Data Classification in the Finance World
When it comes to data privacy, financial services is one of the most highly regulated industries, and as a result, finance organizations face immense pressure to protect the data they are creating, collecting, and storing. Let’s take a deeper dive into what pressures are put on financial organizations to protect their data, and what they can do to ensure their sensitive data stays secure and compliant with regulatory requirements.
The Pressure to Protect Data in a Financial Environment
The list of regulations that financial organizations must comply with is growing, and non-compliance could expose organizations to heavy monetary fines as well as reputational damage, which would be particularly harmful in the financial sector. In addition, financial organizations must remain vigilant about the possibility of a data breach, and particularly the insider threat, whether from malicious actors or accidental loss.
Some of the current challenges financial organizations are facing when it comes to protecting their data are:
Current and Emerging Privacy Regulations
Data privacy regulations have been emerging rapidly all over the world within the past five years, and since the GDPR went into effect in Europe in 2018, more US states have been implementing their own privacy regulations. One of the more notable regulations affecting financial organizations is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation – 23 NYCRR 500 – which went into effect in 2017, predating even the GDPR. This regulation applies to firms holding a banking, insurance, or financial services license to operate in New York. To comply, organizations must complete key tasks including:
- Appoint a CISO (if one isn’t already in place)
- Perform risk assessments (which must be kept up to date on an ongoing basis)
- Document all organizational policies and procedures
- Perform penetration testing and vulnerability assessments
- Train all staff on a regular basis
- Monitor assets and create audit trails
- Limit user privilege
- Securely destroy unnecessary data
This regulation also affects organizations outside of New York. New York is one of the largest financial hubs in the world, with many national and international banks licensed to operate in the city. Any non-US bank with a New York operation must comply with NYDFS 23 NYCRR 500. Non-compliance with this regulation can be costly – in May of 2021, the NYDFS imposed a total of $4.5 million in penalties on two companies found in violation. While New York is currently the only US state to have a specific privacy regulation for the financial services industry, at the rate data protection regulations are emerging, it likely won’t be for long.
Rising Cybersecurity Threats
While protecting financial data has never been easy, the real difficulty began amidst the pandemic when remote work started. According to the Cybersecurity Challenges in Financial Services – Market Survey Report from 2020, 45% of CISO/CIOs said they’d noticed more cybersecurity incidents since remote work started, and the issue has only gotten worse in the past two years. FS-ISAC, the Financial Services Information Sharing and Analysis Center, echoes this in its recent report, Navigating Cyber 2022, stating that “the rapid digitization of the financial services sector led to an increase in global cyber threats in 2021”. The report also outlines that one of the top threats to the financial industry in 2022 is third-party attackers.
Data Visibility Challenges
In addition to the rising cyber threats in the financial sector, firms are also facing data visibility challenges. In the 2020 Cybersecurity Challenges in Financial Services – Market Survey Report, half of the CISO/CIOs surveyed said that data visibility was a challenge, which the report called a “major concern”, with data visibility an integral part of regulatory compliance. Fast forward to the present, and much like the rise in cybersecurity threats, this challenge shows no signs of improvement and is, in fact, getting worse. In HelpSystems’ recent CISO Perspectives: Data Security Survey 2022, 63% of CISOs say data visibility is the biggest challenge facing organizations today. That is a 13% rise in data visibility challenges in just two years!
Cybersecurity Workforce Gaps
The cybersecurity sector is facing the same issue many other sectors currently face – a lack of personnel. The global workforce gap in cybersecurity, while better than it was in 2020 and 2021, still stands at about 2.72 million security professionals. Cybersecurity staffing issues could impact financial organizations, with downstream effects such as a struggle to maintain compliance requirements and a lack of staff to monitor, document, and report any cybersecurity issues that may arise. Many regulations, such as GDPR, require organizations to report data breaches within 72 hours of becoming aware of them. In the US, the SEC has proposed an amendment to require organizations to report data breaches within 4 days, which may be impossible if, due to a lack of monitoring, no one knows a breach even happened.
How Data Classification Can Relieve the Pressure
Between rapidly emerging data privacy regulations, rising cybersecurity threats, the increasing challenge of data visibility, and the workforce gap of cybersecurity professionals, the prospect of data protection within financial organizations may seem overwhelming. But there is a very simple way to protect all types of financial data against these issues, and that is to identify and classify your data with data identification and data classification solutions. Let’s look at how implementing these solutions mitigates each of the issues discussed above:
- Maintaining Compliance
Data classification allows you to organize data based on risk factors, so you know what needs to be protected and to what degree. It is essential that data be classified and organized, as this enables organizations to apply the proper DLP and DRM solutions, mitigating the risk of a data breach and thus saving organizations from heavy monetary fines and reputational damage. In addition, many regulations allow consumers to ask where their data is at any point and to request access to it or its deletion, so having data classified allows organizations to comply with those requests.
- Stopping Cybersecurity Threats
The best way to keep sensitive data secure and safe from threats is to focus on protecting the data itself by classifying it. This then enables downstream security solutions, such as DLP and DRM, to keep data protected wherever it travels and ensure it doesn’t leave the business if it shouldn’t. The preferred cybersecurity framework, Zero Trust, is heavily reliant on data classification in order to be effective.
- Increasing Data Visibility
You can’t protect data you don’t know you have! Data identification and classification solutions allow an organization to identify where all its sensitive data resides, and classify that data based on predetermined levels of sensitivity. Once data has been identified and classified, the proper action can be taken, which can include deleting it if it isn’t needed, labeling it, and deciding who has access to it.
- Closing the Workforce Gap
Many data classification solutions, such as Titus, use automation to classify, monitor, and report on what is being done with data. This eliminates the need for an employee to do all of this manually. Furthermore, if a data breach were to occur, automated monitoring and reporting would quickly detect it, and it could be addressed and reported within the timeframe allotted by regulations.
Protection and proper management of financial data requires that it be clearly identified so that every aspect of the security ecosystem, be it employee or software, can make deliberate decisions on how the information is to be handled and protected. Classifying data as a first step will enable the protection strategy and solutions you implement to be built around the types of data you have, and the levels of security they require. Thus, a data classification and identification solution is a must for all financial organizations.