PricewaterhouseCoopers Urges Financial Organizations to Increase Vigilance and Oversight of Information Privacy and Data Security


NEW YORK, Jan. 8, 2009 (GLOBE NEWSWIRE) -- Financial services firms, traditionally considered leaders in privacy and information security, are discovering that the process of protecting sensitive customer and employee information has become increasingly complex, according to PricewaterhouseCoopers LLP (PwC).

Based on responses from 665 financial services executives -- part of the sixth annual Global State of Information Security Survey® 2008 conducted by PwC in conjunction with CIO and CSO magazines -- more than half (54 percent) of financial services respondents indicated that their firm does not have an accurate inventory of where personal data for employees and customers is collected, transmitted or stored. Just over half (51 percent) of financial services respondents said they do not require third-party service providers to comply with their company's privacy policies.

"Financial services firms have been leaders in privacy and security, but their policies and capabilities are being outstripped by changes in technology and business practices," said Sergio Pedro, managing director, PricewaterhouseCoopers. "Firms must address customer demand, competitive pressure and stringent, ever-changing regulatory requirements by developing comprehensive, integrated privacy and data protection programs."

Financial services firms' increased use of their non-U.S. locations and offshore third-party service providers to handle and process sensitive data has exposed these international organizations to a maze of privacy-related requirements. Numerous laws have been passed in countries around the world since the late 1990s, covering privacy, data protection, telemarketing, fax and Web communication, and security. The survey found that just 45 percent perform due diligence of third parties that handle the personal data of customers and employees. This appears to be a blind spot for financial services firms: Despite this lack of due diligence, most (81 percent) consider themselves either "somewhat" or "very" confident in the information security practices of their partners and suppliers.

In the U.S., almost every state has an individual notification statute that is triggered when specific unencrypted data elements are breached. In the event of a security breach, many statutes require that firms notify affected parties. Nonetheless, 41 percent of financial services respondents reported that their organization's security policies do not address incident response, and 56 percent do not have a process to address breaches involving data entrusted to third parties. When asked about the number of data security incidents that occurred in the past year, 38 percent of financial services respondents did not know the number of incidents that occurred, 44 percent did not know what types of security incidents occurred, and 45 percent could not identify the likely source of incidents.

Other findings from the study include:

  • Many financial services firms focus predominantly on protecting customer data, but employee data can be a far richer trove of information for identity thieves. Survey results support this: When security breaches occurred, financial services respondents indicated that employee records were just as likely as customer records to be affected (40 percent versus 38 percent).
  • Although encryption technology has advanced greatly, 41 percent of financial services respondents said that their firms do not encrypt data stored in databases; 52 percent do not encrypt file shares; and 43 percent do not encrypt backup tapes. Furthermore, 33 percent do not deploy laptop encryption, a key data security safeguard for an increasingly mobile workforce.

New regulatory requirements in the U.S. will continue to strain the resources of internal compliance departments already grappling with a global privacy regulatory labyrinth. For example, the "Identity Theft Red Flags" rule, which went into effect in November 2008, requires financial institutions to implement a written Identity Theft Protection Program to help detect, prevent, and mitigate identity theft. Furthermore, the Securities & Exchange Commission is expected to adopt amendments to its Regulation S-P, which requires the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information related to customers. These and future regulations will require firms to enhance their privacy, data security, fraud reporting, and anti-money-laundering related Know-Your-Customer controls.

"Financial services firms should re-examine their security networks to help ensure compliance with privacy and data-protection regulations, embed a culture of privacy and security in their operations, and embrace security as a key element of their risk management structure and a potential competitive differentiator," said Pedro.

PricewaterhouseCoopers suggests that financial services firms consider the following when beginning to assess whether they adequately address privacy concerns:

1. Before deciding to move business processes or operations cross-border, does your firm consider whether there are country-specific privacy-related requirements and risks that might impact its operations in a given country?

2. Does your firm identify applicable privacy-related requirements in all the jurisdictions where it conducts business and stores, processes, or collects sensitive data?

3. Are your firm's third-party service providers contractually obligated to protect the sensitive data of your firm's customers and/or employees?

4. Does your firm understand the flow of sensitive data throughout its lifecycle, across the entire firm, and to/from third-party service providers?

5. Does your firm have a written plan to monitor, respond to, and remediate incidents where there is a potential risk of a data breach?

The Global State of Information Security Survey® 2008 is a worldwide survey conducted by PwC in conjunction with CIO and CSO magazines. Of the 665 respondents from the financial services sector (commercial banking, consumer banking, property and casualty insurance, investment management, mortgage banking, capital markets and real estate), 48 percent were from North America, 23 percent from Europe, 19 percent from Asia and 9 percent from South America. One-third (34 percent) reported annual revenues of at least US$1 billion.

About PricewaterhouseCoopers

PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 155,000 people in 153 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.

"PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.

CONTACT: PricewaterhouseCoopers LLP Laura Schooler (646) 471-3229 laura.schooler@us.pwc.com; The Hubbell Group, Inc. Steven Maguire (781) 878-8882 smaguire@hubbellgroup.com