services Firms

By Steven Stachowicz, Managing Director
Risk and Compliance



With global banking regulation consistently ranking as a top concern for financial service industry executives and directors, Protiviti has launched Compliance Insights, a monthly advisory newsletter designed to provide financial services industry (FSI) executives with timely news on issues that are relevant now.

Although primarily focused on banking compliance matters related to consumer protection, privacy, anti-money laundering/anti-terrorist financing, and sanctions, this short newsletter also includes topics applicable to other types of financial institutions, including those in capital markets and emerging financial technology (“fintech”).

The information we choose for our monthly briefing is not intended to be a complete picture of the FSI compliance landscape, but to provide clear and concise summaries on key topics we consider of interest to the industry. We’re not going to cover everything; rather, each month we’ll highlight a handful of issues, tapping our subject-matter experts for analyses of the latest changes in rules and guidance.

Our inaugural issue, launched in July, led with a couple of updates on global payment systems. In the wake of cyberattacks on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payments network, which facilitates cross-border interbank transfers, both SWIFT and the Federal Financial Institutions Examination Council (FFIEC) issued reminders to institutions of the need to manage risks associated with interbank electronic transactions. We also shared new guidance from the Wolfsberg Group of International Financial Institutions, an association of 13 global banks with a common goal of developing effective anti-money laundering (AML) standards. The guidance is related to financial institutions’ use of certain SWIFT services.

Other topics included:

  • Proposed rules from the SEC limiting the use of derivative investments by mutual funds;
  • The long-anticipated proposal from the Consumer Financial Protection Bureau (CFPB) on rules governing payday, vehicle title, and other short-term, small-dollar loans; and
  • The possibility of fintech firms obtaining limited-purpose national bank charters, enabling them to operate under uniform federal regulation and supervision.

Our August issue, released last week, provides updates on another CFPB proposal, this one focused on third-party debt collection practices, plus several other topics we consider relevant:

  • A joint regulatory update of Community Reinvestment Act (CRA) Q&As
  • Increased regulatory scrutiny of potential money laundering at card clubs (casino-like gambling establishments that offer only card games)
  • A ruling by a Miami judge in an anti-money laundering case that calls into question whether bitcoins are “money”
  • Upcoming changes to the Military Lending Act (MLA), which extends additional consumer lending protections to active-duty military personnel and their dependents

We hope you’ll find this resource useful – please let us know if you do or if you have any suggestions or suggested topics. It is part of our ongoing effort to help financial service institutions face the future with confidence.

You can subscribe to Compliance Insights or send us your feedback here.

A Matter of Trust: Taking a Look at the CISA Controversy

By Kurt Underwood
Global Leader of Protiviti’s IT Consulting Practice




Back in October, we issued a Flash Report on a Senate move regarding a proposed law that has spurred controversy at home and abroad. The bill is intended to improve cybersecurity in the United States through enhanced sharing of threat information.

Now out of committee, and potentially up for a floor vote in the Senate soon, the Cybersecurity Information Sharing Act (CISA) would allow (but not require) the sharing of Internet traffic information between U.S. government agencies and technology and manufacturing companies, making it easier for companies to share cyber threat information with the government.

The bill provides legal immunity from privacy and antitrust laws to companies that provide threat information from, say, the private communications of users, to appropriate federal agencies and other companies. It also permits private entities to monitor and operate defensive countermeasures to detect, prevent or mitigate cybersecurity threats or security vulnerabilities on their own information systems, and, under certain conditions, the systems of other private or government entities.

Although the bill includes provisions to prevent the sharing of personally identifiable information (PII) irrelevant to cybersecurity, some worry whether those protections are adequate.

The U.S. Chamber of Commerce, National Cable & Telecommunications Association, and other advocacy groups support the measure, on the grounds that the information in question is already flowing freely to spies and criminals around the world. Others, including the Computer and Communications Industry Association and various prominent technology companies, oppose it as a violation of personal privacy.

In the end, it all boils down to trust. Repeated high-profile security breaches of PII and other sensitive data have raised questions regarding the ability of government and large corporations to secure their data. It is interesting to note that the Department of Homeland Security, the designated entry point for all submitted data under the proposed law, is among those opposed to the bill.

The concern crosses international borders. A European court recently struck down an agreement that previously allowed U.S. companies to import the personal information of EU citizens and store that information within the United States. The agreement was called into question over a lawsuit questioning the protection of PII from the U.S. government.

For a more detailed analysis of CISA, you can download the Protiviti Flash Report, Proposed Cybersecurity Information Sharing Act Sparks Controversy. I am interested in your take on the issue in the comments section below.

More on Cybersecurity – President Obama Issues Executive Order to Sanction Cyberattackers

As a follow-up to our recent posts related to cybersecurity and cyberthreats, President Obama issued an Executive Order this week authorizing sanctions against cyberattackers operating outside the United States. You can read the Executive Order here. Reuters also published an informative overview of the Executive Order.

As noted in Reuters’ article and other sources, the Executive Order has received some positive response, but concerns are raised, as well. How exactly will a cyberattack be attributed with certainty to an individual or group? How will the administration handle cyberattackers who are deemed to be state-sponsored, particularly by nations with which the United States conducts trade? Will such sanctions be effective against faceless perpetrators who operate independently (i.e., without state sponsorship)?

We will continue to monitor these issues and comment periodically here and in other forums.