Data protection 

Warning about data security at financial services firms

Warning about data security at financial services firms

Financial services firms are still struggling to secure data effectively, an IT firm has warned days after the regulator hinted at new supervisory work in the field.

Research from Claranet found two-thirds of businesses were lacking in data management, casting doubt on their ability to comply with the incoming General Data Protection Regulation (GDPR).

GDPR is a cross-Europe regime which comes into force on 25 May with the aim of strengthening data protection rules across the continent.

Despite the impending deadline, 69 per cent of firms said they were not able to secure customer data effectively.

Almost half (45 per cent) of the some 750 IT decision-makers said they had encountered challenges around securing customer details when trying to improve the digital user experience for customers.

This pointed to a "distinct lack of capability" when it comes to managing security in a reliable manner, Claranet said.

Michel Robert, UK managing director at Claranet, said: "There can be little doubt that data security is the most pressing issue facing financial businesses today and that sound security practices are the foundation on which these organisations are built, but our research confirms this is an area in which most financial institutions are failing. 

"Thinking more broadly, the fact that almost seven in ten organisations can’t guarantee the security of their customer data is particularly concerning."

The Financial Conduct Authority (FCA) said at last week’s Association of British Insurers annual conference (27 February) it would do further work on insurance firms’ data protection efforts after detecting failings, including possibly a new thematic review.

GDPR includes rules such as the right to erasure, meaning someone can request the deletion of their personal data, and the right to access, meaning someone can demand information on how their data is being used and a free copy of their personal data.

It also introduces the right to data portability, which means a person must be able to transfer their personal data from one system to another without being prevented by the handler of their data.

Meanwhile explicit consent must be obtained for the collection of data and all the purposes it is used for, while all data breaches must be reported within 72 hours.

Almost six in ten (57 per cent) firms identified security as one of the biggest challenges facing their organisation’s IT department, while 63 per cent stated their security procedures and requirements held back their ability to innovate, according to Claranet.

The research also found IT teams were struggling to acquire the skills and expertise necessary to fix the problem.

Mr Robert said: "Part of the problem derives from the fact that most internal IT teams don’t have the skills, expertise or the time to keep up with the rapidly changing threat landscape as it’s not their core area of focus. 

"Our research has shown that organisations are very much aware of this problem, but also that they are still some way away from solving it."