
There are three key areas that drive financial institutions to develop and implement data security solutions: customers, regulatory compliance, and internal business requirements.
Customer pressure for increased security of private information has grown significantly in light of the rising frequency and severity of publicized data leaks. Over the past year, there have been a number of high-profile leaks, many of which have occurred at leading financial institutions. In many cases, this has had a profound effect on customer retention and acquisition, as the proliferation of technology and online customer care has made it easier for customers to switch from one institution to another. The average information leak costs organizations approximately $182 per record (according to the Ponemon Institute), averaging roughly $4,800,000 per breach. That number doesn’t take into account the longer-term effects of a breach on an organization that come from other cost factors, including litigation or the loss of customer and investor confidence.
Customer data security is, among many surveyed consumers, a key expectation of financial service providers. Today’s financial providers that take a proactive approach to securing information are quickly recognizing that significant benefits accrue to both customers and the business: reduced risk to the brand and company reputation and, ultimately, a competitive advantage.
Regulatory compliance is another consideration for financial institutions. Banks and credit-bearing institutions are subject to both state and common criteria to protect the confidentiality of their customers. One of the biggest challenges in adhering to regulations is that there are so many. Compliance officers question which requirements to pursue and the best approach to move forward. Ironically, many have said that had they implemented every facet of every regulatory requirement, their business would cease to operate. Finally, the cost and time to implement an effective compliance framework is high for most financial institutions and requires a solution that can provide both an immediate return on investment and the requisite reporting to audit business processes and ensure that policies are being enforced.
Internal business pressures are increasingly driving financial institutions to secure confidential information, as more communications technologies are deployed to facilitate larger volumes or more secure transmissions of confidential information. Brokerages, banks, payment processors, and others all engage in countless transactions through email, instant messaging, and custom communication protocols. Protecting these transactions requires a delicate balance: securing the content without disrupting operations. The growth and geographical expansion of offices in today’s global enterprise have created a borderless enterprise through which employees, customers, and partners communicate effectively and efficiently in real time. These communications are an essential business function, but they must be properly secured.
Indirect Risks Escalating
Cost implications from indirect data leaks are unique to financial institutions and are an area of increased concern. Although the origin of a data leak may not be with the institution, the cost burden associated with it often falls to them. This is most noticeable for credit-bearing institutions whose customers transact in large volumes with retailers. Although the transaction originates and terminates at the retailer, such as a department store or grocery store, the consumer transaction triggers a secondary and often tertiary set of transactions between corresponding business partners. If the retailer experiences a leak of confidential information such as credit card data, the creditor must terminate the consumer’s account, refund any lost monies, create a new account, transfer the customer’s information, and contact the customer and reissue credit cards. The cost of this process is enormous, and though legal battles have ensued between retailers and financial institutions to remediate these hard costs, settlements and legal fees provide little restitution in the end and do nothing to re-establish the customer’s trust – the soft costs.
The best example of this “indirect risk” is the TJX data breach earlier this year. Having lost millions of customer credit card account numbers, TJX set aside more than $100 million to cover costs associated with the remediation of the breach. In the end, however, the reissuing of customer cards, the processing of fraud claims, and the loss of customer confidence are estimated to have an exponentially greater impact on the financial institutions whose cardholders were victimized. As expected, a number of lawsuits have ensued to provide remedy to the creditors; however, as stated previously, this comes both at a price and with a diminished return.
Lawmakers Eying Data Loss
To tackle the problem of indirect risk, several states in the United States – most notably California – have proposed legislation stating that, should a company suffer a leak of confidential customer information and be unable to provide evidence that at the time of the leak it was in compliance with all applicable requirements, any business partner that suffers a direct cost associated with the leak is legally entitled to be reimbursed by the “leakee.” On the surface, statutes like this promote the equitable distribution of costs associated with a data leak. However, two important ancillary results are also likely:
First, as stated previously, it is very difficult for any one financial organization to provide sufficient evidence that it is in compliance, and to comply, with all associated regulations. Additional investment in policy creation and auditing will likely follow, to mitigate the risk of a lawsuit after a breach; however, because an audit is unlikely to conclude at or near the exact time a breach occurs, especially an audit covering multiple applicable regulations, it will be nearly impossible to prove that the firm was in compliance at the time of the breach.
Second, statutes like this open the floodgates for legal departments to demonstrate their effectiveness and overall value to the company, both by defending and by prosecuting companies that have had a leak, but obviously at a significant cost to both the defending and the prosecuting organizations. What happens when a national or local bank decides the risk of a leak is too great to warrant working with a national or local retailer? Will insurance companies continue to back “at risk” enterprises, especially following a leak? What will happen to the business relationship should a financial institution sue a retailer? At present, there’s a fair amount of comfort in the fact that the problem of data leaks is so new and the solution so apparently obtuse that organizations can fall back on the old adage, “plausible deniability – what we don’t know won’t hurt us.” However, statutes such as this legitimize the problem and provide only a path to remedy, not a path to a solution.
Financial Institutions Mitigate Risk
To address these challenges, many organizations are turning to their solution providers to help them implement an information leak prevention (ILP) solution, designed to discover, monitor, and protect Who and What go Where and How. It may sound like a funny catch phrase, but as an executive, when asked, “do you know who in your organization is sending what information where?”, your answer will logically lead you to start thinking more seriously about its consequences.
What employees do in our organizations, accidentally or maliciously, is often managed only by what they tell their managers. In today’s electronic world, the question of who is in control of what information, where they are sending it, and how (given that different modes of communication carry different security risks) poses an almost philosophical dilemma for senior management. The answer, fortunately, is simpler than one might expect: information leak prevention.
Unlike traditional threat-based protection solutions that restrict access to resources or control applications or communication channels, leak prevention solutions are designed to understand and enable policies for the information, users, destinations and vectors. This allows the organization to focus on protecting its sensitive information from unintentional or malicious leaks.
ILP solutions discover data throughout the network – on servers and endpoints – to provide organizations with the intelligence necessary to effectively design and implement content enforcement policies. They also monitor data at rest, ensuring it is located only where it is assigned; data in use, to avoid misuse; and data in transit, as users exchange it with external or internal parties.
Internal protection of information should be evaluated carefully, because many external leaks are precipitated by internal leaks: unauthorized users are able to access and use information that they don’t realize is confidential, or that they don’t know how to secure when sending it inside or outside the company. That’s why best-of-breed ILP solutions provide complete coverage of business communications, both external and internal. With an ILP solution, an organization can monitor email, printers, HTTP/S, instant messaging, and a variety of other commonly used protocols to discover where information is transmitted, by whom, and how, and audit business processes to increase efficiency, redefine policies and workflows, and reduce the risk of a leak.
ILP solutions provide coverage for today’s regulatory and corporate governance requirements. They employ a policy-based framework that protects data regardless of its form or how it has been manipulated, with a high degree of accuracy and with pre-defined, automated enforcement capabilities. With this, financial organizations can leverage policy controls to block, encrypt, quarantine, notify, and/or remediate an infraction. This flexibility allows administrators to create more efficient information workflows that map to internal business processes, securing information while enabling both auditing and enforcement of regulatory requirements in real time.
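The monitoring and policy-enforcement model described in the last few paragraphs (inspect content on a channel, identify confidential data such as card numbers, then block, encrypt, quarantine or notify depending on where it is going) can be made concrete with a small example. The following is an added illustration written for this article, not code from any ILP vendor or product: the channel names, the policy table, the internal domain and the sample messages are all constructed for the example, and the only detector implemented is a card-number (PAN) check backed by the Luhn checksum.

```python
"""
Toy ILP policy check: find card numbers in a message, then pick the
enforcement action from a (channel, internal-or-external) policy table.
Added illustration; all names and sample data are constructed.
"""
import re
from dataclasses import dataclass

# Candidate primary account numbers: 13-19 digits, optionally separated by
# spaces or dashes. This alone also matches phone or account numbers, so
# every candidate is confirmed with the Luhn check below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like PANs and pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so logs and alerts do not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class Message:
    channel: str            # constructed channel names: "email", "im", "http"
    sender: str
    recipient_domain: str
    body: str


INTERNAL_DOMAINS = {"bank.example"}   # constructed: the firm's own domain

# Policy table, applied only when a PAN is present in the message.
# (channel, recipient is internal) -> action
POLICY = {
    ("email", True): "encrypt",     # internal mail may carry PANs if encrypted
    ("email", False): "quarantine", # hold external mail for review
    ("im", True): "notify",         # warn the sender, let the message pass
    ("im", False): "block",
    ("http", True): "notify",
    ("http", False): "block",       # e.g. pasting a PAN into an external web form
}


def evaluate(msg: Message) -> dict:
    """Classify one message and return the action plus a masked audit record."""
    pans = find_pans(msg.body)
    if not pans:
        return {"action": "allow", "pans": 0, "masked": []}
    internal = msg.recipient_domain in INTERNAL_DOMAINS
    # Unknown channels default to block: fail closed rather than open.
    action = POLICY.get((msg.channel, internal), "block")
    return {"action": action, "pans": len(pans), "masked": [mask(p) for p in pans]}


if __name__ == "__main__":
    # Constructed sample traffic; 4111 1111 1111 1111 is a well-known test PAN.
    samples = [
        Message("email", "alice@bank.example", "bank.example",
                "Card 4111 1111 1111 1111 needs reissue after the retailer breach"),
        Message("im", "bob@bank.example", "chat.example",
                "customer pan is 4242-4242-4242-4242"),
        Message("http", "carol@bank.example", "partner.example",
                "ticket 1234-5678-9012-3456 is not a card number"),
    ]
    for s in samples:
        print(s.channel, "->", s.recipient_domain, evaluate(s))
```

The audit record deliberately carries only masked numbers; an ILP system that logged the full PAN would itself be a new place the data rests. The policy table is the part a real deployment would tune to its own processes, for example routing external email to an encryption gateway rather than quarantining it.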
When deploying an ILP solution, it’s important to consider the requirements of the specific organization, taking into account variables such as the type of information being protected and the communication technologies in use. Information leakage is a problem that affects the entire organization, not just IT. Fundamentally, the problem of leakage is a business problem, and the solution is a mixture of technology (ILP), education, and process.
Financial institutions bear a great responsibility both to their customers and to their stockholders. Protecting their information assets is the equivalent of protecting the firm’s competitive advantage, and maintaining a sustainable competitive advantage is essential to long-term success. For financial institutions, data security isn’t merely about risk mitigation; it’s about business strategy, continuity, and integrity, and it is likely to have a great impact both on the firms that weave it into the fabric of their operations and on those that do not.