The Need for Sensitive Content Communications Privacy and Compliance in Financial Services

By Tim Freestone, Chief Strategy and Marketing Officer, Kiteworks

For some time, the financial services industry has been at the forefront of a sophisticated and evolving digital landscape. It has witnessed rapid and transformative technological advancements that have delivered new services to customers and driven a myriad of operational efficiencies. However, the movement of more and more confidential data into the digital space and it being regularly exchanged with first and third parties has not gone unnoticed by those with unscrupulous intent. This had made the financial industry to continue to be a top target for cybercriminals. In fact, according to CrowdStrike’s 2023 Global Threat Report, the financial sector is now the second most frequently targeted vertical after the technology vertical. Among the data that is being targeted, Verizon’s 2023 Data Breach Investigations Report (DBIR) found that personally identifiable information (PII) is the top target of bad actors – making up almost three quarters (74%) of attacks. It has got so bad that 96% of financial services organisations tell us that they have experienced four or more exploits of sensitive content communications in the past year alone.

Too many disaggregated tools for sensitive content communications

Our Sensitive Content Communications Privacy and Compliance Report last year revealed that financial services firms today struggle to manage file and email data communication risks. Both within their organisations and with third parties. One of the reasons is the large number of systems that financial organisations use to send and share private data today. So much so that nearly seven in ten financial institutions have six or more sensitive content communication systems in place. No wonder they are struggling to secure them.

Ranking third-party content communications risk

Those systems are not just being used to send data internally either. In fact, financial organisations rank among the highest of any industry when it comes to the sheer number of different systems used to send and share content communications outside of the organisation with third parties. Six in ten (60%) use six systems or more. Surprisingly, in terms of ranking, web forms are at the top of the list, with a quarter (25%) of respondents giving them a number one ranking. When ranks one and two are factored together, email caught up with web forms, with 41% giving each a number one and two ranking. One of the ways email poses such a risk relates to challenges with its encryption. Specifically, when recipients cannot decrypt an email due to it being encrypted in a format not supported by their organisation. Out of the other applications thought to present the biggest risk, application programming interfaces (APIs) came in second, with 30% of respondents ranking them at number one and two.

Somewhat surprisingly, governance plays an important causation role here. Less than a third (31%) only track and control access to sensitive content folders for certain content types. While only another 37% only do so for certain departments.

Whilst it is true that risk management of third-party content communications is seen as a problem across industry sectors, financial services is one at the top of the list. Because of this, a new approach is required or at the very least the current approach requires significant improvement.

Better digital risk management is required

The current lack of robust digital rights management (DRM) is undoubtably a big part of the problem. Having said that, weaknesses across different financial service organisations are not the same. Whilst two in five (43%) of respondents said they have administrative policies in place for tracking and controlling content collaboration and sharing on-premises but not in the cloud. At the same time, one in five (21%) said the opposite. Namely, that they have tracking and controls in place for the cloud but not on-premises. Worryingly, only slightly more than a third indicate they have digital risk management capabilities in place for both the cloud and on-premises.

A potential game changer

A change is needed. A Private Content Network could be the answer. A Private Content Network employs a content-defined zero-trust approach that would enable financial services organisations to unify, track, control, and secure all their sensitive content communications into one single platform. This would allow financial services organisations to track and control access to files and folders, who can edit and share them, and to whom and where they can be shared. This could be a game changer as doing so would enable financial firms to ensure private personally identifiable information, intellectual property, client financial records, insurance claims, and more would remain private and in compliance with increasingly stringent global regulations.