A common misconception is that IT teams can manually compile a list of sensitive data.
In 2018, Mastercard, in an interview with The New York Times, revealed that it encountered more than 460,000 data breach attempts in a day, up 70 percent from 2017. The company also reported that it tracked almost 267,300 incoming attacks in 24 hours.
The Boston Consulting Group, in its 2019 study, reported that “Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack—and dealing with those attacks and their aftermath carries a higher cost for banks and wealth managers than for any other sector.”
The very foundation of the financial sector is the trust and credibility it earns from its customers. A comprehensive data security solution built on an expertly architected data discovery solution is critical if the sector is to retain its customers' loyalty.
Role of Sensitive Data in BFSI
Financial organizations handle a variety of customer sensitive data, such as:
- customer PII such as name, address, social security number, etc.
- family members' PII
- credit score, and many more.
Banks generate a lot of value using data:
- To enhance customer engagement: Banks are being digitally driven in recent years. Banks analyze customers’ purchase patterns and shopping habits to create custom products that are tailor-made to suit their needs. When a customer purchases a car or a bike, banks may send promotional offers of insurance to cover that vehicle. In an extremely competitive landscape, this helps banks enhance customer retention and widen their customer base. Such real-time services from banks increase customer engagement.
- To predict defaulters and fraudsters: Data-driven banks can analyze customers’ past spending patterns and behavior to predict future outcomes. This helps banks detect money laundering and fraud. In the case of money laundering, money launderers often try to exhibit the legality of their income source. With the help of data, banks can now study such suspicious patterns and save themselves from huge financial losses and frauds.
- To offer loans: Banks collect personal data such as income, credit score, debts, loans, etc. to measure risk levels before deciding to offer loans to customers. They use structured, semi-structured, and unstructured data to generate insights. Structured data like customer feedback can be analyzed along with unstructured data like comments on social media platforms to create customer profiles. This alerts banks to the risk of non-payment of loans.
- To predict future trends: Banks also collect aggregated data from a large number of customers to analyze patterns. These patterns provide insights into future economic trends, spending patterns of a particular stratum of customers, etc.
The sector manages the flow of the above-mentioned data across the globe for each of its customers. It relies on data, most of it sensitive in nature, for its day-to-day operations and treats data as its most important commodity. The finance sector transmits and stores vast amounts of sensitive customer data, which makes it one of the most obvious targets of hackers and data thieves.
Why is Data Discovery important in Financial Institutions?
Despite being frequent victims of data-centric threats, the finance sector often underestimates the cost of potential data threats. This is also why the sector doesn’t often consider implementing effective, high-quality automated data security solutions with a well-equipped data discovery feature.
Insider cybersecurity threats have been on a steady increase over the last few years. Such attacks are the result of human error, employee and third-party negligence, or employees who intentionally abuse their access to sensitive data. While perimeter security is necessary, it loses its purpose when your enterprise’s biggest threats originate from within.
- Data Discovery is the foundation for a comprehensive data-centric approach to security. An effective Data Discovery Solution enables your enterprise to discover sensitive data from anywhere across your data landscape and lets you identify which database contains the largest volume of sensitive data.
A comprehensive Data Discovery Solution backed by a carefully architected AI-centric model also studies access patterns and alerts you should a deviation occur.
This exercise lets financial institutions proactively identify insider data threats and stop them from turning into full-blown data breaches.
- A best-of-breed Data Discovery Solution can help manage and accelerate your financial enterprise’s compliance with data privacy regulations. The size of your enterprise does not determine whether such regulations apply to you; what matters is that you handle or process your customers’ sensitive data.
The ever-evolving data privacy regulations like GDPR, CCPA, etc. require that your financial enterprise be aware of the volume, location, and degree of sensitivity of your sensitive data. The regulations also demand that you know who has access to which sensitive database, how the access affects the data and more.
Without a data discovery solution pointing out the whereabouts of your sensitive data and how much of it resides in each database, you may not be able to comply with mandatory privacy regulations.
- In the event of a breach, an effective Data Discovery solution equipped with an expert data Classification Solution would be able to point out if the compromised database contained sensitive information. Wouldn’t you be glad to find out that the compromised data was not sensitive enough to cause a disastrous effect on your enterprise?
How can BFSI comply with GDPR to secure its data?
The average cost associated with breaches in financial institutions has been on an increase in the last few years. Detecting a breach and responding to it can be financially draining for banks and hence a comprehensive data compliance framework is essential for such institutions.
Regulations such as the GDPR (General Data Protection Regulation) govern financial institutions to ensure the secure collection, storage, and processing of sensitive customer data. In the event of a security breach, non-compliance with GDPR can result in fines of up to EUR 20 million or 4% of annual global revenue, whichever is higher.
Below are a few key clauses under GDPR that Kogni can help your financial firm comply with:
- Right to know what data/information is being collected and processed online: Under this clause, customers are given the right to access their personal data. They can request and receive a copy of their personal information collected by a firm. They can also receive certain information about how the firm processes their information.
Kogni can help organizations comply with this clause. Anytime a consumer requests to access their data, organizations leveraging Kogni’s powerful data discovery feature can pull up the data instantly from all available data sources.
- Right to opt out of businesses selling/reselling customers’ personal data: This clause allows customers to opt out of their data being processed for marketing purposes. They can opt out of their information being sold to third parties that support marketing activities.
You can access all the data belonging to a particular customer with a few clicks when using Kogni’s efficient data discovery feature. The requested data gets pulled up in an instant on your screen which helps you process your customer’s request. You can accordingly inform the third-party organization to stop processing your customer’s data.
- Right to Data portability: This clause dictates that a customer can request a structured and machine-readable copy of their personal data. They can also opt to transfer the data to another organization.
Kogni simplifies data portability for organizations. Financial entities looking to process their customer’s request to transfer their data can use Kogni to instantly gather all the personal information belonging to the customer. The entity can then send the customer a copy of the data or enable its transfer to another organization.
- Right to Deletion/Erasure: A customer can request the erasure of their personal data under this clause. Businesses must also inform other businesses (third-party data controllers) that process such data to ensure complete deletion of the information.
When a customer initiates their right to deletion, financial institutions can use Kogni’s effective data discovery solution to instantly collect their data from all available sources and comply with this clause well ahead of the stipulated duration.
- Right of rectification: This clause allows customers the right to correct incorrect personal data. They also possess the right to complete incomplete personal data.
When a customer places a request to rectify their personal information, financial institutions leveraging Kogni’s data discovery capabilities can instantly pinpoint the data to allow its correction. Kogni thoroughly scans your data landscape to pinpoint the data to enable compliance with this clause.
Apart from the aforementioned key clauses, Kogni’s data discovery solution enables your compliance with many other clauses under GDPR.
Data Discovery Challenges in PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that applies to financial institutions too. A major setback that banks and other financial institutions suffer while complying with PCI DSS is inefficient card data discovery.
Your payment card information could be at considerable risk when you make a payment through your mobile, over the internet, or at an e-cash payment counter. When you pay for a purchase by swiping your card, the card information passes through multiple systems to transfer the payment to the retailer. There is a significant chance that the unencrypted information on your card gets exposed as it moves through the multiple phases of the money transfer process: storage, processing, and transmission.
The identification of this unencrypted data is an important clause under requirement 3.1 of the PCI DSS standard. It is imperative that the financial sector adopt the right solution to discover data such as card details that may reside in undisclosed locations within the data landscape. Kogni, a powerful data discovery and security solution, can help financial institutions pull up sensitive data from anywhere across their data landscape.
Also, per requirement 3.1 of the PCI DSS standard, organizations must, on a quarterly basis, discover and securely erase cardholder data that exceeds defined retention parameters. To achieve this, they must ensure the following:
- Organization-wide data scanning and discovery: An organization’s data landscape may contain many undisclosed data storage pockets. An effective data discovery solution, such as Kogni, carries enterprise-wide data scanning capability and leaves no storage area unscanned. It collects sensitive information (cardholder data, in this scenario) from all available data sources and not just the ones that contain information related to payment cards.
- Data discovery across data formats and sources: A comprehensive Data Discovery Solution must have a 360-degree data identification range. This enables the solution to identify sensitive data from anywhere, any data source, format or type across your data landscape.
Kogni’s Sensitive Data Discovery Software explores different repositories including cloud, on-premise, and third-party controlled storage centers, for unknown, sensitive and critical information.
Its predefined data sources include Amazon S3 buckets, Amazon Redshift, Oracle, Sybase, SQL Server, Informix, PostgreSQL, Office 365, MySQL, MongoDB, Google Drive, and many more.
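As an added example (not Kogni’s code or the page’s own), the following shows the core of a cardholder-data discovery pass of the kind requirement 3.1 calls for: candidate digit runs pulled from records are Luhn-checked to cut false positives such as order ids, masked for reporting, and flagged when the record is older than an assumed 90-day retention limit. The records, dates and retention period are constructed sample values.

```python
import re
from datetime import date

# Constructed sample records standing in for rows pulled from several
# data sources (a CRM export, a ticket system, an application log).
SAMPLE_RECORDS = [
    {"source": "crm_export", "stored": "2019-01-05",
     "text": "Cardholder called about 4111 1111 1111 1111 declined"},
    {"source": "support_tickets", "stored": "2019-06-20",
     "text": "Ref 1234567890123456 is an order id, not a card"},
    {"source": "app_logs", "stored": "2019-06-28",
     "text": "payment ok pan=5500-0000-0000-0004 amount=42.00"},
]

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most non-card digit runs (ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def discover_cardholder_data(records, as_of: str, retention_days: int = 90):
    """Return one finding per Luhn-valid PAN, flagging those past retention."""
    as_of_date = date.fromisoformat(as_of)
    findings = []
    for rec in records:
        for m in PAN_CANDIDATE.finditer(rec["text"]):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue               # looks like a card number but is not one
            age = (as_of_date - date.fromisoformat(rec["stored"])).days
            findings.append({"source": rec["source"],
                             "masked_pan": mask_pan(digits),
                             "age_days": age,
                             "exceeds_retention": age > retention_days})
    return findings
```

Findings flagged with `exceeds_retention` are the ones a quarterly review would queue for secure erasure; the masked PAN keeps the report itself out of PCI scope.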
Implications of a financial breach
Resulting from human error, a data breach in Scottrade Bank’s publicly accessible servers exposed the sensitive information of over 20,000 of its customers. This 2017 data breach is a reminder that not all data breaches are a result of unauthorized access by outsiders. A good portion of data attacks are also caused by insider threats.
An effective Data Discovery solution is necessary for financial institutions to combat data-centric threats for the following reasons:
- Equifax, in 2017, disclosed a data breach that exposed the personal information of over 140 million customers. It paid $425 million in the form of penalties and remediation funds.
According to a 2019 study by the Ponemon Institute and IBM, a financial institution has to spend an average of $1.8 million after an attack targeting its online banking services.
When a bank falls victim to a data threat, it has to bear the huge cost of lost business. Among others, it also has to pay for investigation, thorough audits, marketing, increased customer-service, public relations, etc. It also has to handle the legal and administrative costs as well as pay up huge penalties due to regulatory non-compliance.
- A recent study by Accenture reveals that financial institutions are more worried about guarding themselves against data breaches than making use of the data to drive innovation in the sector. An increase in data attacks in the financial sector has managed to discourage innovation.
- One of the biggest unquantifiable costs that a financial establishment pays after a major breach is the loss of brand value. Reputational damage caused by a breach can be hard to recover from. Enterprises take years to build a reputation for their brand and earn customers’ trust and loyalty. A breach breaks it all in an instant, and enterprises are left building it back from the ground up.
A 2019 study by the Ponemon Institute and IBM reported that the rate of customer churn, or loss of existing customers, after an incident is the greatest in the financial sector compared to other sectors. One out of every 5 financial establishments surveyed in the study revealed that reputational damage was their top concern in the event of a cyberattack.
- When HSBC suffered an attack in 2017, its customers were unable to access the firm’s online banking service twice in the same month.
Delays in delivering services to customers are also a common implication of a data breach. Customers often find themselves unable to access their bank’s online portals or are delayed a service while their bank is trying to remediate a breach.
- Customers often lose time and money due to a data breach. They are forced to cancel their credit/debit cards, repeatedly check bank account statements for discrepancies, and watch out for further complications. Their personal information landing in the wrong hands could open a gateway to a host of information that could be used against them by the hacker.
How do data thieves make use of the stolen financial data?
Hackers monetize stolen financial data in several ways. Below are a few:
- Hackers can use your banking-related information, billing information, insurance activities, etc. to steal your identity and commit identity fraud. They may submit fake tax returns and take out loans using your identity and bank account information. Extortion and blackmail are also common post-breach activities.
- Fraudulent purchases using stolen card details are another way hackers misuse your financial data.
Stolen credit card numbers and details are often sold in bundles. A ‘broker’ buys this information in tens or hundreds and sells it to a ‘carder’. The carder then buys items on various online sites. These items are then resold on legitimate online channels or on the dark web.
An effective data discovery solution lays the foundation for a comprehensive data security framework. Adopting such a solution can keep your organization from falling prey to hackers and data thieves who mishandle your customers’ private data and put your firm in trouble.
Kogni’s uncomplicated and cost-effective Data Discovery solution is easy to implement and is a comprehensive approach to your Data Security strategy. With Kogni, you can significantly reduce the time you spend on discovering your sensitive data. Leave it to Kogni to efficiently automate your Data Discovery, Classification, Security, and Compliance!