
“Financial services institutions need to satisfy multiple constituents—shareholders require cost controls and profitability, regulators require disclosure and transparency, and customers are looking for reduced risk, new products and services, and best-in-class user experience.”
-Fran Howarth, Senior Analyst – Security, Bloor Research
Excerpt from White Paper by Fran Howarth, Senior Analyst – Security, Bloor Research
Publish date: December 2009
Navigating the global financial crisis, which has seen financial institutions fail and led to increased consolidation, is not the only challenge faced by the finance sector. Other main pressures on financial institutions include the need to meet regulatory demands, manage risks and contain costs, whilst at the same time meeting customer demand for products and services provided through multiple communications channels. They need to satisfy multiple constituents: shareholders require cost controls and profitability, regulators require disclosure and transparency, and customers are looking for reduced risk, new products and services, and best-in-class user experience.
Many of these challenges hinge on the need to improve data and information security. Data security is a key risk for financial institutions because they collect, process and store enormous amounts of personal information about their customers, much of which is highly sensitive. As well as the usual information required for customer records, such as name and address, financial institutions keep transaction records, employment details, and records of income and debt. In the life insurance sector of the industry, institutions will require such sensitive information as medical records.
By taking a proactive stance on security, rather than reacting to events such as security breaches as they occur, financial institutions will be better positioned to control costs, and improve the efficiency and effectiveness of their operations. By showing that they have the controls in place to manage and keep data secure, financial institutions will benefit from improved customer retention and acquisition rates, will be better protected from threats originating from both within and outside of the organization, and will be better able to comply with regulations that demand higher standards of data security.
Sector consolidation
The financial crisis of 2008-2009 has led to poor performance among many financial institutions, including failures ranging from large financial conglomerates such as the Royal Bank of Scotland, to small regional players such as Northern Rock, and diversified banks such as Fortis. Not only have governments been forced to step in to shore up a range of institutions, but there has also been a rash of mergers, acquisitions and divestments. An example of this is the Netherlands, where the banking sector has consolidated from five major banks to just three in the past year. ABN AMRO is merging with Fortis Bank, including the businesses bought from the Royal Bank of Scotland, and ING and the Postbank merged operations in 2009. The remaining large bank, Rabobank, is the exception, although it has announced plans to work in greater collaboration with its subsidiaries in the insurance sector for greater customer reach and economies of scale.
Impact on IT
Mergers and acquisitions can throw up many challenges for an organization, including those of combining the IT functions of the companies involved. A survey conducted by Bloor Research, sponsored by Informatica, indicated that just 21% of respondents felt that consolidation of IT systems is given appropriate weight in merger and acquisition decisions. As a result, more than 50% of respondents cited poor documentation of systems, a lack of metadata, diverse and uncontrolled data sources, and poor data quality as significant problems, and 54% cited poor integration of the planning process in particular as being a challenge.
As a result of factors such as these, it can be a great challenge to link the IT systems together efficiently or, in the case of a divestment, to separate the customer data of the two organizations.
Such challenges can lead to security issues that can increase risks to organizations if the linkages between the two organizations are not properly controlled, adequate access controls are not put in place, or data security issues are not properly dealt with. However, this is not just a technological exercise. Rather, due diligence requires that organizations should start with an inventory of all assets, combined with information security and regulatory compliance concerns such as security of personal data, archiving technologies and procedures, disaster recovery systems, and authentication of user access and privileges. Only when the organization has defined the business requirements of the combined architecture to be implemented can it be sure that the technology controls put in place meet its business needs.
Download the full report to access a checklist for organizations undergoing mergers or acquisitions, and for additional information from McAfee and Bloor Research on securing the financial sector, including:
For the immediate future, financial firms should work to ensure that adequate controls are in place for securing the data they hold within their organizations, as well as helping their customers to protect themselves and their financial details online. These efforts, however, should not be made in isolation. With regulatory pressures expected to increase, any decisions made on security investments should be made with a view to creating a joined-up, risk-aware culture throughout the organization. With repeatable, auditable processes in place for ensuring all parts of the network are monitored and security risks controlled, it will be far easier to maintain security and to extend controls to cater to new regulatory demands that are put in place or new classes of threat as they emerge.
This is an excerpt from a December 2009 Bloor Research report. All rights reserved.
Download the full report: Security Challenges in Financial Services.