Key Points:

• Data security is becoming increasingly important as financial services deepen their reliance on SaaS applications and cloud providers, posing new data protection and compliance challenges.
• Financial institutions (FinTech), are prime targets for hackers due to the valuable data they store, such as bank account details and social security numbers. This data can be used for fraud or sold on the black market.‍
• They must comply with stricter data security regulations than most organisations, such as PCI DSS 4.0 and GLBA. They also store data in a variety of places, including data centres, the cloud, and on-premise servers. All of these locations require robust security measures.
• In our 2024 ‘The State of Data Security in Financial Services’ report, we dissect our own proprietary data to understand how financial services companies are navigating data security.
• Financial institutions can protect their data by using a variety of methods, such as data security software, employee security training, data minimisation, encryption, strong access controls, system monitoring, regular risk assessments, software updates, supply chain security, and incident response plans.

In 2023, the global fintech market size hit $226.71 billion, and research from the World Economic Forum suggests that it’s going from strength to strength.

With the majority of FinTech's specialising in digital payments and lending, there is a significant amount of sensitive data being stored within their systems and networks, including bank details, home addresses, and more.

So, how can FinTech organisations protect one of their most valuable assets?

We take a closer look at why financial organisations are typically targeted by hackers, and the best ways to ensure their sensitive data is protected.

What sensitive data do financial organisations hold?

FinTech companies handle sensitive data on a daily basis, due to the nature of their work.

They will hold Personally Identifiable Information (PII) such as names, addresses, social security numbers, and contact details, as well as specific pieces of financial information that can be very attractive to fraudsters.

For instance, a FinTech organisation will store data such as bank account numbers, credit card numbers, and transaction details, that can prove valuable to those who want to sell data on, or take advantage of it themselves.

Because financial institutions, including fintech companies, are handling more sensitive data than most, they are held to more rigorous standards, and must adhere to more regulatory financial compliance requirements such as PCI DSS 4.0, and GLBA.

Why are financial organisations targeted more than most?

In 2023, finance surpassed healthcare to become the most breached industry, according to a report by Kroll.

Due to the amount of sensitive data they hold, and the types of financial data they store, financial organisations are often targeted for the valuable data they have on record. This type of data can be used for fraudulent purposes, including making transactions from an individual’s bank account into a hacker’s account, or sold on the dark web.

As financial organisations also handle large amounts of money, criminals may target them for monetary gain, such as using ransomware to withhold data until a significant fee has been paid.

It’s crucial that financial organisations stay one step ahead when it comes to protecting their infrastructure; the more sophisticated cyber attackers become, the more vulnerabilities they can find to exploit in complex, often interconnected, systems, networks, and databases.

📝Report: The State of Data Security in Financial Services

In our 2024 ‘The State of Data Security in Financial Services’ report, we dissect our own proprietary data to understand how financial services companies are navigating data security. You'll find:

• The pivotal data types that hold significance for Financial Service Companies
• A comprehensive understanding of the risks posed by stale data and effective management strategies
• Compelling reasons why financial institutions should prioritise attention to access controls

Where is sensitive customer and financial data held?

FinTech companies can store sensitive data in a number of locations, depending on the tools they use, and the infrastructure they have in place.

Many organisations will have their own data centres or use third-party data centres to store and manage sensitive data. Having their own data centres ensures they have full control over their data and how it is handled, including using security measures such as firewalls, encryption, and physical access controls to prevent any leakage of sensitive data.

Any third-party data centres or payment processors handling sensitive data on behalf of a financial service provider should be vetted thoroughly to ensure that they have stringent security measures in place, and will remain compliant with industry regulations.

With businesses now working across countries and borders, cloud services are often employed to store customers’ financial data too, so that it can be accessed from anywhere at any time. This comes with its own security risks, as organisations must ensure that the correct access controls are in place, as well as additional factors like multi-factor authentication, and data is securely stored to mitigate the chances of a bad actor accessing data in the cloud, or an employee accidentally leaking sensitive data by storing data in the wrong environment.

Finally, financial data can also be held on secure servers within the organisation’s premises, which require physical security measures to ensure sensitive data isn’t accessed by unauthorised individuals.

Regular data risk assessments and a holistic data security posture can help FinTech companies keep sensitive data protected, and retain the trust of their customers.

What SaaS applications are used in the finance sector?

• Cloud-Based Accounting Platforms: These tools hold sensitive financial data, including transaction histories and corporate financial statements, with the primary risk being exposure to data breaches that could compromise confidential information.
• CRM Software: These systems contain personal client information, sales data, and interaction logs, posing risks related to compliance with data protection regulations.
• Payment Gateways: They process payment details, transaction records, and authentication data, where the main risk entails data corruption that could disrupt transaction integrity.
• Project Management Tools: These applications store project plans, communications, and internal documentation, with unauthorised access being the key risk that could lead to data leaks or manipulation.

Financial Compliance Issues with SaaS Apps

The integration of SaaS solutions in finance has its compliance hurdles. Issues like data sovereignty, data encryption, standards, and third-party risk management are at the forefront, necessitating a careful approach to ensure regulatory conformity:

• Data Localisation and Sovereignty: Many regulations require storing financial data within certain geographical boundaries. Often hosted globally, SaaS tools can inadvertently breach these rules by storing data in locations not compliant with national regulations.
• Access Controls and Identity Management: Compliance with standards like the GDPR and HIPAA demands strict control over who can access sensitive data. SaaS tools must have robust identity management and access control systems to prevent unauthorised access and breaches.
• Encryption and Data Security: Compliance regulations like PCI DSS 4.0 require that sensitive data, especially payment information, be encrypted in transit and at rest. Ensuring that SaaS providers comply with these encryption standards is a significant challenge.
• Audit Trails and Activity Monitoring: Compliance frameworks often necessitate detailed audit trails of data access and modifications. SaaS applications must be capable of providing comprehensive logging and activity monitoring to satisfy these requirements.
• Third-Party Risk Management: When third-party SaaS providers handle financial data, institutions must ensure these vendors comply with relevant regulations. This includes managing the risks associated with vendor security practices and data handling procedures.
• Incident Response and Reporting: In the event of a data breach, regulations like the GDPR require prompt incident response and reporting. SaaS solutions must have quick detection, response, and notification mechanisms per these legal requirements.

Financial institutions must understand these security issues and develop comprehensive strategies to address each, ensuring a secure and compliant SaaS environment.

What are cyber attacks trying to achieve by accessing sensitive data?

Primarily, cyber criminals will be aiming to access sensitive data for financial gain, hoping to sell data on, commit fraud, or make unauthorised transactions. However, they can also be looking to gain notoriety among other cyber criminals by hacking into the systems of large financial institutions who should have a resilient cybersecurity posture in place.

Other motives involve being paid for corporate espionage by rival companies, or deliberately sabotaging organisations if they do not agree with actions they have taken.

The challenge for FinTech companies is that a cyberattack not only damages them financially, it can also leave lasting effects on their reputation too. As a result, their customers and partners can lose trust in them, which can lead to a loss of business.

Unravelling the Anatomy of Financial Cyber Attacks

Far from being random, cyber attacks in the financial sector are executed through a phased approach, each designed to escalate the attacker's influence over the compromised infrastructure.

Step 1: Reconnaissance

Attackers gather information on potential vulnerabilities within SaaS applications used in finance. This includes scanning for weak spots in public cloud-based accounting systems, CRM tools, and other SaaS offerings of cloud vendors that manage sensitive financial data.

Step 2: Initial Penetration

Using identified vulnerabilities, cybercriminals often deploy social engineering—from generic phishing scams to highly targeted spear-phishing attacks—to gain initial access. This step may involve manipulating users or exploiting weak authentication processes despite the presence of security measures like Multi-Factor Authentication (MFA) and Single Sign-On (SSO).

Step 3: Expansion of Access

Once inside, attackers aim to broaden their access. They may capture session tokens or exploit SSO configurations, allowing them to store data and traverse interconnected SaaS platforms seamlessly.

Step 4: Entrenchment

At this point, attackers solidify their presence by targeting high-level users, like system administrators, through platforms like LinkedIn. They might also initiate supply chain attacks, striking at centralised vulnerabilities that ripple through interconnected systems.

Step 5: Exploitation

With a firm grip on the systems, attackers can unleash harmful activities through such attacks as ransomware, which encrypts critical data, crippling financial operations and business processes and causing extensive damage ranging from financial losses to legal team's regulatory repercussions.

10 ways financial organisations can protect sensitive data

1. Use a data security solution

Implementing an intuitive data security platform that can protect sensitive data across multiple platforms is imperative. Not only can it give security teams full visibility into where their data lives, it can also help them control it with remediation and redaction techniques.

2. Educate employees on security policies

The responsibility of the organisation’s security shouldn’t lie solely with the security team. With 95% of data breaches involving a human element, there is a clear need for the workforce to be engaged with data security policies to ensure that data isn’t leaked by malicious insider threats or negligent employees.

3. Focus on data minimisation

While data can be a valuable asset to the business, it shouldn’t be retained for longer than necessary, in order to minimise the attack surface, and comply with industry regulations.

Our research has shown that 86% of data stored in Google Drive has not been updated in 90 days, creating more risk for the organisation. Data minimisation can be carried out through an automated solution to ensure the risk of data being accessed by unauthorised users is mitigated.

4. Encrypt data in transit and at rest

Encryption adds another layer of security to sensitive financial data, so that it’s unreadable to unauthorised users. If intercepted, a user will still need an encryption key to understand the sensitive information contained within.

5. Implement strong access controls

Access controls are key to keeping unauthorised users out of sensitive data files. Basing these on an individual’s role within the business can give only senior personnel access to confidential information. Ideally, there should be a minimal amount of users with access to sensitive data files.

6. Monitor systems for anomalies

Constant monitoring of threats within an organisation’s system is the best way to combat them as soon as they arise. Implementing event management (SIEM) or insider threat solutions can help you detect any anomalies within the organisation’s ecosystem.

7. Conduct regular data security risk assessments

Regular data security assessments help identify vulnerabilities and key risks, so that they can be resolved quickly. They should be conducted annually, at the very least, to ensure there is no disruption to business operations.

8. Keep data security software updated

Whether it’s antivirus software, firewalls, or intrusion detection systems, they will need to be regularly updated and patched to ensure that any known vulnerabilities are covered.

9. Secure the supply chain

While a financial organisation in itself may have all the necessary security measures in place to avoid a data breach, their supply chain could introduce a threat if due diligence is not carried out effectively.

Any third-party connections that process sensitive data should have security measures such as secure file transfer protocols (SFTP) to ensure data is not put at risk.

10. Maintain an incident response plan

An incident response plan should be tried and tested so that individuals are able to respond effectively to any security incidents that should occur. With everyone involved aware of their responsibilities and the process they’ll need to follow, a response plan can be executed quickly.

How can Metomic help?

With the growing need for reliable robust data security in financial services, Metomic presents effective data security solutions for securing SaaS applications in the following ways:

• Automated Data Discovery: Metomic's automatic data discovery software seamlessly integrates with an organisation's SaaS applications. It provides deep visibility at an individual data point level, which is crucial for financial institutions handling sensitive customer data. This feature helps identify where critical data resides across various SaaS platforms, facilitating better control and protection.
• Data Loss Prevention (DLP): Metomic offers DLP capabilities integral to financial data security. The platform can automatically prevent sharing sensitive information across apps or within isolated areas. This is particularly valuable in preventing accidental disclosures or leaks of financial data, such as credit card numbers or transaction details.
• Real-Time Alerts and Human Firewall: Our Human Firewall feature enables real-time employee notifications upon policy violations, fostering a proactive security culture. This immediate feedback loop helps educate users about security best practices and reduces the risk of data breaches due to human error.
• Advanced Access Controls: With Metomic, financial firms can control who accesses what data and when. This capability is essential for minimising data exposure and managing internal risks, especially in environments where data access needs to be tightly regulated.
• Insider Threat Detection: Metomic provides visibility over anomalous activities within any SaaS application, an essential feature for identifying and mitigating insider threats. This functionality ensures that unusual or unauthorised data access is quickly detected and addressed.
• Compliance with Global Regulations: Metomic aids in aligning SaaS applications with various global regulations like HIPAA, PCI DSS, and GDPR. Our platform’s features assist in maintaining compliance, which is a significant concern for financial institutions operating in a heavily regulated environment.

By integrating Metomic into their security strategy, financial services firms can enhance the protection of their customer data and achieve a higher degree of operational efficiency and regulatory compliance.

The combination of advanced technology and user-friendly interfaces makes Metomic a powerful ally in the quest for effective robust data security in the SaaS-dependent financial sector.

To find out more about how Metomic can support your data security policy, book a personalised demo or get in touch with one of our team.