Without a doubt, digital advances are changing the way financial institutions interact with both their customers and employees. Moving to a digital environment, including migrating data to the cloud, affords financial institutions the opportunity to modernize their existing applications and create new ones, with the goal of driving IT agility and business efficiency and staying competitive.
New research shows that 91% of financial institutions already use cloud services today or plan to use them in the next six to nine months. If we look closer at the finance industry, we see an incredible adoption rate. In 2012, 58% of banks said they were planning, testing, or adopting the cloud. Today, that number is over 80%, which represents 16% of total global cloud expenditures and close to US$100B in annual spending with cloud-enabled workloads expected to double annually.
Despite this adoption rate, the financial industry could be leveraging the cloud more effectively if cybersecurity and privacy were top of mind. The race to keep up with an ever-evolving digital environment and emerging technologies must not come at the cost of skipping fundamental steps.
The most essential step is building a foundation strong enough to take the business through the digital revolution, including digital leadership skills and values, infrastructure, and the capacity to seamlessly evolve. Establishing this foundation of change, however, can substantively impact risk, compliance, and legal functions.
In order to secure a successful digital transformation, your organization must consider implementing change across all areas—your people, organizational structure, strategy, plans for innovation and growth, customer experience, supply chain, technology, finance, legal, tax, and risk and cybersecurity.
As organizations transform major parts of their operations, special attention must be paid to data protection and privacy, including:
- Managing compliance, data, and cyber risk as business transforms
- Keeping pace with increasing cyber attacks
- Understanding broader risks of new technologies
- Establishing a cybersecurity program
Starting with cybersecurity and data privacy
With the ever-increasing risks of conducting business in a globally connected economy and the rapid evolution of related threats, it is critical that financial institutions do not overlook cybersecurity at the onset of the digital transformation journey. Investments in transformative technologies can be meaningless if they can't protect customers, sensitive data, and other vital assets. A single company may possess the personal information of millions of customers, data that it must keep private so that customers' identities stay as safe and protected as possible and the company's reputation remains untarnished.
Today's financial ecosystems of digitally connected entities, people, and data increase the likelihood of exposure to a cyber attack. In addition, data privacy and protection laws are continuing to change on a global level.
Data privacy's ultimate goal is to properly handle and protect personally identifiable information (PII) as well as meet the public's expectation of privacy. It addresses concerns regarding whether data can be shared with third parties with or without the consent of the data subjects and how it can be shared. This discipline addresses how data is collected, processed, stored, and deleted.
A long list of data privacy law initiatives indicates an accelerating change in the way companies and individuals are recognizing the value and importance of protecting a user's data. This has forced many businesses to establish a road map for charting their future data privacy and data protection strategies.
Without effective cybersecurity processes and controls in place, many organizations are not just risking their data and intellectual property, they are also placing employees and consumers at risk. Cybersecurity and data privacy requirements cannot be an add-on or an afterthought. They must be part of the core design of the digital transformation so potential risks and threats can be addressed and costly rework measures prevented. This will also help satisfy compliance with various regulatory requirements.
Data classification, data protection, and the consumer perspective
Data classification is the organization of data into defined categories so that protection may be applied effectively. The goal of this process is to make data available to authorized users as and when needed, for use as pre-defined. Data classification involves defining the type of data, its custodian assignment, its confidentiality, and its integrity.
For example, an organization may classify data as restricted, private, or public. In this instance, restricted data would represent the most sensitive data and would have the highest security requirements. Inversely, public data would represent the least sensitive data and the security requirements would reflect that.
With consumers becoming more aware and careful about sharing data and regulators continuing to evolve privacy requirements, companies are learning that data protection and data privacy can be leveraged to create a business advantage.
As consumers increasingly adopt digital technology, the data they generate creates both an opportunity for enterprises to improve their consumer engagement and a responsibility to keep consumer data safe. This data, including location-tracking and other kinds of PII data, is immensely valuable to companies: many organizations, for example, use it to better understand the consumer's pain points and unmet needs. These insights help to develop new products and services, as well as to personalize advertising and marketing.
A common misconception among consumers about the cloud is that if the data is “up there,” it's in greater jeopardy of being compromised. This is obviously of grave concern to the financial industry, and for good reason, considering how little trust the public has in the industry's ability to protect sensitive data (only 44% of people recently surveyed have faith in the financial industry's approach to digital security). Knowing the financial institution's use of the cloud—and, more importantly, how it's being used—could be exactly what customers need to hear.
The stakes are high for companies handling consumer data. Even consumers who are not directly affected by breaches are paying attention to how companies are responding to these threats.
Building the foundation of privacy into your digital transformation journey
Despite its challenges, digital transformation remains an extremely compelling and beneficial venture—not to mention a necessary one—for the financial industry. The prospect of leveraging cutting-edge technology to accelerate innovation and competitive advantage is certainly attractive. But attempting to make widespread changes to your business operations while leaving security precautions to be dealt with later will almost always cause serious issues down the line. There are several actions a financial institution can proactively take to address data privacy and data protection requirements.
The first step would be to decide on a set of project oversight practices and to ensure the project is vetted by a privacy or legal expert. In addition, clear documentation on recording and governing the data's collection, storage, and use must be produced. Much of the data that is collected may not be needed in the future. Therefore, businesses in the financial industry can mitigate risk by collecting only the data they need to serve their customers.
Another necessary step is to write or revise data storage and data security policies. Since different categories of data require different storage policies, best practice is to ensure the policies account for each category. A financial institution must develop clear, standardized procedures to govern requests for the removal or transfer of data. These should ensure expedited compliance with regulations and cover consumer requests for the identification, removal, and transfer of data.
Explore more by viewing an informative panel discussion on cloud data protection and privacy from the Cyber Tech & Risk – Trusted Cloud Conference on September 16, 2021, presented by Dishank Rustogi, Senior Manager – Cybersecurity Engineering at BDO, along with Helen Oakley – Senior Product Security Architect at SAP, Hammoud Rabah – Director, Cloud Security Integration at RBC, and David Décary-Hétu – Associate Professor at the University of Montreal.