Why Data Loss Prevention Matters in Financial Services

By Sanjay Bhakta, VP & Head of Solutions

The 2024 World Economic Forum summit provides a snapshot of the issues shaping the agenda of international leaders from business, politics, academia, and media. One topic was driving this year’s agenda: cybersecurity. The disruption to economies and governments alike dominated many discussions and content shared online. The conversation was timely in light of recent Securities and Exchange Commission (SEC) rules that require publicly traded firms to share information about their cybersecurity governance and report cybersecurity breaches quickly.

Days after the event concluded, a massive data breach, reportedly the largest ever discovered, reminded the world why cybersecurity and fraud are becoming a bigger threat to the essential fabric of the digital world day by day.

Let’s take a closer look at how recent current events have cast a spotlight specifically on data loss prevention in financial services.

45 Billion Attempted Hacks a Day

Financial services companies are especially vulnerable to cybersecurity breaches and fraud due to the sensitive customer data they handle. In a Davos discussion, “Are Banks Ready for the Future?”, the importance of data loss prevention took center stage. Mary Callahan Erdoes, chief executive officer of J.P. Morgan Asset & Wealth Management, said that JPMorgan Chase fights 45 billion hacking attempts a day. The statement made headlines everywhere.

“We have 45 billion cracks into our system that don’t make it through -- 45 billion times a day,” she said. “The worst part about that number? It is 2x what it was last year.”

She said that the company invests $15 billion a year and employs 62,000 technologists to help fight cybercrime.

“We have more engineers than Google or Amazon,” she said. “Why? Because we have to. The fraudsters get smarter, savvier, quicker, more devious and more mischievous.”

Bad Actors Are Threatening Financial Services Firms

Of course, financial services institutions have every reason to fortify their cyber defenses. As Mary Callahan Erdoes pointed out, they manage the financial assets of clients all over the world. JPMorgan Chase’s total assets amount to $3.89 trillion. That number is a very big target for bad actors. They are growing more sophisticated in their use of tools such as generative AI to attempt to hack into assets and commit fraud by stealing customer data. Unfortunately, hackers are getting through. The average cost of a data breach in financial services is second only to healthcare, according to the IBM 2023 Cost of a Data Breach report.

Her comment also cast a spotlight on the growing importance of data loss prevention. DLP is a security approach that identifies and prevents the unauthorized use, disclosure, or destruction of sensitive information. It’s like a security guard for your data, constantly watching for suspicious activity and stopping attempts to take it outside the walls surrounding your digital estate.

Data Loss Prevention Is Crucial for Financial Services Firms

For financial services firms, DLP is crucial due to the highly sensitive nature of the information they handle. This includes customers’ personal data like names, addresses, Social Security Numbers, account details, and financial transactions. Financial services companies also face some special considerations with DLP:

  • The industry is heavily regulated by data privacy and security laws. Financial services firms must manage challenges related to data sovereignty, jurisdictional policies, and regulations per country. A mature DLP program should track regulatory changes and adapt its controls to the data’s country of origin and localization policies, conforming to the location of the cloud provider, the cloud user, the data subject, and the server, and to any applicable treaties and/or contracts.
  • Financial services firms have complex IT environments with on-premises systems, cloud deployments, mobile applications, and various third-party integrations. DLP solutions need to be flexible and scalable to cover all data endpoints and movement channels.
  • Unfortunately, employees with legitimate access to sensitive data pose a risk. DLP needs to monitor user activity for suspicious behavior and prevent unauthorized data exfiltration.

Financial Services Firms Are Vulnerable

According to Deloitte, financial institutions have reduced cybersecurity budgets as a share of total revenue in the banking and capital markets and insurance sectors, from 0.72 percent in 2021 to 0.54 percent in 2023. Of that amount, the share devoted to data protection and privacy has dropped from 10 percent to 7 percent. As a result, financial services firms face some vulnerabilities.

The industry should expect bad actors to exploit the financial services companies that are devoting less to protecting their data, like burglars who bypass well-fortified homes and focus on the vulnerable ones. It’s not a question of if a financial services company will suffer from a massive data leak, but when.

This is all happening as publicly traded firms enter a new era of accountability in cybersecurity disclosure. In December 2023, the Securities and Exchange Commission adopted cybersecurity rules that require publicly traded businesses to disclose cybersecurity incidents within four business days of determining that the incident is material. Firms also must report on their cybersecurity risk management and governance processes annually. In effect, the SEC has put businesses on notice that they will be held accountable for failing to manage and report cybersecurity.

A mature DLP program infused with generative AI can protect a business’s digital estate and accelerate and automate the reporting that the SEC requires. Together, DLP and generative AI deliver preparation, automation, and reduced operational costs as an extra layer of value on top of safeguarding against data leaks. Read our blog post for more insight.

Mother of All Data Breaches Reveals 26 Billion Records

As if to underscore everything that Mary Callahan Erdoes said at Davos, on January 23 news broke that a massive data leak spanning 26 billion user records had compromised LinkedIn, Twitter, Weibo, Tencent, and other platforms. This is likely the largest breach ever discovered.

So far, no one knows who harvested the leaked data. The culprit could be a bad actor, data broker, or a service that works with large amounts of data.

Researchers noted, “The dataset is extremely dangerous as threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts.”

Although the leak does not target financial services companies, per se, adjacent industries and businesses are affected, such as Tencent, which saw 1.5 billion records released. And users’ financial data could be at risk as bad actors use leaked data to launch phishing attacks to attempt to gain access to bank accounts and the like.

What Financial Services Firms Should Do about Data Loss Prevention

At Centific, we believe that a rigorous, 360-degree approach to data loss prevention that encompasses generative AI is the key to staying ahead of bad actors who are looking for every conceivable edge in their quest to breach corporate data and commit acts of fraud. This approach encompasses the right processes, tools, and much more.

This approach must embrace a zero trust architecture (ZTA). ZTA assumes that threats can exist both outside and inside the traditional network perimeter. This necessitates rigorous verification and control measures. As a result, a company employing ZTA protects its systems with a far greater level of rigor.  For instance, under the ZTA principle of least privilege, an organization would grant users and devices the minimum level of access they need to perform their duties. This limits the potential for data leakage from over-privileged accounts. In addition, an organization would implement role-based access controls (RBAC) to ensure that only authorized individuals have access to sensitive data.

Alignment with Governance, Risk, and Compliance (GRC)

The approach must also include alignment with your governance, risk, and compliance (GRC) efforts. DLP is essential for mitigating the risks of data breaches, which have far-reaching implications for the governance and compliance posture of an organization. By integrating DLP into your GRC strategy, you demonstrate a proactive approach to risk management, prioritizing the protection of sensitive data.

Robust data classification, a core component of DLP, aligns strongly with GRC’s emphasis on information governance best practices.  Knowing what data you possess and its level of sensitivity empowers you to prioritize protection measures accordingly.  Additionally, the monitoring and alerting mechanisms within DLP support regulatory compliance. Many regulations, such as HIPAA, PCI DSS, and data privacy laws, contain specific requirements for data handling and protection of sensitive information.  DLP’s detailed logs and reports help you demonstrate adherence to these regulations and reduce the risk of financial penalties or reputational damage.
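To make the classification, monitoring and alerting pieces concrete, here is an added example (not code from Centific or from any DLP product) of an egress content check over constructed outbound messages: it classifies text that carries Social Security Numbers or payment card numbers as restricted, ignores lookalike numbers that fail validation, blocks the restricted ones, and writes a redacted audit record of the kind a compliance review would rely on. The event fields, sensitivity labels and policy are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed outbound messages standing in for mail or upload bodies; no real data.
SAMPLE_EVENTS = [
    {"id": "evt-001", "user": "analyst1", "text": "Quarterly review attached, see you Thursday."},
    {"id": "evt-002", "user": "analyst2", "text": "Client SSN 123-45-6789, card 4111 1111 1111 1111 for onboarding."},
    {"id": "evt-003", "user": "analyst1", "text": "Invoice total 4111-1111-1111-1112, ref 987-65-4321."},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits with optional separators

def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class Finding:
    kind: str      # "SSN" or "PAN"
    redacted: str  # masked value that is safe to write to the audit log

def classify(text):
    """Return (sensitivity, findings); lookalike numbers that fail validation are ignored."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding("SSN", "***-**-" + m.group(3)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    return ("restricted" if findings else "internal"), findings

def inspect(event):
    """Policy decision plus an audit record; restricted content is blocked at egress."""
    sensitivity, findings = classify(event["text"])
    action = "block" if sensitivity == "restricted" else "allow"
    kinds = ",".join(f"{f.kind}:{f.redacted}" for f in findings) or "-"
    audit = f'dlp id={event["id"]} user={event["user"]} action={action} class={sensitivity} findings={kinds}'
    return {"action": action, "sensitivity": sensitivity, "findings": findings, "audit": audit}
```

Running `inspect` over the three sample events allows the first and third (the third carries a card-like number with a bad Luhn digit and an unissued SSN area) and blocks the second with both findings redacted in the log line.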

Incorporating DLP practices into your overall GRC framework ultimately leads to improved decision-making and better resource allocation. By effectively managing data-related risks, you can make more informed strategic choices, protect your brand reputation, and avoid costly setbacks associated with non-compliance.

In a recently published blog post, “A 360-Degree Approach to Data Loss Prevention,” I delve into our recommended approach in more detail. This approach applies to financial services companies as well as other industries. In addition, visit our website to learn how Centific’s Digital Safety Services can help you protect your assets with a rigorous approach that stays a step ahead of bad actors. We are in your corner!