By Mike Mason, Senior Product Marketing Manager, FairWarning
MarketsandMarkets forecasts that the cloud market for the financial services industry will grow at a CAGR of 24.4 percent to $29.47 billion by 2021. As financial services industry spending shifts towards cloud technology, so does an influx of sensitive data. This kind of data must be secured, especially in an industry as heavily regulated as finance.
And the regulations just keep on coming. The New York State Department of Financial Services cybersecurity regulation, for instance, requires banks, insurance companies and other financial services institutions in the state to hire a CISO who will put the proper risk assessments and processes in place, report not just successful data breaches but any attempted data breach, and require their third-party providers to strengthen their security measures as well.
As the finance industry falls under these growing regulations, it becomes harder for compliance professionals to manage and report because they are typically working with a wide array of legacy software services that are complicated, opaque and not optimized to configure for privacy and compliance.
The Effects of Cloud Migration
Cloud technologies now include features such as encryption, tokenization, strong authentication, and the ability for applications to produce audit logs. This allows highly regulated industries to entrust the cloud with their data and continue to reap the rewards of moving to the cloud. Not only do cloud-based technologies contribute to cloud security, but they also help organizations to meet basic regulatory requirement standards and to build upon their security and compliance programs.
Compliance Requirements Abounding
Across the country and across the globe, regulations are springing up to ensure the safety and privacy of citizens’ data. In addition to the existing regulations of FINRA, PCI, FFIEC, the above-mentioned NY State Cybersecurity Rule and the UK’s FCA, organizations continue to face a mounting list of compliance regulations.
Perhaps the most significant of these is the European Union’s General Data Protection Regulation (GDPR), set to go into effect on May 25th, 2018. It affects the way organizations collect, store and use EU citizen data. Under GDPR, fines can equal four percent of annual turnover or 20 million euros.
Individual U.S. states are increasing their control over financial services as well. The state of Delaware passed a new law, House Substitute 1 for House Bill 180, that requires businesses to alert Delaware state residents affected by a data breach within 60 days of the occurrence, and to notify the state attorney general if more than 500 residents are affected. Meanwhile, in Maryland, the Maryland Personal Information Protection Act was amended to expand the definition of personal information and provide a 45-day time frame for notice of a breach.
Key Questions When Choosing Cloud Applications
In light of all these compliance mandates, it’s important when choosing a cloud application to select an application that will aid in cloud compliance and improve your security posture, not create more risk. If not properly vetted, adding additional cloud applications into your network can create security and compliance vulnerabilities. If the applications don’t integrate, then you will possibly need to achieve compliance for each application separately.
This is why it is necessary to ask about integration when looking at cloud applications. Other compliance factors to consider include:
- Who has access to my data?
- Where does my data reside?
- Are my cloud applications secure? Do third parties access my cloud environment?
- How long am I required to store my data?
- Is my data organized to aid in e-discovery?
Three Keys to Effective Cloud Compliance
Because there are so many regulations to keep track of and comply with, financial services organizations often have a hard time integrating their compliance programs with their security goals. But with a few considerations, you can better align your security and compliance goals.
- Understand which requirements affect your organization. These requirements can be mandated by specific regulations, which can be based on your jurisdiction or the activities that you employ to conduct business.
- Run ongoing compliance risk assessments. These regular risk assessments contribute to the foundation of a strong compliance program. Regulatory risks change, which calls for the risk assessment process to be updated and revised regularly.
- Streamline compliance and security. Go beyond meeting baseline regulatory standards. During your compliance journey, address gaps in security to go above and beyond just meeting a compliance checkbox.
- Overlap compliance requirements. If you are trying to meet multiple compliance standards, try to achieve overlapping requirements to reduce workload and complexity.
- Monitor and audit your compliance program. Be proactive in understanding your gaps and how to continue improving your compliance posture; don’t wait until you are in the midst of a crisis to conduct your own audit.
Of course, you want to avoid the sometimes-hefty fines associated with non-compliance, but a focus on compliance also continues to help your organization increase customer trust and loyalty to your brand.
As the financial services industry increases its adoption of cloud computing, it faces the dilemma of juggling multiple regulatory requirements concerning data handling, privacy and safety. GDPR is a sign of more compliance rules to come, yet many financial services industry organizations already struggle to uphold and verify compliance due to their legacy systems. Cloud technology providers understand this struggle and are upgrading their offering for greater compliance and security. They will prove to be strong partners in compliance going forward as new laws and regulations arise.
About the author:
Mike Mason is the senior product marketing manager at FairWarning. Mike has oversight and financial responsibility over nearly every aspect of FairWarning’s marketplace communications and education efforts. Mike’s efforts are directed at telling the company’s story and its customer stories from an authentic point of view. Mr. Mason was previously a product manager for Rakuten MediaForge.