Outlook 2020: Integris FinServ Data Privacy Maturity Study
Integris Software recently surveyed an exclusive community of 258 top business executives and IT decision-makers across financial services, retail, government, and healthcare organizations to compile a series of reports to determine privacy practices, challenges, data complexities, and preparedness to comply with privacy regulations.
The latest financial services report, entitled the “Integris Software FinServ Data Privacy Maturity Study,” collected data from a broad pool of financial services industry respondents, with nearly half representing companies that surpassed $10B in annual revenue.
The financial services industry continues to fall victim to breaches and is a top target for cyberthreats that expose and capture personal data. For example, this year First American Financial leaked hundreds of millions of sensitive documents related to mortgage deals because they were unknowingly stored without protection on their website. Boston Consulting Group also found that cyberattacks hit financial services firms 300 times more than other companies. In addition, this challenge is growing exponentially, with the sector reporting 819 cyber incidents in 2018 versus 69 incidents in 2017.
Despite being one of the top industries targeted for data theft, we found that finance professionals were still overconfident in their ability to protect sensitive information, with 75 percent of respondents being “Very confident” or “Extremely Confident” in their data management efforts. The research found that even with large investments in data privacy management teams and technology, financial services is still taking a major hit from cyber criminals and has a ways to go with respect to protecting personal data.
To help alleviate these issues, the financial industry is starting to use more automated data privacy management tools to increase real-time visibility, comply with regulations and meet data subject requests (DSRs) to furnish or delete personal information.
Top findings from the data privacy research include:
FinServ invests the most in data privacy management: The financial services industry spends the most on data privacy management, but is it getting a positive return on investment? It is also increasing data privacy budgets within InfoSec departments, showing it recognizes the need to improve privacy practices as part of a broader data protection strategy.
- Nearly all organizations – 92 percent – had a dedicated data privacy management budget. Many are also investing large budgets, with 28 percent providing more than $5 million per year, nearly double what healthcare spent at this level.
- Over the next year, 92 percent expect to increase privacy management budgets. Nearly a fourth of respondents (23 percent) predicted a privacy spending increase of more than 25 percent.
- The finance industry also had the largest internal data privacy teams in the study with 40 percent having 50 or more people (nearly triple the 17 percent of healthcare privacy teams this size).
Misplaced confidence in data privacy practices: Despite large data privacy investments, the industry still needs to improve its ability to manage sensitive data across systems.
- For example, financial data is extremely widespread. A single bank transaction can be replicated across 100 systems, making it virtually impossible to manually monitor personal information as it travels throughout an organization.
- The finance industry must search more locations to find sensitive customer data than any other sector, with 20 percent of respondents needing to search 200 sources to find all data (more than double the healthcare industry). In total, 64 percent needed to search 50 or more sources to find all data on a customer.
- Meanwhile, 24 percent of respondents only update their personal data inventory once a year. Even more concerning, 13 percent only compile sensitive data when audited or in response to regulation requests.
- Virtually all respondents – 94 percent – share sensitive customer data with third-party partners. More than 45 percent had at least 50 data-sharing agreements in place, which was the highest of all industries. The more data-sharing agreements an organization has, the more challenging it is to enforce their terms and manage all personal information held on a customer across companies.
- As such, finance organizations were also much more confident in their ability to comply with data sharing agreements than in their partners’ ability to reciprocate in kind – 75 percent of respondents were “Very confident” or “Extremely Confident” in their compliance efforts vs. 50 percent in their partners.
Growing interest in automation: To help alleviate these issues, the financial industry is starting to use more automated data privacy management tools to increase real-time visibility, comply with regulations and meet data subject requests (DSRs) to furnish or delete personal information.
- Those who take real-time inventory of personal information with automated tools are much more confident in knowing what sensitive data they have and where it resides – 52 percent were “Extremely Confident” vs. only 3 percent who didn’t take real-time inventory.
- Overall, 84 percent of those who take real-time inventory rather than periodic, manual surveys were “Very Confident” to “Extremely Confident” in their ability to know where personal data resides across systems.
- Organizations that take real-time inventory could also immediately tell which customer data had been breached – 89 percent vs. 59 percent who didn’t have real-time data discovery and classification tools.
How Financial Organizations Can Increase Data Privacy Returns
These findings and the ongoing privacy challenges facing the financial industry show a need for continued investment to improve sensitive data discovery and classification across all data types. Having a dedicated privacy team and budget isn’t enough; organizations need to:
- Harness automated tools to continuously monitor and map sensitive customer data they collect across locations through their own transactions and from data-sharing agreements.
- Maintain continuous compliance with privacy regulations by having real-time visibility into the personal information traveling throughout their systems, enabling better tracking and quicker DSR fulfillment response times.
- Establish and enforce their own data retention policies that are stricter than what is required by privacy regulations to minimize data breach fallout and maintain consumer trust.
While the finance industry is leading the way for data privacy maturity across sectors, its volume of severe security breaches is still concerning. We hope this study helps identify areas for improvement and encourages organizations to improve their sensitive data discovery and classification capabilities, and privacy management practices.