
Challenges with data security regulatory compliance in financial services

(Image credit: Pitney Bowes Software)

For financial services companies, big data is a double-edged sword. The same growing volumes of sensitive information that drive the business also have to be secured, and the industry faces that task under closer regulatory scrutiny than most. Firms must adhere to regulations both to protect themselves from data breaches and to preserve their reputation for trustworthiness, yet meeting those data compliance obligations brings substantial practical difficulties.

Below, we'll discuss some of the biggest challenges that you face regarding data compliance, as well as strategies for how you can begin to address them.

Regulations within regulations

The financial services industry already must comply with regulations such as the Dodd-Frank Act and the Basel II accord. These regulations are primarily about capital, risk and reporting, but each in turn contains data requirements that dictate how financial institutions must manage and protect their organisational data.

Under the Dodd-Frank Act, financial institutions must comply with a variety of data management regulations governing matters including capital planning, stress testing and loans. Meanwhile, organisations governed by Basel II must be sure that their data is accurate and has high integrity so that they can correctly assess the risks that they face.

Beyond these data regulations that imply security measures, financial services organisations must also comply with explicit security standards such as PCI DSS, which governs how customers' payment card information is handled. PCI DSS consists of 12 requirements that apply to every entity that stores, processes or transmits cardholder data, not just payment processors, including installing and maintaining firewalls, deploying antivirus software and encrypting cardholder data whenever it is transmitted over open, public networks.

Finally, regulations such as the European Union's General Data Protection Regulation (GDPR) fundamentally change how organisations handling EU personal data operate. Except in narrowly defined cases, organisations must have a lawful basis for each processing activity, tell individuals how their personal information is collected and processed, and honour their right to object to or withdraw consent from that processing. The regulation applies to any organisation, wherever it is based, that processes the personal data of people in the EU, so international companies must carefully consider how they transfer data between the EU and other countries.

The strengths of the data-centric approach

The majority of companies will see the best results by adopting a "data-centric" approach that encrypts and controls access to the information itself. Experience has shown this strategy to be far more robust than relying on the "perimeter" approach alone, which protects the boundaries of the network using tools such as firewalls and intrusion detection systems but leaves data exposed to anyone who gets past that boundary.

At Zettaset, we've witnessed again and again how perimeter approaches are losing effectiveness against the onslaught of security threats, and how they're easier than ever to breach. The complexities of the modern business network are simply too much for an imperfect strategy such as the perimeter approach. New technologies such as Wi-Fi and Bluetooth, and new ways of connecting to the network via mobile devices and tablets, mean that the "fortress" model of network security is increasingly outmoded.

On the other hand, data that is properly encrypted is of little use to an attacker who does not also obtain the keys, which is why breaches of well-implemented encrypted data environments are rare and why key management and access control deserve as much attention as the cipher itself. Rather than trying to make your entire network an impregnable wall, identify which data and assets matter most to you, and develop strategies for protecting and controlling access to that information.

Preparing for inevitable new regulations

The next few years are a critical time for data-driven organisations. The sheer quantities of information are expanding so rapidly that companies that don't know how to process and analyse this information will simply fall by the wayside. IT research and advisory company IDC predicts that, by 2025, humans will generate 180 zettabytes (180 trillion gigabytes) of data every year.

As the amount of data grows exponentially, and the internet changes to accommodate this explosive growth, new industry regulations will follow close behind. Even financial services organisations that are conscious of the current state of regulations need to remain flexible and agile so they can quickly react and respond to these shifts in the industry landscape. In the years ahead, change will come both in the form of new regulations as well as amendments to existing ones.

If and when these changes arrive, make sure your company isn't caught out in the cold. Visionaries in your organisation should spend time on long-term strategic thinking in order to anticipate the potential effects of new regulations. You also need to make sure your security solution includes provisions for flexibility from day one. This means being able to bring new data sources and larger volumes under protection without re-architecting, while retaining direct, hands-on control over how and where that data is protected.

The changing state of data

Financial services data is fluid: it frequently moves from being in use, to in motion, to at rest, and back again. What's more, companies constantly generate new data that they need to combine with their existing data stores.

As information changes from one state to another and moves between locations, it becomes harder to apply data security controls consistently across the whole system. Organisations without the right tools cannot demonstrate that their information is protected end to end, and gaps between states are exactly what regulators will treat as compliance failures.
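As an added illustration (this is example code written for this page, not Zettaset's product or anything from the original article), the Go program below shows one concrete form of the data-centric approach described above, applied to the "changing state" problem: a sensitive field is encrypted with a per-record data key under AES-256-GCM, and that data key is wrapped under a key-encryption key (KEK). The record can then sit at rest, travel in a message, or be copied elsewhere, and it stays protected until someone with the KEK unwraps it. The record layout, the field names and the idea that the KEK comes from a key service are assumptions made for the example; binding the ciphertext to the record ID via GCM's additional authenticated data is what stops a ciphertext from being transplanted into a different record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed sample row (assumed layout); PAN is the field that
// must stay protected whether the row is at rest, in a queue, or in memory.
type Record struct {
	ID   string
	Name string
	PAN  string
}

// ProtectedRecord is what may leave the trusted boundary: the PAN is AES-GCM
// ciphertext and its data key travels alongside, wrapped under the KEK.
type ProtectedRecord struct {
	ID         string
	Name       string
	WrappedDEK []byte
	SealedPAN  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and binds it to aad (the record ID).
// Output layout: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Protect makes a fresh 256-bit data key (DEK) for the record, encrypts the
// PAN with it, and wraps the DEK under kek. The plaintext DEK is not stored.
func Protect(kek []byte, r Record) (ProtectedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return ProtectedRecord{}, err
	}
	sealedPAN, err := seal(dek, []byte(r.PAN), []byte(r.ID))
	if err != nil {
		return ProtectedRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte(r.ID))
	if err != nil {
		return ProtectedRecord{}, err
	}
	return ProtectedRecord{ID: r.ID, Name: r.Name, WrappedDEK: wrapped, SealedPAN: sealedPAN}, nil
}

// Unprotect needs the KEK: without it the DEK, and so the PAN, is unrecoverable
// no matter where the ProtectedRecord has been copied to.
func Unprotect(kek []byte, p ProtectedRecord) (Record, error) {
	dek, err := open(kek, p.WrappedDEK, []byte(p.ID))
	if err != nil {
		return Record{}, fmt.Errorf("unwrap DEK for %s: %w", p.ID, err)
	}
	pan, err := open(dek, p.SealedPAN, []byte(p.ID))
	if err != nil {
		return Record{}, fmt.Errorf("open PAN for %s: %w", p.ID, err)
	}
	return Record{ID: p.ID, Name: p.Name, PAN: string(pan)}, nil
}

// Rewrap rotates to a new KEK by re-wrapping only the 32-byte DEK; the sealed
// PAN is untouched, which is what keeps key rotation cheap on large stores.
func Rewrap(oldKEK, newKEK []byte, p ProtectedRecord) (ProtectedRecord, error) {
	dek, err := open(oldKEK, p.WrappedDEK, []byte(p.ID))
	if err != nil {
		return ProtectedRecord{}, err
	}
	p.WrappedDEK, err = seal(newKEK, dek, []byte(p.ID))
	return p, err
}

func main() {
	kek := make([]byte, 32) // assumed to come from an HSM or KMS in production
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	p, err := Protect(kek, Record{ID: "cust-1001", Name: "A. Example", PAN: "4111111111111111"})
	if err != nil {
		panic(err)
	}
	back, err := Unprotect(kek, p)
	fmt.Println(back.PAN == "4111111111111111", err)
	p.ID = "cust-2002" // same ciphertext, different record: AAD check fails
	_, err = Unprotect(kek, p)
	fmt.Println(err != nil)
}
```

The point to notice is that the protection travels with the data rather than with the network segment it happens to be in, and that the only thing which must be tightly controlled is access to the KEK. Rotating the KEK touches one small wrapped key per record rather than every encrypted field, so the design stays workable as volumes grow.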

Dealing with the IT skills gap

By now, the IT skills gap is a well-known issue for the industry, and the size of the problem grows with the level of expertise required. The IT security non-profit ISACA estimates that, by 2019, there will be a global shortage of 2 million cyber security professionals. With major organisations increasingly in the crosshairs of cyber criminals, the demand for such positions, and the difficulty of filling them, will be an ongoing challenge.

What's more, doing IT security well is no easy task, requiring a team of knowledgeable, experienced professionals. Security experts need to wear many hats: building data infrastructures, implementing security controls, and maintaining data stores so that patches and updates are applied in a timely manner.

The financial services industry typically has more capital to spend on IT talent than other sectors that face information security regulatory compliance. However, this doesn't mean that the IT skills gap isn't a very real phenomenon for financial services. According to a 2017 survey of financial services executives by PricewaterhouseCoopers, 72 per cent of respondents believe that the IT skills gap represents a significant barrier to the growth of their organisation.

In order to surmount these challenges, financial institutions will need to cast a wide net, looking outside the confines of their own industry for talent. More and more IT security experts are casting aside the promise of a sizable paycheck in the finserv industry, preferring to work at tech startups with a greater cultural fit and a better work-life balance. Financial services companies can compete by making their IT security positions more attractive to candidates.

Finally, financial institutions should also work with vendors to find tools that fit their requirements without the need to hire more IT personnel. Advanced data protection solutions can help to reduce the strain placed on the IT team and the security operations centre while keeping an organisation’s sensitive information safely under lock and key.

Final thoughts

Regulatory compliance will continue to be a challenge for financial services companies, alongside the outside and inside threats to the sensitive data that they collect. By building flexibility into their security processes and architecture, financial services companies can remain agile even as regulations and best practices continue to evolve.

John Armstrong, CMO, Zettaset

John Armstrong is the CMO at Zettaset, a data encryption provider. He has over 25 years of experience working for clients including Securent (Cisco), NetScaler (Citrix), and Mobile Money (Intuit).