In 2021, the European Cloud User Coalition (ECUC), consisting of some of the continent’s biggest banks, was formed to accelerate the adoption of off-premises technologies, mainly cloud computing, in financial services.
It is a recognition of a trend that has been ongoing for several years and has already had a profound impact on the industry.
Financial organisations are increasingly turning to the cloud to harness vast quantities of information to guide the development of differentiated financial products in a highly competitive market. The cloud has also given banks increased visibility for risk management assessments, which in turn allows them to adjust business decisions and combat fraud and money laundering.
Yet, with intensive data usage in the cloud come technical, legal and ethical challenges. Data security and privacy are now major concerns not just for company CIOs and data security specialists but for all C-level executives.
The landscape in which decisions about security are made and implemented is constantly shifting. So companies need to understand how data security is evolving to ensure that they don’t expose themselves and others, i.e., the data subjects, to heightened risks when they build analytics and data science programmes.
There are essentially three key types of trends that are impacting data security: macroeconomic trends, such as the response to the pandemic and the ongoing downturn; technology trends driving the storage of data in many locations, such as the cloud, on premises and edge devices; and regulatory pressures, which are placing stricter measures on organisations to protect data.
It is essential that CIOs keep on top of all three trends and communicate them to their C-level colleagues.
The pandemic had a huge impact on the process of digital transformation. Employees had in many instances little choice but to work remotely and this placed all kinds of pressure on data security. Employees were at the heart of some of the world’s most notorious data breaches, including the Equifax data breach that exposed the records of nearly 146 million Americans.
Customer habits shifted too. With their buying and indeed banking taking place predominantly online, financial service companies had to move quickly to accommodate this. But during this period privacy concerns were not always as high on the agenda as perhaps they should have been.
And now we are in the midst of an ongoing economic downturn, one which might also impact banks and financial organisations as they seek to contend with increasing interest and inflation rates, and a nervous customer base.
Ever-changing technology is also putting pressure on banks as they seek to maintain high levels of data security.
Legacy issues are a serious problem for some established financial service companies, especially in relation to online banking. Systems in place may not have been designed to cope with issues such as data deletion and fine-grained management. The shift from on-premises storage to cloud computing is another issue, as this requires new data management strategies to be implemented which can handle the complexity of having data stored in multiple locations and controlling data flows that usually involve a variety of stakeholders.
There is, alongside this, growing pressure in many organisations to adopt innovations such as distributed ledger technology (DLT) and artificial intelligence to improve data security. While both can help increase levels of data security, they aren’t without their issues. DLT, for example, is transparent, traceable, and immutable. Data stored in the ledger is viewable by all parties, which can be useful for financial institutions for a variety of use cases. But it also raises other challenges, such as compliance with storage limitation and deletion requirements.
Financial services organisations are also having to prepare for a surge in the amount of data that is likely to present itself in the coming years. IoT, voice banking and biometrics will all create data that enables banks to better know their customers, but there are also concerns about handling huge amounts of often unstructured data, alongside individual monitoring and surveillance.
Financial institutions already face the increasing burden of regulatory reporting and the need to comply with prudential regulatory regimes, standards and guidance which require granular data. On top of that, the global nature of cloud infrastructure adds to the need to meet regional data sovereignty requirements or international transfer restrictions found in frameworks such as GDPR, alongside a patchwork of new privacy laws such as the state laws that are emerging in the US in the aftermath of the adoption of the CCPA. Financial institutions need to consider the compliance and regulatory requirements of the jurisdiction in which their data is located as well as the jurisdictions where the data is transferred to or accessed from. As more users, data sources, and data consumption tools are added, the complexity of data access intensifies – further exposing the data to risk.
This has in turn put the spotlight on banks to ensure that the management of the data – from gaining the customers’ consent or establishing their legitimate interests, to using it in an appropriate way – is pivotal to their workflows and processes.
The shift in data management can feel overwhelming for already time-compromised tech leaders. Yet financial services organisations must take the initiative to build access controls and detection and audit capabilities into their data strategies.
Data needs to be adequately protected, with the right access provided at the right time, and controlled in a way that adheres to a growing number of regulations.
Fortunately, there are ways that data security can be automated, eliminating both a great deal of manual effort and the maintenance burden of managing access and privacy controls for different roles across the organisation. These new types of approaches help to unify and enforce policy across cloud platforms to ensure that the right people get access to the right data, that data usage is monitored in real time, and, more generally, that appropriate safeguards are in place so that compliance with laws and regulations can be demonstrated.
Once these horizontal and by-design approaches to compliance are set up, time to data accelerates.
Consistency, underpinned by technology, is key
Organisations that have a uniform approach to data management and access control are able to increase their security and compliance, while setting the foundation for extracting greater value from their data.
As for regulations, people often incorrectly assume that highly regulated companies are at a disadvantage. Yet, it could be argued that organisations that have to comply with an array of regulatory requirements are, in fact, often better prepared to use their data to achieve better business outcomes. They stress the importance of a data security, governance, and compliance-first strategy, which can lead to better data analytics, decision making, and operations support – thus contributing to overall success.
There is no denying that, due to many factors, data security is going to be a key issue for financial services companies in the coming years. Yet by adopting a consistent approach and harnessing technology, they can be more than ready to meet that challenge.
Sophie Stalla-Bourdillon is senior privacy counsel and legal engineer at Immuta