Opinion

Data security in financial services: Meeting the challenges head on

Recent research suggests that Financial Services firms have experienced a threefold increase in the rate of breaches, over the past five years. Financial Services companies face almost three times more cyber attacks than any other industry.

Pramod Singh Jul 19th 2018 A-A+
Pramod-Singh-Envestnet-Yodlee.jpg

As the world becomes increasingly interconnected and virtual, the risk of sensitive, personal information falling into the wrong hands has increased significantly. Recent research suggests that Financial Services firms have experienced a threefold increase in the rate of breaches, over the past five years.

Data privacy and security concerns are not restricted to the Financial Sector alone. Across industries and sectors, organizations have been cautioned for unlawfully using personal data accumulated from social media sites and other online repositories. One of the most famous example of this is Cambridge Analytica— a political consulting firm, which has been accused of harvesting and analyzing social media data to provide strategic communication support and influence significant political campaigns, including the 2016 US Election and Brexit. This event led to data privacy and security becoming household topics and the unfortunate reality is that such events are unlikely to have occurred for the last time.

Apart from unlawful collation, analysis or use of personal data, the looming threat of cyber crime has also been on the rise. Today, Financial Services companies face almost three times more cyber attacks than any other industry. In the US, more than a third of all breaches take place in the financial sector.

•    Less than a year ago, the US faced one of its worst data thefts when the data of about 148 million Americans and 400,000 people in the UK was stolen by hackers from the personal data collected by Equifax, a consumer credit reporting agency in the US. According to Equifax, the compromised data included names, social security numbers, birthdates, telephone numbers, and email addresses. The hackers also stole the credit card numbers of more than 209,000 consumers, over the month and a half long period the breach went undetected.

•    In 2014, JPMorgan Chase reported a data breach that affected 7 million small businesses and 76 million households. Though the bank rushed to assure its customers that no data was compromised, this was a blow to the trust in the brand. The fact that hackers were able to get into the bank's systems and acquire a list of applications and programs that the bank was using was an alarming revelation.

While recent events have set alarm bells ringing, security agencies and companies have even bleaker predictions for 2018 and beyond. While ‘traditional’ cyber crime is here to stay, more sophisticated forms of data breaches - distributed denial-of-service attacks (DDOS) , Ransomware, and even Internet of Things (IoT) attacks are expected to increase in the coming years.

The earlier cases were just some of the instances which received active news coverage. A significant number of these breaches go unreported and do not find any mention in the public domain. Given the sensitive nature of the data financial institutions (FIs) deal with— such as Personally Identifiable Information (PII) and Payment Card Industry (PCI) data— Financial Services firms and Financial Technology (Fintech) companies are particularly attractive to hackers.

Risks abound, beyond external threats
Aside from the multitude of risks posed by external threats, sensitive data can be compromised in other ways as well. Breaches can be caused by insider leaks or due to the lack of strong compliance and data security standards implemented by corporations.

The increasing use of multiple channels and consumer touchpoints, such as mobile applications, can also open up additional vulnerabilities. Today, more than half of all financial transactions are conducted on mobile devices and it’s no surprise that fraudulent transactions on these platforms have witnessed a dramatic rise in recent years.

Lastly, the use of open application program interfaces (APIs) provided by FIs to external agencies, partners or third-parties could jeopardize the host institution’s ecosystem, adding another dimension to overall cyber security risk.

Need for a strategic, multi-layered approach
To counter these threats, FIs need to adopt a strategic, multi-layered approach to counter the threats posed by cyber criminals. This involves the use of sophisticated technology and advanced security measures, along with the adoption of stringent compliance standards and internal controls.  While no system can be made completely fool-proof, adopting a holistic approach to data security using a cyber security Framework is infinitely better than building a vulnerable ecosystem and layering in security measures as an afterthought.

Some basic measures that can be taken include a data mapping exercise to decide where and how data is stored and how it is abstracted from various stakeholders. Conducting a thorough Security Risk Profile assessment helps identify the most vulnerable points in the stack and plug any gaps.  From a technology standpoint, using best-in-class encryption methods at the communication and application layers is crucial. Depending on their needs, different organizations can take a call on how to encrypt both resident and transient data, which adds another layer of protection.
    
AI and ML to counter cyber crime
Newer, more sophisticated means to thwart cyber crime stem from cutting-edge research in the world of artificial intelligence (AI) and machine learning (ML). A recent research project at the Massachusetts Institution of Technology’s (MIT) Computer Science and AI Laboratory, titled AI2 is focused on using advanced AI and ML capabilities to predict cyber attacks better than any existing system. Such models have the best of both worlds, seamlessly combining machine-driven large-scale pattern detection with human intuition. This synergistic approach is greater than the sum of its parts, and can drastically increase prediction accuracy and reduce false positives.

While these efforts will remain ongoing, security professionals need to strengthen traditional methods of securing data-endpoint security, access management, and threat monitoring. While we look for solutions, here are a few forward-looking ideas on effective ways to tackle the rising threat of breaching customer data in FIs.

Best practices and standards
While technology can play a vital role in ensuring data security, FIs also need to align themselves with global best practices. When it comes to financial data, these practices can be established on the basis of industry-wide policies like The Payment Card Industry Data Security Standard (PCI), created to increase controls around cardholder data to reduce credit card fraud, and the Service Organization Control, Second Report (SOC2) standard, which sets the benchmark for data handling, protection and consumer privacy.

After a two-year preparation phase, the General Data Protection Regulation (GDPR) for businesses in the European Union has been enforced and is expected to set the world standard for data privacy. Financial Services companies stand to gain a lot from these standards as they bring together expertise from security providers, regulators and FIs themselves.

While policies and security methods are the need of the hour, the most important safeguard is the coordinated action of security solution providers, government regulators, banks and Fintech companies. Ensuring that a cyber security framework is strictly implemented and regular audits with comprehensive compliance checks are carried out will be a big step forward in ensuring data privacy and security for individuals, organizations and the general public.

The information, analysis, and opinions expressed herein are for informational purposes only. Nothing contained in this column is intended to constitute legal, tax, accounting, securities, or investment advice, nor an opinion regarding the appropriateness of any investment, nor a solicitation of any type.

Pramod Singh is Chief Analytics Officer and Vice President of Data Sciences and Analytics at Envestnet | Yodlee.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).