Protecting Sensitive Data in Financial Services: What can you do?
Image this scenario: You are a seasoned leader in Operations at a major financial services firm. You log on to work one morning and are faced with a ton of urgent e-mails that one of your staff had accidentally sent a client listing to the wrong third-party data supplier that you use. This is a major client confidentiality breach, requiring your Compliance and Legal teams to get involved to confirm that the people at the third-party data supplier removed the erroneously sent e-mail and have purged it off their systems.
You then write up an incident report, having assessed and made changes to your controls, validated with your IT and security teams that e-mail warnings and blockers, if they are present, were working, retrained your staff, and have now moved on to your other work activities. Yet are you 100% sure that the breach has been mitigated? Was that misdirected e-mail and file truly purged or does someone still have it?
Does this sound familiar to you and perhaps even worry you?
This is a real problem facing leaders today: sensitive digital assets are collected and collaborated with limited visibility, security, and control exposing businesses to the risk of regulatory fines, reputational damage, lawsuits, negative market reaction, and high incident costs.
Sensitive digital assets like client PII, trade, or material non-public information (MNPI) data types get exchanged between different user groups, and if not handled correctly, can expose businesses to the aforementioned risks. It is important to ensure that sensitive business information is available on a need-to-know basis.
While good policies, procedures, and internal systemic controls may exist, none are foolproof. Incidents keep happening, e.g., sensitive information is sent over e-mail to the wrong recipient, and it is almost impossible to recall or retract it. Regulators are fining firms in the multi-millions of dollars with non-compliance to data protection rules, such as GDPR, GLBA, CCPA, and others. In 2022, the top 3 fines across capital markets firms totaled $885MM, so the magnitude is significant.
A few notable incidents:
- High Net Worth Client Data Leak: A large financial services firm accidentally released files containing the data on 50,000 private wealth management clients.
- Client Confidentiality Breach: The regulator, ESMA (European Securities and Market Authority) fined a firm 408K Euro for the over-reporting of sensitive client data.
- Insider Trading Incident: An investment banker e-mailed insider information to a colleague at a competitor firm.
So, what are your colleagues saying? There was an industry survey conducted earlier this year with the following themes noted:
- 87% said that sensitive information sharing does at times happen ad-hoc and outside of applications and systems.
- 92% said that there is no mechanism to know access and entitlements to sensitive information within and outside of the firm.
- 94% said that there is no way to take action by recalling or revoking access to sensitive information once shared.
- 84% said that it is hard to prove compliance with internal and/or regulatory policies and procedures.
- 96% said that the incident response (business, compliance, and legal) is high-cost and causes disruption.
So what options are there to best protect your sensitive data?
Through my advisory and consulting work, I have gained an intimate look into Seclore’s product and capabilities in this space.
Seclore delivers a data-centric security solution built around three core pillars:
- Know – exactly what’s shared and where your data is via risk insights and trends, access patterns and usage analytics, and location awareness.
- Protect – every single data asset wherever it goes via policy management, dynamic watermarking, classification labeling, and AES256-bit encryption.
- Control – who has access and the ability to revoke it at any time via granular access control, real-time access revocation, and dynamic policy federation.
These capabilities support unstructured data control and data leakage prevention and reaction needs, such as e-mails, files, images, and others across varying systems and shared application types.
You may be asking yourself: So what? My firm has a CISO, and they take care of all our needs at my firm. It is their problem to figure out.
I’d challenge anyone on that point to say data protection is everyone’s accountability and responsibility to get right. Yes, CISOs support enterprise views, yet as users and practitioners, we are also in this mix. We define the ‘what’ and work with security and IT teams to deliver the ‘how.’ It is in everyone’s best interest to act and perform responsibly here.
Consider the following: There are over 1,000 installations of the Seclore data-centric security stack across both small-to-medium and large enterprises. Within the past year, Seclore has expanded its product focus into the financial services space. Here’s a recent example.
The client is a leading financial services company and has sensitive data protection needs for supporting its automobile loans business.
- Secure collaboration – client PII (credit score and history) when collaborating with internal teams and external credit agencies.
- Achieving personal data privacy regulatory compliance.
- Having a complex and heterogeneous application and device security to protect sensitive data.
The Seclore solution:
- E-mail and document security with advanced user behavior controls.
- Enforce granular controls and track user activities on files and e-mails.
- Secure collaboration with external parties.
- Geo-location-based access and usage controls.
- Compliance with data privacy regulations.
- 360-degree monitoring of sensitive data.
- Data segregation.
Seclore product controls and capabilities that were important to the client in this case study were:
- Granular usage controls including who, what, when, and where:
- Who can access the information; for example: employees, external users?
- What rights do those users have; for example: read only, ability to edit or download?
- When their access begins and ends; for example: set the access to expire after a set date?
- Where can they access digital assets from; for example: based on device or location?
- Track and revoke provide the ability to remain in constant control of the client’s sensitive digital assets, even when they have left the enterprise. Tracking includes reports on sensitive data and user actions performed. Alerts and notifications can be enabled.
- Every interaction with a Seclore classified and/or EDRM-protected asset is tracked. This helps to understand if the asset is being used for the purpose it was created. In the case of unauthorized attempts on the asset, real-time notifications help the file owner, or the admin take the next appropriate actions.
- Once an asset has been ‘Seclored’ security teams are able to change permissions and revoke access at any time. Even after it may have been accessed or downloaded and saved somewhere else external to the firm.
- Dynamic Policy Federation: No additional policy maintenance overhead is required with policy federation as the entitlement and access control defined in say SharePoint is enforced even after the documents are downloaded.
- Seclore sits adjacent to existing firm systems as an augmented control capability by adding ‘wrapper’ tech capabilities to perform the above controls and risk mitigants.
Seclore protects and controls sensitive data to proactively mitigate the risk of data leakage incidents. I encourage you to schedule a meeting with Seclore to learn more and to see the product in action.