Compliance and Security - A perfect symbiosis

Why the need for stricter compliance and security standards in BFSIs?

Compliance and security go hand-in-hand to create a robust networking system. Adhering to industry regulations and standards ensures that your systems are IT compliant while securing your systems and data from theft and unauthorized access secures your network and infrastructure. Banking, Financial Services, and Insurance companies (BFSIs) are offering more personalized digital services to customers thus mandating the use of cloud computing for storage and other benefits. Although initially hesitant to get on the cloud bandwagon, the benefits of using the cloud were too many to ignore.

Cloud Computing – the way forward

Improved customer relationships, adhering to compliance standards, data analysis, and fraud detection are a few of the advantages of cloud computing. With an increasing need to protect customer information and their financial products and services, BFSIs are now adopting cloud security with much gusto. Finance companies especially banks have now understood that cloud computing helps meet their business objectives while delivering a great customer experience leading to tremendous market growth. Cloud infrastructure provides a secure environment provided by Cloud Service Providers (CSPs) who provide a shared responsibility model. CSPs secure hardware and infrastructure across regions, databases, and networking software. Vendors such as SaaS (Software as a Service) keep applications secure on the cloud. With the rapid advancement in information technology, it has become challenging to keep up with new compliance and advanced security measures.

How cloud manages compliance?

It’s not only data that is moved to the cloud, but also business-critical applications, thus rendering the need for regulatory compliance by financial institutions. Although cloud services are designed to comply with the regulatory standards, it is mandatory to incorporate security measures as well. These can be included in the contractual agreement between the company and the CSP. Cloud-based tools regularly update customer data policies and procedures. Banks and other financial institutions can automatically update regulatory reports on the cloud. With increased business resiliency comes business continuity.

How are compliance and security different?

Simply put, compliance decides the frameworks and guidelines inside which the organization needs to function whereas security is the actual physical control and control over who has access to the network. Although security takes priority over compliance at a given point in time, it is a critical business requirement. Security implies protecting the network, the users, and all the physical devices within the framework given by the compliance team. Compliance largely depends on the organization’s data type and security processes. Companies usually have some basic security in places such as a firewall or antivirus software. Converting this into a compliant IT system is what is important. Thus, a coordinated alliance between security and compliance will go a large way in determining that security won’t degrade over time, all the while ensuring that the compliance standards are met for auditing purposes.

How to check if your system is secure and IT compliant?

A compliant and secure IT network of your company helps build trust in your investors and clients. The security team initially assesses the network for loopholes and plugs in the defective areas. Then compliant frameworks are used to find shortcomings if any.

• Assess the security tools that are in place currently
• Assess the risk it poses for the type of information it processes
• Understand the framework and guidelines
• Compare it with your current situation and identify the gaps, if any
• Itemise the deficiencies in order of priority to be solved
• Check the various solutions provided for their efficacy
• Last but not least do regular assessment, which is crucial for success
  

Thus, it can be concluded, that compliance and security go hand-in-hand and are not exclusive of each other. A symbiotic relationship between security and compliance helps the organisation to keep data at its secure best and its reputation intact in the public domain.

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law that pertains to data protection and privacy practiced in the European Union (EU) and the European Economic Area (EEA). It is an important component of the EU privacy and human rights law. It basically ensures that there is data protection and privacy at every step of the way. The EU takes data protection and privacy very seriously and GDPR simply standardizes it. GDPR further ensures that the same standards are used across all countries. It also has the authority to penalise companies that don’t adhere to them.

What does GDPR Compliance mean for the BFSIs?

GDPR ensures protection for all EU citizens and those living in the EU countries. It is important to note that even if companies are located outside the EU and yet store and process data of EU and UK citizens, they have to comply with the GDPR. The company and its HR team is responsible for ensuring compliance as non-compliance comes at a high price, a penalty of 4% of annual global revenue or 20 million pounds, whichever is greater. Thus, GDPR makes good business sense apart from being a legal requirement. It works perfectly well for both customers and businesses as the guidelines are clear with no room for confusion.
Finance companies such as banks are a storehouse of very sensitive data such as profits, sales, banking details of customers, payment details of suppliers, employee salaries etc. And this information is stored in myriad forms: on-location servers, in the cloud, on PCs, cabinets, desktop trays etc. For finance companies, ensuring GDPR compliance means increased individual rights, wider scope of accommodating customer requests and regulatory queries, stronger enforcement, and accountability. GDPR will ensure that all documents are kept securely in archives in a single location or multiple locations to prevent unauthorised access. Customers will have access rights to documents and also the right to destroy data pertaining to them, in accordance with statutory accountancy rules. GDPR helps finance companies to convert paper-based finance processes into electronic document management that saves time and cost.

Who is a GDPR DPO and what is his role?

GDPR mandates the appointment of a Data Protection Officer (DPO) in certain cases: where the data processing is carried out by a public authority, where there is large scale monitoring required due to the processing of large amounts of data, and finally where the processing of special categories of data is required such as those relating to criminals’ convictions and offenses. The DPO holds a unique position bound by strict confidentiality clauses and reports only to the highest level in the organisation. The DPO’s roles are clearly outlined in the article 39 of the GDPR.

• To outline the legal GDPR obligations to the organisation relevant to the EU member state
• To track and monitor GDPR compliance for the organisation
• To impart training to the employees with regards to GDPR compliance
• To deal with questions regarding data processing
• To communicate and cooperate with the relevant authority in the company, for instance the Information Commissioner’s Office (ICO) in the UK
• To be the one-point authority on all matters related to the GDPR
  

Synergetic roles of the DPO and CISO – why they should work together?

It is important for the DPO and the CISO (Chief Information Security Officer) to work closely together to ensure that data is transmitted safely, securely, and legally from one place to another benefitting the organisation by saving time and money. At the time of product inception such as cookie creation processes, if the DPO and CISO work together it is possible to build data protection into the company’s products. CISO’s concerns usually rest with security whereas the DPO’s priority will always be privacy concerns. By collaborating together, they ensure the security and privacy of the created cookies. The joint working of the CISO and the DPO also comes in handy while dealing with security breaches and privacy violations. DPO acts as the advisor to the company and performs risk assessment while auditing the CISO’s existing security infrastructure. In case of data minimisation where unnecessary data is not processed, it is the role of the DPO to ensure storage of the least amount of data thereby shrinking the attack surface and helping the CISO maintain a high level of security.

Conclusion

Banking, Financial Services and Insurance companies deal with voluminous amount of data that has become increasingly difficult to store and access. Cloud computing provides enhanced security with the much-needed secure environment to easily manage data. What’s more it helps in detecting fraud which is rampant in the financial sector. Businesses, today, are all about customer management. Cloud technology is used to meet business objectives while delivering a great customer experience. Companies are now rethinking ways to operate within the frameworks provided by the GDPR. A common challenge these days is to strike a balance between the DPO, mandated by the GDPR and the CISO of the company. This obviously is the result of the complexity of regulation standards looked after by the DPO and the variety of functions performed by the CISO. But once the roles are defined perceptibly, it is smooth sailing than on.