Without a doubt, digital advances are changing the way financial institutions interact with both their customers and employees. Moving to a digital environment—including migrating data to the cloud—affords financial institutions the opportunity to modernize their existing applications and create new ones, with the goal of driving IT agility, business efficiency, and staying competitive.
New research shows that 91% of financial institutions already use cloud services today or plan to use them in the next six to nine months. If we look closer at the finance industry, we see an incredible adoption rate. In 2012, 58% of banks said they were planning, testing, or adopting the cloud. Today, that number is over 80%, which represents 16% of total global cloud expenditures and close to US$100B in annual spending with cloud-enabled workloads expected to double annually.
Despite this adoption rate, the financial industry could be leveraging the cloud more effectively if cybersecurity and privacy were top of mind. The race to keep up with an ever-evolving digital environment and emerging technologies means not skipping any fundamental steps.
The most essential step is building a foundation strong enough to take the business through the digital revolution, including digital leadership skills and values, infrastructure, and the capacity to seamlessly evolve. Establishing this foundation of change, however, can substantively impact risk, compliance, and legal functions.
In order to secure a successful digital transformation, your organization must consider implementing change across all areas—your people, organizational structure, strategy, plans for innovation and growth, customer experience, supply chain, technology, finance, legal, tax, and risk and cybersecurity.
As organizations transform major parts of their operations, special attention must be paid to data protection and privacy including:
- Managing compliance, data, and cyber risk as business transforms
- Keeping pace with increasing cyber attacks
- Understanding broader risks of new technologies
- Establishing a cybersecurity program
Starting with cybersecurity and data privacy
With the ever-increasing risks for conducting business in a globally connected economy and rapid evolution of related threats, it is critical that financial institutions do not overlook cybersecurity at the onset of the digital transformation journey. Investments in transformative technologies can be meaningless if they can't protect customers, sensitive data, and other vital assets. A single company may possess the personal information of millions of customers—data that it must keep private so that customers' identities stay as safe and protected as possible, and the company's reputation remains untarnished.
Today's financial ecosystems of digitally connected entities, people, and data increase the likelihood of exposure to a cyber attack. In addition, data privacy and protection laws are continuing to change on a global level.
Data privacy's ultimate goal is to properly handle and protect personally identifiable information (PII) as well as meet the public's expectation of privacy. It addresses concerns regarding whether data can be shared with third parties with or without the consent of the data subjects and how it can be shared. This discipline addresses how data is collected, processed, stored, and deleted.
A long list of data privacy law initiatives indicates an accelerating change in the way companies and individuals are recognizing the value and importance of protecting a user's data. This has forced many businesses to establish a road map for charting their future data privacy and data protection strategies.
Without effective cybersecurity processes and controls in place, many organizations are not just risking their data and intellectual property, they are also placing employees and consumers at risk. Cybersecurity and data privacy requirements cannot be an add-on or an afterthought. They must be part of the core design of the digital transformation so potential risks and threats can be addressed and costly rework measures prevented. This will also help satisfy compliance with various regulatory requirements.
Data classification, data protection, and the consumer perspective
Data classification is the organization of data into defined categories so that protection may be applied effectively. The goal of this process is to allow data to be available to the authorized users as and when needed, to be used as pre-defined. Data classification involves defining the type of data, its custodian assignment, its confidentiality, and its integrity.
For example, an organization may classify data as restricted, private, or public. In this instance, restricted data would represent the most sensitive data and would have the highest security requirements. Inversely, public data would represent the least sensitive data and the security requirements would reflect that.
With consumers becoming more aware and careful about sharing data and regulators continuing to evolve privacy requirements, companies are learning that data protection and data privacy can be leveraged to create a business advantage.
As consumers increasingly adopt digital technology, the data they generate creates both an opportunity for enterprises to improve their consumer engagement and a responsibility to keep consumer data safe. This data, including location-tracking and other kinds of PII data, is immensely valuable to companies: many organizations, for example, use it to better understand the consumer's pain points and unmet needs. These insights help to develop new products and services, as well as to personalize advertising and marketing
A common misconception among consumers about the cloud is that if the data is “up there,” it's in greater jeopardy of being compromised. This is obviously of grave concern to the financial industry, and for good reason, considering how little trust the public has in the industry's ability to protect sensitive data (only 44% of people recently surveyed have faith in the financial industry's approach to digital security). Knowing the financial institution's use of the cloud—and, more importantly, how it's being used—could be exactly what customers need to hear.
The stakes are high for companies handling consumer data. Even consumers who are not directly affected by breaches are paying attention to how companies are responding to these threats.
Building the foundation of privacy into your digital transformation journey
Despite its challenges, digital transformation remains an extremely compelling and beneficial venture—not to mention a necessary one—for the financial industry. The prospect of leveraging cutting-edge technology to accelerate innovation and competitive advantage is certainly attractive. But attempting to make widespread changes to your business operations while leaving security precautions to be dealt with later will almost always cause serious issues down the line. There are several actions a financial institution can proactively take to address data privacy and data protection requirements.
The first step would be to decide on a set of project oversight practices and to ensure the project is vetted by a privacy or legal expert. In addition, clear documentation on recording and governing the data's collection, storage, and use must be produced. Much of the data that is collected may not be needed in the future. Therefore, businesses in the financial industry can mitigate risk by collecting only the data they need to serve their customers.
Another necessary step is to write or revise data storage and data security policies. Since different categories of data require different storage policies, best practice is to ensure to account for the different categories. A financial institution must develop clear, standardized procedures to govern requests for the removal or transfer of data. These should ensure expedited compliance with regulations and cover consumer requests for the identification, removal, and transfer of data.
Explore more by viewing an informative panel discussion on cloud data protection and privacy from the Cyber Tech & Risk – Trusted Cloud Conference on September 16, 2021, presented by Dishank Rustogi, Senior Manager – Cybersecurity Engineering at BDO, along with Helen Oakley – Senior Product Security Architect at SAP, Hammoud Rabah – Director, Cloud Security Integration at RBC, and David Décary-Hétu – Associate Professor at the University of Montreal.
So how can these steps be effectively implemented?
Part of your organization's data protection framework should include a privacy architect—an expert in both privacy and technology. A privacy architect can assess business objectives and the privacy legislation to which you will have to comply. Without knowledge of privacy law, technology projects can create new risks for your finance business.
It is too late to think about a privacy strategy after a breach has occurred, and the cost to the organization can be significant. There are both short-and long-term consequences that must be considered when managing a data breach.
Short-term consequences include direct fines and fees, the cost of the investigation, and the cost of the remediation efforts.
Long-term consequences include damage to the organization's reputation and loss of customer trust. A financial institution can spend years meticulously building a trusted brand and continuously working to maintain its integrity, only to see it all diminish in a matter of minutes. It can take years to rebuild your reputation and customer trust can even be lost forever.
Privacy by design
As the finance industry embarks on its digital transformation journey, the concept of privacy by design—developed by Dr.Ann Cavoukian in the 1990s— provides seven foundational principles for building a future-proof privacy program. Privacy by design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization's default mode of operation.
These principles can provide large financial institutions the opportunity to gain control over personal and sensitive information and strengthen their competitive advantage. The following principles can be applied to your organization regardless of the people, processes, or technologies:
- Proactive not reactive; preventative not remedial – allows organizations to anticipate and stop an event before it occurs rather than after the fact.
- Privacy as the default setting – regardless of the system or process, sensitive and/or personal is protected by default.
- Embed privacy into design – integrate privacy into every blueprint.
- Full functionality – positive-sum, not zero-sum - an approach to system and process design so that there are no unnecessary trade-offs when it comes to privacy and security.
- Ensure end-to-end security – full lifecycle protection - an embedded approach to protecting data throughout its lifecycle from collection, retention, and storage, to destruction.
- Visibility and transparency – keep it open - assure stakeholders that privacy activities and controls are operating in accordance to defined objectives that are subject to independent verification.
- Respect for user privacy – keep it user-centric – making the privacy interests of individuals of the utmost importance and designing control measures and processes accordingly.
There are several other frameworks or standards available to guide organizations with their privacy programs. All help to maintain customer trust, improve data management and protection capabilities, and enable innovation and digital transformation while reducing loss from fines and penalties, brand damage, and potential lawsuits.
In addition, data cannot be protected without a strong operational data governance model that consists of the following:
- Stewardship, roles, and responsibilities
- Data privacy and security policies
- Sensitive data maps and sets that require protection and classification
- Privacy data discovery
- Data protections and loss prevention (at rest and in transit)
- Data integrity and change management
- Access based on policy rules and principles of need to know and/or least privilege
- Access and usage activity logged and monitored
- Incident and breach response
- Data retention and disposal
- Awareness and enforcement
- Third party management
- Risk management
Top questions organizations in the financial industry should ask when building a privacy framework
Building data privacy into the foundation of your financial institution's digital transformation can be guided by asking several key questions:
What are the legal and compliance obligations based on the services provided?
Before starting the data protection and/or privacy journey, it's important to understand the legal and compliance obligations (i.e. GDPR, CCPA, PIPEDA, HIPAA, PCI) in relation to the services provided and the information collected/stored. The reason for collection, storage, and processing is known as the consistent or defined purpose. Anything not in alignment to that purpose must be excluded unless consent is obtained.
What information are you collecting and processing, where does it come from, and where is it located and stored?
The key to protecting sensitive/personal data is to understand what information is being collected. Information such as names, addresses, and birth dates are relatively standard and expected, but other more sensitive information such as salary, personal health information, location, IP address, and even trade secrets can also be collected. In addition, there may be special categories of personal data such as political opinions, religion, health, sex, or criminal record just to name a few.
Once this has been established, identify where this information is coming from, where it's going, and where it is processed and stored within the organization (e.g. databases, cloud-based servers and office products, on-premise data centres, or mobile devices).
Are the privacy risks well understood?
A privacy risk assessment will help organizations understand the likelihood of an adverse event and the impact if such an occurrence was to take place. The output of the risk assessment drives and prioritizes what controls and mitigation measures are put in place and helps management make informed decisions.
Who is accountable for the privacy program?
Establishing accountability for privacy and data protection is crucial for a successful privacy program. Your financial institution must identify a privacy officer or data protection officer (DPO) who is responsible for governance and oversight. Accountability must also exist throughout the organization for any individual that interacts with sensitive or PII. Senior leadership must provide overarching governance and support for the privacy program by establishing clear policies, training, and awareness.
BDO's cybersecurity team is ready talk to you about your data protection needs. We can assess your situation and help you map out a framework that puts cybersecurity and data privacy requirements first as you navigate your digital cloud journey.
For more information, contact:
Mike Gelesz
National Industry Leader, Banking & Financial Services | Consulting
i. https://www.ibm.com/thought-leadership/institute-business-value/report/banking-hybrid-multicloud
ii https://www.ibm.com/downloads/cas/74KLAO6J
iv https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf