Best practice data security for financial services
When it comes to securing personally identifiable information (PII), the financial services sector faces some unique challenges. Account access and financial gain are among the most common objectives for cyber-criminals, so the very nature of account and transactional data makes it an attractive target.
The threat landscape
Although not an early adopter, the financial services sector has embraced digital transformation since the turn of the millennium. Fintech is a rapidly growing market, with digital payments driving a CAGR in double digits and transaction values exceeding $5 trillion in 2020. The volume and sensitivity of transactional data mean network data security is a priority.
In its 15th annual Cost of a Data Breach report, the Ponemon Institute highlights the financial services sector as having the third highest average cost of a breach; at $5.85 million it is 50% higher than the global industry average of $3.9 million. Whilst human or systems errors still account for a large number of data breaches every year, malicious attacks now account for the majority (52%) of all data breach incidents.
Systems errors, misconfigured infrastructure and software vulnerabilities represent points of ingress for hackers and cyber-criminals, and were the root cause of over 40% of malicious attacks in 2020. Although there has been a noticeable increase in state-sponsored cyber-attacks in recent years, the majority are still financially motivated.
Much of what we consider to be the modern digital experience adds both complexity and risk to financial data security. When we look at the factors that negatively impact the cost of a breach (i.e., increase the cost), we can see that their influence is on the rise.
Remote working is a typical example. The more likely an individual is to be a remote or mobile worker, the greater the risk. Similarly, the adoption of cloud computing (or the migration of additional workflows to the cloud) and the extensive use of IoT technologies expose data to a wider range of threats.
High profile incidents
Financial institutions have been the victims of some huge, high-profile breach incidents over the past ten years. In 2013 a massive breach of over 160 million credit and debit card records was discovered. For over 7 years a hacking ring had been targeting payment processors and chain stores, leading to a number of prosecutions.
In 2017 a breach of Equifax’s database exposed the names, credit card details, addresses, dates of birth and other personal details of over 140 million customers in the UK and North America. At the beginning of 2021, there was another massive breach, this time of over 220 million records from Experian in Brazil.
Industry-specific compliance obligations, coupled with emerging data protection legislation, make the financial services sector one of the most tightly regulated. Sources as diverse as the FSA, PCI/DSS, Euro SOX, the DPA and GDPR all have implications for the security of financial data.
Compliance obligations aside, enforcement of the GDPR has served as a reminder that financial penalties await those who do not treat their data with care. Financial services organizations are amongst those that have been hit with substantial fines recently.
Much of the financial data that travels across today’s infrastructure has long-term value, so protection needs to extend beyond current requirements into a quantum future. The extensive use of encryption technologies in financial services applications currently offers a degree of data protection: it is actually the 2nd most important factor to reduce the cost of data breaches and is required by most compliance regulations. However, the advent of the quantum computer will render much of today’s cryptographic apparatus redundant.
To combat this, cybersecurity professionals are turning to quantum technologies to provide long-term data protection, integrity and authenticity. The security of Public Key Infrastructure is dependent upon the degree of randomness used to generate encryption keys. Quantum Random Number Generators are used as a source of true randomness (entropy) to enhance the security of a range of financial services applications, including authentication, data encryption, digital signatures, access control, high-speed trading and more.
One of the biggest data security challenges facing financial services organizations and applications is the time it takes to identify and contain a breach. In 2020 it took an average of 280 days. During this time, there is enormous scope for irreparable damage to take place. A highly effective solution is Quantum Key Distribution (QKD), which provides an additional layer of security to encryption platforms, delivering a secure channel for key exchange. Any attempt to intercept the data is detected as soon as the key is exchanged with the receiver, alerting authorized users and deleting the compromised key material. Quantum-Safe encryption is therefore the next logical step.
Quantum in action
While the world awaits the arrival of the quantum computer with a mix of anticipation and trepidation, quantum technologies are already being used in a wide range of financial services applications. IDQ has deployed multipoint encryption to secure global WAN infrastructure and 10Gbps Ethernet links with QKD to secure back-up and disaster recovery services, and even ERNIE, the machine responsible for randomly drawing premium bond numbers in the UK, is powered by a QRNG. Several finance and banking apps are even leveraging QRNG through smartphones equipped with the technology. Among the most notable examples are the partnerships of SK Telecom with DGB Daegu Bank through the quantum-powered banking service IM Bank, as well as with Standard Chartered, which will be using quantum security through its mobile banking app.
The Quantum Vault, developed for Mt Pelerin, is another example of how quantum technologies are securing the future of financial data. The solution features both QRNG and QKD technologies to deliver state-of-the-art security for a digital asset custody (DAC) solution. Suitable for all types of crypto-asset, on any blockchain, the Quantum Vault addresses the security challenges of storage and back-up for high-value assets.