Are US and UK financial service organizations complying with regulations to protect financial and customer data?
Several regulatory bodies in the US and UK, and some global industry standards such as PCI DSS (maintained by the PCI Security Standards Council rather than a government regulator), set requirements for collecting, accessing and safeguarding sensitive data. Meeting only the minimum requirements of these standards, however, still leaves room for breaches such as unauthorised access or data loss.
Financial organizations therefore need to do more than comply with regulations and industry standards. They should also have security policies in place that actually protect the data, both their own and their customers', to the level the risk demands. Unfortunately, the research presented in this guide indicates that for many organizations this is not the case.
Hopefully the guidance given here will help your organization not to be one of them.
Access security risks and compliance penalties
Financial organizations are, essentially, data businesses. They run on the handling of sensitive financial and customer information, and that data moves constantly between organizations and customers, often across international borders.
Wherever data moves there is a risk of breach. That risk can come from a technical failure, but more often it comes from people: an absent-minded employee sharing a password, or a user deciding to misuse information they should never have had access to in the first place.
The risks are great and the penalties for breaches are severe. Under GLBA, civil penalties can reach $100,000 per violation for the institution, with additional personal penalties for the officers and directors responsible. PCI DSS fines are contractual rather than statutory, levied by the card brands through the acquiring bank, but they are in the same range and can recur for every month an organization remains non-compliant. All of that comes before the cost of investigation, remediation, customer notification and reputational damage.
‘Need-to-know’ data restrictions
In data security we often talk of information being shared on a ‘need-to-know’ basis. This is the informal name for the principle of least privilege, and it is what every regulation and standard in this guide (SOX, GLBA, the FCA’s rules and PCI DSS) requires in one form or another: everyone in an organization has exactly the level of data access their role needs, and no more.
Applied consistently, this significantly reduces the damage an error or a compromised account can do, because each user can only reach the data their job requires. It is also a useful lens for thinking about access in general. But while it sounds simple in theory, implementing it in practice is not: roles change, exceptions accumulate, and access granted for a one-off task is rarely revoked unless someone reviews it.
Unique user identification
To limit data access to what each individual’s role requires, you first need to be able to identify each individual. Access is granted per person, and every action on sensitive data must be attributable to exactly one accountable user. Shared logins and generic accounts (‘admin’, ‘finance-team’) defeat this, because they make it impossible to say who did what.
Unique user identification is a requirement of every regulation and standard covered here, and it is the foundation of all good user security practice: without it, neither least privilege nor a meaningful audit trail is possible.
Going beyond compliance
Unique user identification is only the foundation, however. Best practice goes much further, down to controls over individual systems, data sets and actions. The requirements of SOX, GLBA, the FCA and PCI DSS also go further, but each is shaped by the risk it was written to address: SOX by the integrity of financial reporting and the internal controls behind it, PCI DSS by the protection of payment card data.
Compliance requirements are also often less granular than they could be, because they have to apply to every kind of financial company and so are left open to interpretation to some degree.
For that reason the guidance that follows is not a bare ‘minimum’ for achieving compliance. This report goes into more detail on best practice, so that your approach to access security goes beyond compliance and actually minimises risk.