Key industry trends

Increasing regulations

The Financial Services industry is undoubtedly one of the most regulated in the world, and rightly so given the highly sensitive nature of information under its control. As new technologies continue to develop and be adopted, and as business models and consumer behaviour change, governing bodies are having to create new legislation to ensure minimum standards are established – this is nowhere more apparent than when it comes to risk management and cyber threats.

The regulatory landscape is becoming increasingly complex and it is largely falling on the shoulders of IT teams to implement compliant, yet agile architectures that drive innovation whilst curbing costs.

GDPR is the regulation that has occupied headlines throughout the past couple of years, but this is just one regulation of many that FS companies need to comply with when forging IT strategies.

In the US, the California Consumer Privacy Act was signed into law in June 2018 to establish new consumer privacy rights whilst increasing liability for data breaches. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a US federal law that, under the Safeguards Rule, expects financial institutions to be able to demonstrate how consumers’ private information is protected. The New York State Department of Financial Services (NYDFS) cybersecurity regulation requires all DFS regulated entities to adopt the core requirements of the cybersecurity program through the implementation of a cybersecurity policy, designation of a CISO, periodic pen testing and vulnerability assessments as well as a string of other requirements.

And these are just some of the US laws affecting data and privacy. In the UK there is the Data Protection Act 2018, in Germany the German Privacy Act 2018, and revisions were made to the French Privacy Act to comply with GDPR – the list goes on as data and privacy come to the forefront of not only IT agendas, but organizational agendas as well.

Data privacy is of paramount importance and ensuring compliance is a priority for the InfoSec community. With an ever-increasing mobile footprint, IT and Security professionals need to consider the impact of mobility on data privacy and whether they have the appropriate technologies in place to guarantee compliance.

“Consumer confidence is eroding more and more with every data breach. It’s never been more important to take those precautionary measures to secure your IT infrastructure, inside and outside the perimeter. Too many companies wait until it’s too late to set up sufficient protections that extend to endpoints like mobile.”

Alex Cherian, Senior Offering Manager at IBM Security

Moving to the cloud

Across industries, there is a general shift toward the cloud model, whether it be partial or full adoption. For the more traditional FS incumbents, the cloud offers an infrastructure that is agile relative to in-house legacy systems, helping to compete with more nimble challengers.

It’s very easy to see cloud technologies through rose-tinted glasses, but they are not without their pitfalls and not everyone is convinced. Compliance, legal and possibly IT teams can be skeptical of cloud technologies. Outsourcing means control is diminished, whether it be over the service provided or data residency, and in an industry that is as vigilantly regulated as Financial Services, it’s more control than some companies are willing to relinquish.

However, commercial demands are necessitating migration to the cloud, perhaps not for business critical systems, but the non-core processes like HR and Marketing. All this means is that FS companies and governing authorities will have to adapt to a new norm.

In Europe, the European Data Protection Supervisor (EDPS), Information Commissioner’s Office (ICO) and the European Banking Authority (EBA) have all published guidance on the use of cloud service providers (CSPs), with the latter specifically focusing on the Financial Services. In the UK, the Financial Conduct Authority (FCA) has followed suit and published its own guidance pertaining to firms outsourcing to the cloud and other third party IT services.

There is also ISO/IEC 27017, which provides guidelines on information security controls for the use of cloud services. Despite the publication of guidelines, accreditations and regulations, these technologies are still in their infancy. Organizations and authorities alike are exploring how best to approach the cloud, and Financial Services companies in particular need to consider the effect of cloud adoption on operational resilience.

Supporting BYOD

According to Forrester, 64% of devices in financial services firms are employee-owned. There are two main reasons why BYOD is so appealing to this industry.

The first and most obvious: it removes the equipment cost. Second, it protects the organization from legal liability in the event an employee uses a mobile device to carry out illegal activities, such as insider trading.

IT teams supporting this BYOD model are tasked with walking the fine line between protecting corporate data and respecting end-user privacy, all while remaining compliant with the cascade of industry regulations.

A multinational British bank was seeking an MTD (Mobile Threat Defense) solution for its BYOD Android devices. The company had rolled out an Android Enterprise container solution managed by BlackBerry UEM to these devices. The company required a solution that is fully integrated with its UEM for automated compliance actions, with minimal impact on the user in any given scenario. They also required the corporate container to be blocked or wiped automatically if a threat is detected or if the MTD app is missing from the device. The company was aware that it needed to be alerted to security threats but wanted to limit the amount of information the MTD solution provided to IT admins due to privacy laws. As a proof point for the diversity of fleets within financial services firms today, this company also requested integrations with Microsoft Intune and Office 365 as well as support for iOS devices. Luckily, this level of interoperability does exist in the MTD market.

By recognizing the unique mobile requirements of Financial Services businesses as well as the threats affecting mobile users, IT and security leaders can develop a better security strategy that extends beyond the protected perimeter.