Data protection
5 March 2018

Warning about data security at financial services firms


Research from Claranet found two-thirds of businesses were lacking in data management, casting doubt on their ability to comply with the incoming General Data Protection Regulation (GDPR).

GDPR is an EU-wide regime that applies from 25 May 2018, with the aim of strengthening data protection rules across the continent.

Despite the impending deadline, 69 per cent of firms said they were not able to secure customer data effectively.

Almost half (45 per cent) of the roughly 750 IT decision-makers surveyed said they had encountered challenges around securing customer details when trying to improve the digital user experience for customers.

This pointed to a "distinct lack of capability" when it comes to managing security in a reliable manner, Claranet said.

Michel Robert, UK managing director at Claranet, said: "There can be little doubt that data security is the most pressing issue facing financial businesses today and that sound security practices are the foundation on which these organisations are built, but our research confirms this is an area in which most financial institutions are failing. 

"Thinking more broadly, the fact that almost seven in ten organisations can’t guarantee the security of their customer data is particularly concerning."

The Financial Conduct Authority (FCA) said at last week’s Association of British Insurers annual conference (27 February) that it would do further work, possibly including a new thematic review, on insurance firms’ data protection efforts after detecting failings.

GDPR includes rules such as the right to erasure, meaning someone can request the deletion of their personal data, and the right of access, meaning someone can demand information on how their data is being used and a free copy of their personal data. The right to erasure is not absolute: data can be retained where it is still needed, for example to meet a legal obligation.

It also introduces the right to data portability, which means a person must be able to obtain the personal data they have provided in a commonly used, machine-readable format and move it to another provider without being hindered by the organisation holding it.

Meanwhile, where firms rely on consent to process data, that consent must be freely given, specific and informed for each purpose the data is used for, while personal data breaches must be reported to the regulator within 72 hours of the firm becoming aware of them, unless the breach is unlikely to pose a risk to the individuals affected.

Almost six in ten (57 per cent) firms identified security as one of the biggest challenges facing their organisation’s IT department, while 63 per cent stated their security procedures and requirements held back their ability to innovate, according to Claranet.

The research also found IT teams were struggling to acquire the skills and expertise necessary to fix the problem.

Mr Robert said: "Part of the problem derives from the fact that most internal IT teams don’t have the skills, expertise or the time to keep up with the rapidly changing threat landscape as it’s not their core area of focus. 

"Our research has shown that organisations are very much aware of this problem, but also that they are still some way away from solving it."

To address the shortcomings, businesses are set to ramp up their investments in IT security, with 55 per cent of businesses expecting to increase their IT budget across the entire organisation by at least 5 per cent next year, the research found.

Mr Robert said firms’ attitudes towards this problem were encouraging, but warned it was important to recognise that more needed to be done, particularly in cybersecurity.

Scott Gallacher, an adviser at Rowley Turton, said the data protection issue had been blown out of proportion and that most firms, including insurers, would be expected to be compliant come May.

But he said it remained a grey area how long after a relationship ended a client could still bring a claim, and that deleting client files prematurely could create problems.

He said: "The main issue is around informed consent. For most adviser firms there will be a few things to do but it doesn't seem to be as challenging as some are making it out to be.

"When the client ceases to be the client that is when the potential problem starts. Because the question is how long do we have to keep the data from a protection [against client claims] perspective."

carmen.reichman@ft.com