How Finservs Can Mitigate Security Risks in the Age of Digital Transformation


By Maurice Uenuma, VP & GM, Americas at Blancco

Heightened customer demand for new digital services from their financial institutions is driving financial services organizations to change how they operate technologically, and how they do business in general. Well-established institutions embarking on digital transformation journeys must migrate legacy systems and embrace cloud data storage as well as service delivery for both enterprise and individual customers. Meanwhile, digital-first neobanks are building their businesses entirely on cloud infrastructure. Regardless of approach, the amount of financial data that financial services providers store, access, and process continues to expand dramatically as the world continues on its accelerated digital trajectory. 

Compliance in the Age of Digital Transformation

While most business sectors have gone through some form of digital transformation, the financial services sector has been at the forefront. In addition to encouraging competition in a market that has long been dominated by a few established players, regulators are eager to protect customers. They’ve developed strict rules to shield customers from the misuse of their data, as well as rules and guidelines about how long institutions must keep sensitive data. Banks must navigate and comply with regulations from different regions and for different use cases and types of data, making the situation highly complex. For example, in the UK, identity data held in connection with anti-money laundering regulations needs to be kept for five years from the end of the business relationship. GDPR, however, states that personal data should be kept no longer than is necessary for the purposes for which it was collected. For a bank, this combination may mean holding information for more or less than five years after account closure.

In late 2023, the Consumer Financial Protection Bureau (CFPB) proposed the Personal Financial Data Rights rule. If approved, it would accelerate a shift toward open banking, giving consumers control over data about their financial lives and would provide new protections against companies misusing their data. The goal of the rule is to increase competition by forbidding financial institutions from hoarding a person’s data and by requiring companies to share data at the person’s direction with other companies offering better products. In essence, the Personal Financial Data Rights rule would allow consumers to “break up” with banks and would forbid companies that receive data from misusing or wrongfully monetizing sensitive personal financial data.

There are also the potential regulatory consequences of a data breach. Financial services providers have paid hefty fines after the compromise of personal data. For instance, the U.S. Securities and Exchange Commission (SEC) fined more than a dozen banks almost $2 billion in 2022, citing cybersecurity deficiencies. The challenge is not unique to the largest institutions; across the entire financial services sector, the average cost of such a data breach is US$5.9 million.

More Data, More Problems

The rapid growth of data resulting from expanding digital services, coupled with the financial sector’s stringent rules and complexities related to data retention, has created a culture of data hoarding, or retaining data that is not needed. We recently released a report based on a global study conducted in collaboration with Coleman Parkes, for which the research team surveyed 900 data retention and data disposal decision makers at financial services institutions. While 73% of respondents agreed digital transformation has made collecting and analyzing data simpler, 67% see the switch as increasing the amount of redundant, obsolete, or trivial (ROT) data collected.

Amassing too much data has the inherent risk of making the attack surface larger and easier for cybercriminals to target. This is a real concern because, in 2023, the financial sector was the most breached industry according to the 2024 Data Breach Outlook report by financial and risk advisory firm Kroll. One of the most notable attacks in the last year was the CL0P MOVEit attack. Nearly 3,000 institutions from the public and private sectors were affected, including major firms like Deloitte, Ernst & Young, Deutsche Bank, and several U.S. government agencies.

Minimizing Data Risk

So, what can financial services organizations do to cope with the growing pains (and risks) of data expansion? An important step is minimizing data exposure risk, which can be addressed by identifying and permanently eradicating data in need of disposal and formalizing a robust data retention policy.

While many financial services organizations in our study reported having a solid data retention policy in place, there were gaps that are particularly worrisome for a heavily regulated industry. Specifically, we found that a sizable minority of the financial sector organizations surveyed have fallen behind and must better manage and categorize their data. For instance, only 60% of our financial sector survey respondents could confidently say they had a data retention policy in place that was fully communicated across the business; meanwhile, 36% were only “in the process” of implementing and communicating such a policy, and 3% said that they did not currently have any data retention policy in place.

For the data retention policy to be most impactful, financial services organizations will need to ensure clarity about which data has, and has not, reached end of life, based on the services offered and how the different retention rules overlap.

Once data in need of disposal has been identified, properly eliminating it is crucial to protect a financial services organization from regulatory risk. Decreasing the amount of stored data reduces the attack surface; limiting data storage to required records reduces the number of records that can be breached. 
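The overlap problem described above (a statutory minimum such as the UK AML five-year rule alongside GDPR's purpose limitation) can be made mechanical: each record category maps to the set of rules that apply to it, the disposal deadline is the latest of the applicable minimums, and anything that is unmapped or under legal hold is kept out of the erasure queue. The following is an added example written for this article, not code from Blancco or from the study; the AML period is the one cited above, while every other category, rule name, retention period, record id and date is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    """A minimum retention period, counted from the end of the customer relationship."""
    name: str
    years_after_end: int


# Constructed policy table. The UK AML figure (five years from the end of the
# business relationship) is the one the article cites; every other category,
# period and rule name here is an assumption made for this example.
POLICY: Dict[str, List[RetentionRule]] = {
    "aml_identity": [RetentionRule("UK AML statutory minimum", 5)],
    "kyc_customer_file": [
        RetentionRule("UK AML statutory minimum", 5),
        RetentionRule("assumed complaints-handling minimum", 3),
    ],
    "transaction_ledger": [RetentionRule("assumed accounting minimum", 6)],
    # GDPR purpose limitation: once the relationship ends the purpose does too
    # (assumption), so nothing justifies keeping the profile any longer.
    "marketing_profile": [RetentionRule("GDPR purpose limitation", 0)],
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    relationship_end: Optional[date]  # None while the relationship is active
    legal_hold: bool = False          # litigation/regulatory hold overrides disposal


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(record: Record, policy=POLICY) -> Optional[date]:
    """Earliest date on which every applicable rule is satisfied, or None if
    the category is unmapped or the relationship is still active."""
    rules = policy.get(record.category)
    if rules is None or record.relationship_end is None:
        return None
    # Overlapping obligations resolve to the longest minimum: a record may be
    # disposed of only when no rule still requires it.
    return max(add_years(record.relationship_end, r.years_after_end) for r in rules)


def classify(record: Record, as_of: date, policy=POLICY) -> str:
    """HOLD, KEEP, REVIEW or DISPOSE for one record on the given date."""
    if record.legal_hold:
        return "HOLD"
    if record.relationship_end is None:
        return "KEEP"
    if record.category not in policy:
        return "REVIEW"  # uncategorised data cannot be safely kept or erased
    deadline = retention_deadline(record, policy)
    return "DISPOSE" if as_of >= deadline else "KEEP"


def disposal_manifest(records, as_of: date, policy=POLICY) -> Dict[str, List[str]]:
    """Group record ids by classification so the DISPOSE list can feed an
    erasure job and the REVIEW list a categorisation backlog."""
    manifest: Dict[str, List[str]] = {"HOLD": [], "KEEP": [], "REVIEW": [], "DISPOSE": []}
    for rec in records:
        manifest[classify(rec, as_of, policy)].append(rec.record_id)
    return manifest


# Constructed sample inventory; ids and dates are invented for the example.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "aml_identity", date(2018, 3, 15)),        # five years elapsed
    Record("r2", "aml_identity", date(2020, 1, 10)),        # inside AML window
    Record("r3", "marketing_profile", date(2023, 12, 31)),  # purpose has ended
    Record("r4", "transaction_ledger", None),               # active customer
    Record("r5", "legacy_export", date(2015, 1, 1)),        # no policy mapping
    Record("r6", "aml_identity", date(2010, 1, 1), legal_hold=True),
    Record("r7", "kyc_customer_file", date(2020, 1, 1)),    # longest rule wins
]

if __name__ == "__main__":
    for bucket, ids in disposal_manifest(SAMPLE_RECORDS, AS_OF).items():
        print(f"{bucket:8s} {ids}")
```

Two design choices carry the article's point. Unmapped categories land in REVIEW rather than being silently kept or silently erased, which is the "better manage and categorize" gap the survey found. And the deadline is the maximum across rules, so a GDPR minimisation argument never shortens a statutory minimum, while the statutory minimum never extends data that no rule requires.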

Timely data disposal can also help control reputational damage. No organization dealing with a data breach wants to be further scrutinized for storing end-of-life or redundant, obsolete or trivial (ROT) data that should have been disposed of long ago. Reputational damage is also a consideration when connecting the dots between data hoarding and environmental harm, with negative effects such as wasted energy and higher carbon emissions from unnecessary data center resource usage.


Financial services organizations must keep customer data safe from harm. Beyond complying with the sector’s rules and regulations on what information to store, they must also be prompt about disposing of data that no longer serves a purpose. Today, too many financial institutions are not meeting this challenge, risking data privacy violations, regulatory fines, and their reputations by not carefully managing what’s in the vault.

About the author

Maurice Uenuma is VP & GM, Americas, at Blancco Technology Group, collaborating with an interdisciplinary team to deliver the world’s leading data erasure and device diagnostics solution to address the privacy, security, and sustainability needs of government agencies, enterprises, and device processors. Previously, Maurice was Vice President, Federal & Enterprise with Tripwire. Prior to joining Tripwire, he was Vice President at the Center for Internet Security (CIS) and served as Workforce Management co-chair of the National Initiative for Cybersecurity Education (NICE) Working Group at NIST. Earlier, Maurice held leadership roles at Perot Systems and Dell, and served for nine years as an infantry and special operations officer in the United States Marine Corps. Maurice holds a Master’s degree in National Security Studies from Georgetown University, graduated from the U.S. Naval Academy, and is a GIAC-certified Global Industrial Cyber Security Professional (GICSP).
