Information security in Financial Services: what to look for in your technology partners

Data is one of an organisation’s most important assets. Accordingly, Data Protection is not just a legal necessity; it’s crucial to protecting and maintaining your business. Aside from reducing opportunities for thieves and fraudsters to steal data, commit identity fraud and other financial crimes, keeping data secure plays a crucial role in maintaining confidence in the integrity of the financial sector and service delivery channels. Data Protection initiatives should also increase consumers’ awareness of the need to take responsibility for keeping their data safe. 

An IBM Security report released earlier this year noted the average cost of a data breach in the Finance industry is $5.97 million - second only to the Healthcare industry ($10.1 million). Furthermore, 83% of the organisations studied had experienced more than one data breach, with 60% of breaches leading to increases in prices being passed on to customers.  

Cost is one way to quantify the effects of a breach, however it does not convey the scale and complexity of the processes and activities driving this expenditure, namely detection and escalation, notification, post breach response and lost business. Each of these could include a range of tasks or committees dealing with everything from audit services and crisis management to paying regulatory fines and reputational risk response. 

For most, this process takes longer than desired, particularly for those without a structured or mature information security management system (ISMS). According to the same report, the average time for a typical business to detect and contain a data breach is now 277 days - 207 days to identify and 70 days to contain. To put that into perspective, a breach that occurred on 1 January would take until 4 October to contain. 

 

Information Security vs Data Privacy  

It’s important to make the distinction between Information Security and Data Privacy. Data Privacy addresses the governance of personal data – how it is collected, shared or used. Information Security focuses on how data is protected from external and internal threats, and exists as the measures, policies, and technologies taken to protect data. While not the same, Data Privacy and Information Security are linked and complementary to each other, and successful implementation of either is reliant on some similar obligations.  

Looking a little deeper, Information Security is the main prerequisite of Data Privacy. The privacy of data is reliant on a maintained level of good security from unauthorized access or malicious attacks that could lead to the exploitation of data. Additionally, Information Security will enforce the integrity of that data, ensuring it is accurate, reliable, and available to authorized parties.   

And what is Data Protection? Simply, it is the union of security and privacy. As both deal with their own unique challenges, their combined efforts ensure protected, usable data. 

 

Technology partners and Information Security  

Software and technology can transform an organisation, making it more efficient and productive and potentially delivering greater value to your customers.  While it is crucial to find partners who align with your business goals and priorities, the single greatest consideration is often downplayed or overlooked; is the solution or service they’re providing secure?  

Your partners have an immense responsibility dealing with your highly sensitive data, and it is important to ask the right questions to assess how secure your data will be when working with a potential partner. For example, questions could include: 

  • What do your Information Security protocols look like?  
  • Where will our data be stored?  
  • What measures do you have in place to ensure customer data is protected?  
  • Do you separate customer data from the main infrastructure?  
  • What types of information about my environment would be logged, and how long are logs available?  
  • Do you work with third parties to deliver your solution? If so, what are their security protocols?  
  • Does your Disaster Recovery plan sufficiently address Information Security concerns? Do you perform tests?  
  • Have you achieved any recognised Data Protection standards?  

While detailed and comprehensive answers will have weight, the attestations and certifications your potential partner holds will ultimately show how seriously they take Information Security and how important the security of your data is to them.  

 

Technology partners and certifications  

Scrutinising your potential partners’ security practices is fundamental in ensuring that they add as little risk as possible. Some of the essential attestations and certifications your potential technology partner should hold include ISO 27001, Financial Services Qualification System (FSQS), and System and Organization Controls (SOC) 1 and 2. Let’s investigate these further. 

  • ISO 27001 is an auditable international standard that defines the requirements of an information security management system (ISMS) - a set of policies, procedures, processes and systems that manage information security risks. Certification demonstrates that an organisation has defined and put in place best-practice information security processes. It is important to note that some organisations attest to the standard as a framework, but choose not to get certified.  
  • The Hellios Financial Supplier Qualification System (FSQS) is a community of financial institutions including banks, building societies, and investment services. The FSQS standard is methodology for collating and managing supplier compliance assurance information across the financial sector. Key areas include health and safety, fraud, business continuity and financial insurance, and meeting FSQS requirements demonstrates strong GDPR compliance. 
  • Service Organization Control (SOC) for Service Organisations are internal control reports based on a framework set out by the American Institute of Certified Public Accountants (AICPA). These reports detail the services provided by a service organisation and include information required to assess and address the risks associated with an outsourced service.  

A SOC 1 report has a financial focus; it includes service organisation's internal controls that could impact their clients' financial reporting. A SOC 2 report addresses criteria for satisfactory internal controls relevant to a service organisation's services, operations, and compliance. Additionally, a SOC 2 report includes controls outlined by the AICPA's Trust Services Criteria (TSC).   

A SOC 2 report covers five Trust Services categories: security, availability, processing integrity, confidentiality, and privacy. It is worth noting that assessment is not required across all criteria; some organisations may select criteria relevant to specific industries or sectors, but security is the accepted baseline. At Lendscape, we concentrate on security, availability and confidentiality, in alignment with our clients.   

It is also worth highlighting the two types of examinations of SOC reports - Type 1 and Type 2. A Type 1 examination looks at the description or design of controls at a specified point in time, while a Type 2 examination also looks at the design of controls but includes testing the operating effectiveness of these controls over a period of time (as a general rule, six months is the minimum).   

While ISO is an internationally recognised standard and SOC is a US-based standard, the latter has gained traction internationally in recent years. SOC reports are thorough and detailed, particularly when it comes to information about the controls and processes in place, which is the reason why this standard is favoured in heavily regulated sectors such as finance. For example, a SOC 2 report covers the design of hosted services, the platform environments, the different processes in place, organisation charts, roles, profiles, performance, communication, risk assessment, monitoring activities, and internal audits.   

Information Security has never been more critical. As we highlighted earlier above, the fallout of a data breach can include hefty fines, reputational damage and time and lengthy, resource-draining processes.  Information Security may start with your organisation's software security awareness and knowledge of your products, yet knowing your risk level and being in sync with your IT team is increasingly important. 

When researching software and technology partners who may have access to sensitive data, be sure to undertake a thorough assessment of their data protection practices, requesting details of their security standards and certifications. 

 

Learn more about how Lendscape keeps your data safe and secure.  

Article written by:

Iain Gomersall