How to Improve Data Protection in Financial Services


Summary

Improving data protection in financial services means reducing risks of data breaches, safeguarding sensitive information, and ensuring compliance with regulations. This involves strategic actions to manage and secure data effectively, given the high stakes for financial organizations.

  • Prioritize data minimization: Regularly review and delete outdated or unnecessary data to reduce exposure during potential breaches and align with compliance requirements.
  • Train employees on data security: Educate staff about safe data handling practices, the risks of using unauthorized tools, and how to recognize potential threats to prevent accidental data leaks.
  • Adopt robust governance policies: Develop, document, and update data protection policies while conducting frequent audits to ensure adherence and address new risks effectively.
Summarized by AI based on LinkedIn member posts
  • View profile for Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    14,737 followers

    On a near weekly basis, I read about breaches where much of the exfiltrated data was old data that the organization had no real reason to retain. See, e.g., https://lnkd.in/eaX53AWQ and https://lnkd.in/e4pVA6bT. According to IBM's 2023 Cost of a Data Breach Report, breaches cost organizations an average of $165 per record breached. Report at 2. That means that purging 100,000 records of unnecessary data could save you $16.5M in the event of a breach. Here are five tips:

    1. PRACTICE DATA MINIMIZATION: Organizations should practice "data minimization." This means only collecting data that you have a good business reason for collecting and purging unneeded data when it is no longer needed.
    2. ARCHIVE DATA OFFLINE: In one recent example, the breached company apparently "ceased operations in December 2022 but, to comply with legal obligations, . . . maintained an archived copy of data previously stored on its computer systems." See https://lnkd.in/e4pVA6bT. To the extent you are only retaining old data to satisfy regulatory requirements or just "in an abundance of caution," consider storing the data completely offline, so it is less likely to be breached.
    3. CONDUCT A DATA MAPPING: These days it is common for data records to be duplicated in many places across an organization. Thus, consider conducting a regular "data mapping" to ensure that you know where all of your sensitive data is located, that you are adequately protecting it, and that you are purging it when appropriate.
    4. IMPLEMENT A WRITTEN POLICY: Be sure to document your data retention and destruction policy in a written policy, and train your employees on the policy regularly. Remember to update the policy to reflect the changing realities in your organization.
    5. OVERSEE THE DESTRUCTION OF DATA: Finally, when you destroy data, take reasonable steps to ensure that the data is actually being destroyed. One bank was recently fined $60M for failing to properly oversee a vendor responsible for purging personal data from digital devices. See https://lnkd.in/eutKzpU7.

  • View profile for Suyesh Karki

    #girldad #tech-exec #blaugrana

    4,201 followers

    A major financial services firm recently faced regulatory fines after an analyst, unable to access approved AI tools, uploaded sensitive customer data to a personal GenAI account just to meet a tight deadline. The external platform stored the data overseas, violating company policy and privacy laws - resulting in both financial and reputational damage.

    This isn’t an isolated incident. I read somewhere that 45.4% of sensitive exposures now happen through personal accounts - not out of carelessness, but necessity. When corporate tools can’t keep up, employees turn to Shadow AI, and data risks multiply.

    To address this, organizations must provide secure, approved GenAI tools, deploy real-time DLP and CASB for data monitoring, automate Shadow AI discovery and governance, and train employees on safe AI use. Let’s move beyond patchwork fixes and build unified, adaptive security that keeps pace with how people really work.

  • View profile for AD E.

    GRC Visionary | Cybersecurity & Data Privacy | AI Governance | Pioneering AI-Driven Risk Management and Compliance Excellence

    10,107 followers

    You’re hired as a GRC Analyst at a fast-growing fintech company that just integrated AI-powered fraud detection. The AI flags transactions as “suspicious,” but customers start complaining that their accounts are being unfairly locked. Regulators begin investigating for potential bias and unfair decision-making. How would you tackle this?

    1. Assess AI Bias Risks
      • Start by reviewing how the AI model makes decisions. Does it disproportionately flag certain demographics or behaviors?
      • Check historical false positive rates—how often has the AI mistakenly flagged legitimate transactions?
      • Work with data science teams to audit the training data. Was it diverse and representative, or could it have inherited biases?
    2. Ensure Compliance with Regulations
      • Look at GDPR, CPRA, and the EU AI Act—these all have requirements for fairness, transparency, and explainability in AI models.
      • Review internal policies to see if the company already has AI ethics guidelines in place. If not, this may be a gap that needs urgent attention.
      • Prepare for potential regulatory inquiries by documenting how decisions are made and if customers were given clear explanations when their transactions were flagged.
    3. Improve AI Transparency & Governance
      • Require “explainability” features—customers should be able to understand why their transaction was flagged.
      • Implement human-in-the-loop review for high-risk decisions to prevent automatic account freezes.
      • Set up regular fairness audits on the AI system to monitor its impact and make necessary adjustments.

    AI can improve security, but without proper governance, it can create more problems than it solves. If you’re working towards #GRC, understanding AI-related risks will make you stand out.

  • View profile for Julia Bardmesser

    Helping Companies Maximize the Business Value of Data and AI | ex-CDO advising CDOs at Data4Real | Keynote Speaker & Bestselling Author | Drove Data at Citi, Deutsche Bank, Voya and FINRA

    10,252 followers

    A large financial services organization approached me for a regulatory-driven data strategy refresh. Like many enterprises, they had fallen into the "everything is critical" trap: Regulatory reports? Critical. Quarterly filings? Critical. Internal dashboards? Critical. The result? A bloated inventory where true priorities were buried, progress stalled, and regulators remained unimpressed.

    Instead of expanding their Critical Data Elements (CDEs), I advised limiting them. Here's the 3-step framework we implemented:

    1. Reframe CDEs as Scope Management
      - Treated "critical" as a strategic filter, not just a label.
      - Used it to draw clear boundaries around what truly mattered.
    2. Focus on Maximum Impact
      - Identified data that, when improved, would have the greatest effect on their most important business processes.
      - Prioritized based on business outcomes, not data volume.
    3. Maintain a Ruthlessly Short List
      - Fought against "scope creep" mentality.
      - Established governance processes to prevent CDE list inflation.

    This led to:

      • Streamlined Focus: From an unmanageable inventory to a targeted, actionable list
      • Improved Outcomes: Resources concentrated on high-impact areas
      • Regulatory Confidence: Clear priorities that aligned with compliance requirements
      • Program Success: Avoided the "boiling the ocean" trap that derails most data initiatives

    In the world of Critical Data Elements, less truly is more.

  • View profile for Adam Porroni

    #SlavaUkraini | B2B Cyber Risk Conqueror, Innovation Expert, Serial Entrepreneur, Education, Civil Society & Constitution Advocate

    10,381 followers

    The Risk of Inaction: Learn How To Protect Your Digital Assets Now 🔐

    Are you worried that your current cybersecurity strategy might not be protecting your valuable digital assets, IP, and more? As leaders in finance and operations, it's often daunting to have to answer for the budgets, processes, policies, and more that are so critical for protecting your company’s sensitive data. 📊 However, neglecting this issue could expose your organization to grave risks such as severe data breaches, loss of trust with customers, financial penalties, and reputation damage.

    Take the lead in securing your sensitive information by implementing a robust data protection strategy:

    🌐 Identify and rate your most sensitive and valuable information.
    🌐 Utilize data encryption to safeguard sensitive information.
    🌐 Perform regular backups to ensure data availability and proper recovery options.
    🌐 Establish secure access controls to limit unauthorized and unwanted access.
    🌐 Consult industry experts to evaluate and enhance your security measures.
    🌐 Stay updated on the latest cybersecurity trends to stay ahead of potential threats.
    🌐 Educate your staff about potential threats and the best practices to foster a security-conscious culture.

    Addressing these aspects not only reestablishes your confidence but also gives you peace of mind, knowing your digital assets are more secure. 💡 By protecting crucial data, you reduce risks, enhance trust among customers, and boost stakeholder confidence.

    🤔 Have you faced similar challenges within your organization? Share your strategies and experiences below!

    #innovation #technology #cybersecurity #automation #dataprotection #riskmanagement
