Financial data providers such as banks, robo-advisors, wealth managers, and credit reporting agencies are using increasing amounts of personal data in activities such as KYC and credit monitoring. In addition to traditional sets of financial data, these financial institutions now use a wide variety of ‘alternative data’ including their users’ spending habits, savings patterns, and social media activity to take important decisions.
Institutes such as Investment banks, PE funds, and asset managers use sensitive data for deal making. With a meteoric increase in data generation and consumption in financial services, the need for data security is now greater than ever before and the cost of ignorance is huge, as was exemplified by Equifax’s data breach in September 2017.
Equifax, one of the largest consumer credit reporting agencies in the US, has agreed to pay at least $1.4 billion to settle the multiple lawsuits brought on behalf of the customers due to the data breach in 2017 that compromised personal data of 148 million Americans. In 2019, more than 3,800 data breaches were reported within the first six months in the US with the Capital One hack being the largest contributor. 2019 is expected to be the worst year of data breaches ever.
The Growing Challenges
The use of sensitive data by financial services companies has increased significantly. They use this data to offer customized services and accurate decisions to their users. The use of cloud networks to store this data has also increased as they offer solutions for data security and the businesses can focus on their core operations. However, financial services companies still face challenges regarding data security.
Greater reliance on public cloud for M&A data is increasing security concerns
Investment banks store large volumes of sensitive deal data and most middle-market banks store this data with cloud-based storage services. These banks rely on the data security mechanisms of the cloud service provider even though the onus of securing the data ultimately remains with them. Of late, there have been many incidences where this dependency has come back to hurt subscribers of such cloud-based storage services. For example, in January 2019, the popular cloud sharing platform MEGA suffered a data breach where over 772 million emails and over 22 million unique passwords were leaked online.
Increasing need to make online deal making platforms more secure
Although, most M&A deals today are negotiated through investment banks, there is a growing trend of buyers and sellers completing deals over online platforms such as Axial Networks, without a traditional intermediary. The volume of sensitive financial data stored on the cloud is set to increase tremendously as this trend grows. It will be critical for sellers to thoroughly review the data security mechanisms of online platforms and cloud storage vendors before trusting them with their data.
Platform-based deal making is a lot more common in the early-stage financing space than in the M&A space. Crowdfunding platforms and other types of online financing platforms store sensitive data of several companies and investors. However, their data security processes can also be vulnerable, as exemplified by Kickstarter’s data breach in 2014 that affected over 5 million accounts.
Online Financial Services companies are being targeted for personal data
The emergence of robo-advisors, online payment platforms, alternative lenders, challenger banks, and online insurers has catapulted the digital consumption of financial services and the cloud-based storage of financial data. As the consumption of financial services becomes increasingly digital, these platforms have become susceptible to cybercrime.
Recently, the New Payments Platform (NPP), an industry-wide payments platform for Australia, suffered a data breach where several PayID records and associated data in the Addressing Service. The hack originated from one of the NPP banks that were secured by payments provider Cuscal Limited. Personal data including mobile numbers, email address, customer name, and account numbers may have been exposed. Also, companies need to take additional security measures in addition to using a secured cloud platform. The Capital One data breach that affected over 106 million accounts and used Amazon’s web servers for data hosting, has raised questions on the security standards of these platforms.
Taking Steps To Enhance Data Security In Financial Services
Financial services companies need to continuously invest in data security solutions. In addition to the expenses for remediation, data breaches pose legal and reputational risks as well. Governments in most major countries have elaborate data security rules and guidelines for companies to follow. However, companies can also adopt the following ‘smart practices’ to avoid internal data breaches as well as decrease the damage from external cyberattacks:
Incorporating a cyber review in an M&A due diligence
Incorporating a cyber review in M&A and financing due diligence of the target company has become vital as data breaches have become more frequent and serious. Insights about the data security standards of the selling company will help in the risk assessment of the company. A deviation by the company from its mentioned standards is a major red flag. In the case of acquisitions, where companies from different industries are involved, a review of the past data breaches of the selling company is necessary. The reason for breach and steps taken to avoid further breaches should also be reviewed in such cases.
Choosing the right cloud network for sensitive data
Most small and mid-sized financial services companies store their data in a public or a shared server due to its cost-effectiveness. However, given the sensitive nature of their data, they should move to a private cloud even though it will cost slightly more. A private cloud offers better data control and robust firewall resources.
Giving data security the same importance as core business activities
Many financial services companies hesitate in implementing data security practices at work as these practices can slow down the workflow and hamper business efficiency. Implementing these security measures may also add to the costs of the company but the benefits of building a data-secure organization far outweigh its costs.
Building a data secure culture at work
In most of the financial services companies, employees need to be trained on data security practices as there is a frequent flow of large quantum of data between different departments. Companies can engage in organizing cybersecurity workshops for their employees to spread awareness and foster a security-oriented culture at work.
The Need To Give A Strategic Approach To Data Security
Online companies can serve their customers better than the traditional ones as they are able to analyze and use data more effectively. Data has become the new oil as more and more companies, especially in the finance sector, use data to provide customized services. The battle between cybercriminals and cybersecurity experts is unending as cybercriminals constantly find new ways to breach cyber defenses and cybersecurity experts try to strengthen their defenses against new attacks. Financial services companies can give themselves the best chance of protecting sensitive client data by ensuring that they regularly update their cybersecurity defenses and adopt a strategic approach towards data security. They must accord data security the same strategic importance as product development, marketing, etc.
References:
- Equifax Reaches $1.4 Billion Data Breach Settlement: https://www.databreaches.net/equifax-reaches-1-4-billion-data-breach-settlement-in-consumer-class-action-also-agrees-to-pay-575-million-as-part-of-settlement-with-ftc-cfpb-and-states-related-to-2017-data-breach/
- Equifax Data Breach: https://epic.org/privacy/data-breach/equifax/
- 2019 on track to be worst year ever for data breaches: https://www.usatoday.com/story/money/2019/08/18/2019-on-track-to-become-worst-year-ever-for-data-breaches/39963021/
- In 2019’s first big data breach, over 772 mn email addresses leaked: https://www.business-standard.com/article/current-affairs/in-2019-s-first-big-data-breach-over-772-mn-email-addresses-leaked-119011700324_1.html
- Info From 15 Million Breached Kickstarter and Bitly Accounts Is Now Publicly Available: https://lifehacker.com/15-million-hacked-kickstarter-and-bitly-passwords-are-n-1819216049
- PayID Hack Prompts Warning From Banks Down Under: https://www.pymnts.com/news/security-and-risk/2019/payid-data-breach-aussie-banks-warn-consumers/
- The Capital One hack couldn’t have come at a worse time for Amazon’s most profitable business: https://www.washingtonpost.com/technology/2019/08/01/capital-one-hack-couldnt-have-come-worse-time-amazons-most-profitable-business/
Disclaimer:
This publication contains general information only and is based on the experiences and research of Anplify professionals. Anplify is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Investments are subject to risk, including the loss of principal. Because investment return and principal value fluctuate, shares may be worth more or less than their original value. Some investments are not suitable for all investors, and there is no guarantee that any investing goal will be met. Past performance is no guarantee of future results. Talk to your financial advisor before making any investing decisions.