Financial services firms are not doing enough to securely manage and store sensitive customer data records, and are in danger of falling behind legal requirements on how they handle and protect sensitive information.
More than half of financial services firms apparently do not have an accurate map of how customer and sensitive internal data is collected or transmitted, or where it is stored in their operation. Almost as many concede that they do not require third-party service providers to comply with their company’s privacy policies.
The damning statistics have come out of a global study by auditors PwC in 2008, during which it quizzed more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries. This included more than 650 financial services executives.
The survey has identified some common gaps in the way that businesses in the financial services sector manage their security regimes. Half the sector respondents gauged that their firm does not integrate its privacy strategy with its compliance plans, while virtually two-thirds suspect their information security and physical security departments do not report to the same executive.
“Financial services firms have been leaders in privacy and security, but their policies and capabilities are being outstripped by changes in technology and business practices,” said Sergio Pedro, managing director, PricewaterhouseCoopers. They should re-examine their security networks to help ensure compliance with privacy and data-protection regulations.
Some progress has been made over the last year, with PwC noting that “across industries, countries and regions, business models and company sizes, respondents report double-digit advances in implementing new security technologies across virtually every security domain, from prevention to detection.”
Respondents working in the financial services sector reported gains in the deployment of systems such as malicious code detection tools (around 84%, up from 67% in 2007), content filtering (up to 80% from 62% in the year-ago period), and wireless handheld device security (50% against 38% for 2007).
Although both business and security priorities vary widely, this year’s responses reveal that, in general, there are several clear and promising opportunities to safeguard sensitive information.
These are concentrated in five areas, PwC has concluded: improving privacy protections; getting better control over access; strengthening the security that enables sourcing, alliances and other collaborative networks; using people and process to take full advantage of data loss prevention (DLP) technologies; and taking a risk-based approach to compliance with regulations and standards ranging from Sarbanes-Oxley and the European Union Data Protection Directive to the global payment card industry’s (PCI) data security standards.