Lessons Learned From The SEC's $1 Million Data Privacy Fine
In June, a bulge bracket bank agreed to pay a $1 million fine to settle a Securities and Exchange Commission (SEC) charge for failing to protect client and investor information. According to a press release issued by the SEC, the bank’s former financial advisor had transferred data on roughly 730,000 client accounts to his personal computer; that computer was later hacked by a third party, and some of the data was then offered for sale online. Some argue that $1 million was a small price to pay for such a large bank, but SEC officials said the charge marked a turning point in the agency’s focus on cyber security-related issues.
The SEC fine is indicative of a larger trend. The sweeping changes in global regulations on protecting the personal data of private citizens, such as the General Data Protection Regulation (GDPR) and the pending EU-U.S. Privacy Shield in the European Union, show that governments are seeking more stringent ways to penalize companies that don’t make cyber security a top priority. This, coupled with the increase in cyber attacks in the past year (in 2015, 38% more security incidents were detected than in 2014, according to PwC), should be a signal for global financial institutions to take disruptive, proactive steps to boost cyber security initiatives. Incremental, reactive change isn’t enough.
The SEC case shows that financial institutions are under increasing pressure from regulators to protect client data. The SEC has identified cyber security as being a top enforcement priority for 2016, and firms must prepare for a new reality in which both the fines and frequency of audits could rise over the next year.
Based on what the SEC revealed in its release on this case, the bank didn’t have proper control over two of its internal, web-based portals where client data was stored. The portals had no effective authorization controls limiting each employee’s access to the customer data that employee’s role actually required. The bank also didn’t audit, monitor or analyze employees’ use of the portals, including the activity of former employees and even contractors, and once people left the company it had no way to revoke their access. This made it all too easy for the former financial advisor to help himself to client data, leaving it vulnerable to unauthorized access and, ultimately, theft.
Every global financial institution should view this SEC fine as a teachable moment for its own organization. Data breaches are more frequent every year, but that doesn’t mean they can’t be prevented. Here are four key takeaways that all banks should consider:
1. Permission-based access is your new best friend. Systems that store any client or employee personal data need controls that give each user access only to the records their role requires, for only as long as they require them. To do this, web-based data portals should offer the capability to set up and manage permission-based user roles, and access decisions should be deny-by-default: a user who isn’t assigned to a client shouldn’t see that client’s data at all. When granting access to sensitive data, ask yourself: what can each user do? What can each user see? And, most importantly for audits, can your risk management group see each user’s behavior in the portal? What are they viewing and downloading, and how much of it at once?
2. Leave a paper trail. For successful auditing and monitoring, risk and compliance professionals should have the ability to pull real-time reports that show which users have been accessing what information, and when. Log denied attempts as well as successful ones, since repeated denials are an early sign that someone is probing for data beyond their role, and keep the logs where the people being audited cannot alter them. Auditors will want to see evidence of your institution’s document control process, such as version control, transmission and receipts, and even proof that data has been properly disposed of. Further, plan on showing evidence that employees and contractors who no longer work for you had their permissions and credentials revoked promptly, on the day they left.
3. Don’t forget your client communications system. It’s hard to believe that global institutions are still using insecure, outdated methods like e-mail and overnight mail to deliver investment reports to their clients. As we’ve seen time and again, ordinary email doesn’t provide the necessary safeguards for information this sensitive: it is not encrypted end to end, and the sender cannot control who forwards it or where copies end up. And as for paper statements, if documents are sent to the wrong recipients, the bank is in danger of violating privacy laws and receiving fines. Additionally, banks have no ability to confirm receipt in either of these scenarios.
4. Invest in security mechanisms. Technologies such as two-factor authentication and 256-bit AES encryption are becoming standard for financial institutions. They make it much harder for outsiders to log in with stolen passwords or to read data they intercept or steal, and more clients are accustomed to using these kinds of safeguards on a regular basis; even consumer services such as Google offer two-step verification. One caveat: encryption and strong login controls protect data from outsiders, not from an authorized insider who downloads it, which is what happened in the SEC case. They work only alongside the access limits and monitoring described above.
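To make takeaways 1 and 2 concrete, here is an added example (written for this piece; it is not code from the article, from the bank involved or from Intralinks) of a small client-data portal model: deny-by-default role and assignment checks, an audit trail that records denied attempts as well as successful ones, immediate revocation when someone leaves, and a report that flags a user who downloads reports for an unusual number of clients in a short window, the pattern behind the 730,000-account transfer. All usernames, roles, client identifiers, timestamps and thresholds are hypothetical and constructed for the example.

```python
"""Added example, not code from the article or from Intralinks.

A minimal model of the controls in takeaways 1 and 2: role- and assignment-
based permissions on a client data portal, an audit trail of every access
attempt, immediate revocation when someone leaves, and a report that flags
bulk downloads. All users, roles, clients, thresholds and events below are
hypothetical and constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Hypothetical roles and the portal actions each one permits.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "advisor": {"view_client", "download_report"},
    "operations": {"view_client"},
    "compliance": {"view_client", "view_audit"},
}


@dataclass
class User:
    username: str
    role: str
    book: Set[str] = field(default_factory=set)  # clients assigned to this user
    active: bool = True


@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str
    client_id: str
    allowed: bool


class ClientPortal:
    def __init__(self, users: List[User]) -> None:
        self.users = {u.username: u for u in users}
        self.audit_log: List[AuditEvent] = []

    def _authorize(self, username: str, action: str, client_id: str) -> bool:
        """Deny by default: the account must exist and be active, the role must
        grant the action, and the client must be in the user's own book."""
        user = self.users.get(username)
        if user is None or not user.active:
            return False
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            return False
        return client_id in user.book

    def access(self, username: str, action: str, client_id: str, when: datetime) -> bool:
        allowed = self._authorize(username, action, client_id)
        # Every attempt is recorded, denials included, so compliance can answer
        # "who touched which record, and when" and can see probing for access.
        self.audit_log.append(AuditEvent(when, username, action, client_id, allowed))
        return allowed

    def offboard(self, username: str) -> None:
        """Disable a leaver at once; later attempts are denied and still logged."""
        user = self.users.get(username)
        if user is not None:
            user.active = False
            user.book.clear()

    def access_report(self, username: str) -> List[AuditEvent]:
        """Everything one user tried to view or download, in time order."""
        return sorted((e for e in self.audit_log if e.user == username), key=lambda e: e.when)

    def flag_bulk_downloads(self, window_minutes: int, threshold: int) -> Dict[str, int]:
        """Users who downloaded reports for at least `threshold` distinct clients
        within any window of `window_minutes`, with the peak count per user."""
        window = timedelta(minutes=window_minutes)
        flagged: Dict[str, int] = {}
        downloads = [e for e in self.audit_log if e.allowed and e.action == "download_report"]
        for e in downloads:
            recent = {d.client_id for d in downloads
                      if d.user == e.user and e.when - window <= d.when <= e.when}
            if len(recent) >= threshold:
                flagged[e.user] = max(flagged.get(e.user, 0), len(recent))
        return flagged


def run_scenario() -> ClientPortal:
    """Constructed sample activity: a normal advisor, an advisor pulling far more
    than a day's work, an operations user overstepping, and a leaver who tries again."""
    portal = ClientPortal([
        User("advisor_a", "advisor", {"C100", "C101"}),
        User("advisor_b", "advisor", {f"C{n}" for n in range(200, 300)}),
        User("ops_1", "operations", {"C100"}),
    ])
    t0 = datetime(2016, 6, 1, 9, 0)
    portal.access("advisor_a", "download_report", "C100", t0)                            # allowed
    portal.access("advisor_a", "download_report", "C999", t0 + timedelta(minutes=1))     # not in book
    portal.access("ops_1", "download_report", "C100", t0 + timedelta(minutes=2))         # role lacks it
    for i in range(50):  # advisor_b pulls 50 clients' reports in 25 minutes
        portal.access("advisor_b", "download_report", f"C{200 + i}", t0 + timedelta(minutes=30 + i // 2))
    portal.offboard("advisor_a")
    portal.access("advisor_a", "view_client", "C100", t0 + timedelta(days=1))            # denied, logged
    return portal


if __name__ == "__main__":
    p = run_scenario()
    for ev in p.access_report("advisor_a"):
        print(ev.when, ev.action, ev.client_id, "ALLOWED" if ev.allowed else "DENIED")
    print("bulk downloads:", p.flag_bulk_downloads(60, 25))
```

The threshold and window are policy choices; a real deployment would tune them per role and feed the flags to the risk team rather than just printing them, but the shape of the check is the same: authorization decided per record, every attempt logged whether or not it succeeded, and the log itself analyzed for volume, not only for individual denials.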
It is possible for financial institutions to provide employees and clients with the storage and collaboration tools they need, without compromising security. Making the proper security investments, and training staff and clients on the best practices for sharing and storing sensitive data, is your best defense against data breaches, information theft, and million-dollar fines.
Meghan McAlpine is the director of Alternative Investment Strategy for Intralinks, a secure collaboration firm enabling financial institutions to accelerate business beyond boundaries. Prior to joining Intralinks, Meghan worked in the Private Fund Group at Credit Suisse. While at Credit Suisse, she raised capital from institutional and high net worth investors for domestic and international private equity firms. Before Credit Suisse, Meghan worked in the Mergers, Acquisitions and Corporate Advisory Group at Deutsche Bank, focusing on the healthcare industry. Meghan graduated from Georgetown University with a BSBA in Finance.
© 2017 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.