Security and data privacy in finance

Data security in financial services has always been important. However, with many services now available online and sensitive documents and information containing personal data being sent via email or via online portals as part of application processes, security is more crucial than ever. The direct handling of personal information during customer on-boarding is one aspect of data privacy, but big data analytics is another. Through our spending, we all share large volumes of information about our purchasing habits and our movements, which over time indicate trends. How much access should financial institutions have to this customer data?

According to IBM’s X-Force Threat Intelligence Index, finance and insurance was the industry most targeted by threat actors for five consecutive years up to 2020. The pandemic exposed weaknesses in supply chains, and criminals exploited them, so that in 2021 manufacturing overtook finance and insurance as the most attacked sector. Most threat actors are financially motivated cyber criminals, but hackers with other motives and nation-state attackers are also active and pose a threat to organisations and institutions.

The X-Force Threat Intelligence Index 2022 reports that phishing was the most common initial attack vector in 2021, used in 41% of the incidents X-Force responded to. The brands most often impersonated by cybercriminals to dupe consumers in 2021 were Microsoft, Amazon, and Google. Once a data breach has occurred, it becomes far easier for criminals to use the stolen consumer data en masse for identity theft and fraud, putting consumers’ funds as well as their privacy at risk. Governments around the world have put data privacy regulations in place to hold businesses accountable when a breach results from a lack of due diligence.

What is GDPR?

The General Data Protection Regulation (GDPR) is the core of the EU’s data protection law. It was adopted on 14 April 2016 and has applied since 25 May 2018. It applies to any organisation with a data controller or processor (e.g. a cloud service provider) established in the EU, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of where the business itself is located. This is why the impact of GDPR was felt well beyond the EU member states. Its safeguards exist to stop the data collected about individuals being used to identify them and expose them to identity theft, credit card fraud, and other crimes.

According to the European Commission, "Personal data is information that relates to an identified or identifiable individual. If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."


GDPR places the following obligations on organisations that process the personal data of individuals in the EU:

  • Processing only on a lawful basis, which for many financial products means obtaining the customer’s consent to the collection and sharing of their information, together with clear communication of how they can exercise their rights, including the right to request erasure of their data.
  • Applying appropriate technical and organisational security measures, such as pseudonymisation and encryption of personal data, and collecting no more data than is needed for the stated purpose (data minimisation), so that individuals cannot be identified from data that does not need to identify them.
  • Formally notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and informing the affected customers of the details where the breach is likely to put them at high risk.
  • Safeguards around the transfer of personal data across borders, to countries outside the EU.
  • Appointing a data protection officer, where the organisation’s processing requires one, who advises on and monitors compliance with GDPR.
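The list above speaks of preventing the identification of individuals from the data collected. In practice this is often attempted by hashing customer identifiers, which gives pseudonymisation at best and, for low-entropy fields such as a date of birth, almost no protection at all. The following is an added example written for this page (not code from the original article or from any regulator), using constructed sample records and a hypothetical 32-byte secret key; it shows that a plain SHA-256 of a date of birth is recovered by simply enumerating dates, while a keyed HMAC token is not recoverable without the key.

```python
"""
Added example (not from the original article): pseudonymising customer
identifiers with a keyed HMAC rather than an unkeyed hash.
All records, keys and values below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed sample customer records; account numbers are fictional.
CUSTOMERS = [
    {"account": "12345678", "dob": "1980-03-14", "balance": 1200.50},
    {"account": "87654321", "dob": "1975-11-02", "balance": 98.10},
]


def sha256_token(identifier: str) -> str:
    """Unkeyed hash. Deterministic and reproducible by anyone, so for a small
    identifier space (dates of birth, account numbers) it is reversible by
    enumeration and does not make the data anonymous."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def hmac_token(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Stable for a given key, so analytics can
    still join records on it, but an attacker without the key cannot enumerate
    candidate identifiers and compare."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Produce analytics rows: the account number is replaced by an HMAC token
    and the date of birth is dropped altogether (data minimisation)."""
    return [
        {"token": hmac_token(r["account"], key), "balance": r["balance"]}
        for r in records
    ]


def brute_force_dob(
    token: str,
    tokenizer: Callable[[str], str],
    start: date = date(1920, 1, 1),
    end: date = date(2020, 12, 31),
) -> Optional[str]:
    """Attacker's view: try every date of birth in a 101-year window (about
    37,000 values) and return the one whose token matches, or None."""
    d = start
    while d <= end:
        if tokenizer(d.isoformat()) == token:
            return d.isoformat()
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    # Hypothetical secret; in production it lives in a KMS/HSM, separate
    # from the pseudonymised dataset, and is rotated on a schedule.
    key = secrets.token_bytes(32)

    leaked_sha = sha256_token(CUSTOMERS[0]["dob"])
    print("SHA-256 token reversed to:", brute_force_dob(leaked_sha, sha256_token))

    leaked_hmac = hmac_token(CUSTOMERS[0]["dob"], key)
    attacker_guess = secrets.token_bytes(32)  # attacker does not have `key`
    print("HMAC token reversed to:",
          brute_force_dob(leaked_hmac, lambda s: hmac_token(s, attacker_guess)))

    for row in pseudonymise(CUSTOMERS, key):
        print(row)
```

The point for practitioners: a pseudonymised dataset is still personal data under GDPR as long as the key exists, so the key must be protected and stored separately from the data, and fields that analytics does not need should be dropped rather than hashed.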

The UK GDPR is enforced by the Information Commissioner’s Office (ICO). The ICO also provides a guide to law enforcement processing of personal data, just as the EU has a separate Law Enforcement Directive for the police and the criminal justice sector, setting out rules for the exchange of personal data at national, union, and international level.

What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) 2018 shares the same goals as GDPR in protecting personal data about California residents collected by and shared between businesses. In the USA there is no single data protection law enforced across the nation. Instead, many laws at the federal and state levels protect the personal and financial data of U.S. citizens. All 50 states now have their own data breach notification laws, the last of them enacted in 2018 in the wake of the breach at Equifax (a credit reporting agency) which exposed the personal data of around 147 million people.

The New York Department of Financial Services (NYDFS) cybersecurity regulation (23 NYCRR Part 500) took effect in March 2017, one year before the CCPA. It was a direct response to the increasing threat of financial information being stolen and the need for more sophisticated cybersecurity. It applies to all firms regulated by the Department of Financial Services, including their out-of-state and overseas branches, and requires them to assess their cybersecurity risk profile and maintain a written programme that identifies and mitigates that risk.

Section 5 of the Federal Trade Commission Act gives the Federal Trade Commission (FTC) broad power to protect consumers from unfair or deceptive practices, and it is the main tool the FTC uses to enforce privacy and data security in the absence of a general federal privacy law. Deceptive practices include a company failing to honour its own published privacy policy, failing to provide reasonable security for personal information, and deceptive marketing or advertising.

What is the Gramm-Leach-Bliley act?

The Gramm-Leach-Bliley Act (GLBA) was implemented to ensure that financial services firms and institutions across the USA safeguard sensitive data and explain to their customers how they do that. It is sometimes referred to as the Financial Services Modernisation Act and was introduced in 1999. The main principles of the GLBA are:

  • Financial Privacy Rule

This demands that financial institutions provide each customer with a privacy notice which explains what information is collected about them, where and with whom that information is shared, how the information is then used, and how the institution will ensure that the information remains protected.

  • Safeguards Rule

The Safeguards Rule requires financial institutions to develop, implement, and maintain a written information security programme, setting out exactly how the institution protects customers’ nonpublic personal information and keeps doing so over time.

  • Pretexting Protection

Pretexting is a form of social engineering in which a criminal, using a false pretext such as posing as the customer or as a bank employee, manipulates a customer or an institution into giving up personal or nonpublic information. It is a common precursor to financial fraud, and the GLBA makes obtaining customer information by false pretences illegal while requiring the organisations it covers to implement specific safeguards against this type of activity, such as verifying a caller’s identity before disclosing account information.

Secure your career progression with an MBA Finance

The world of security and data privacy in finance is ever expanding and requires tighter protocols across institutions, from authentication processes to cloud storage infrastructures. Communicating these protocols effectively and offering customers easy access to their own data all make for a better customer experience and a level of transparency that is now expected. 

Discover more about gaining an online MBA Finance from the University of the Commonwealth Caribbean (UCC) today to deepen your knowledge of cyber risks and how to manage them.