Blog
March 28, 2024

How Can FinTech Companies Protect Sensitive Customer and Financial Data?

Learn why FinTechs are targeted by cyber criminals and how to protect sensitive customer and financial data. Discover top security measures to keep your financial organisation safe.


Key Points:

  • Financial institutions are prime targets for hackers due to the valuable data they store, such as bank account details and social security numbers. This data can be used for fraud or sold on the black market.
  • They must comply with stricter data security regulations than most organisations, such as PCI DSS and GLBA. They also store data in a variety of places, including data centres, the cloud, and on-premise servers. All of these locations require robust security measures.
  • Financial institutions can protect their data by using a variety of methods, such as data security software, employee security training, data minimisation, encryption, strong access controls, system monitoring, regular risk assessments, software updates, supply chain security, and incident response plans.

In 2023, the global fintech market size hit $226.71 billion, and research from the World Economic Forum suggests that it’s going from strength to strength.

With the majority of FinTechs specialising in digital payments and lending, a significant amount of sensitive data is stored within their systems and networks, including bank details, home addresses, and more.

So, how can FinTech organisations protect one of their most valuable assets?

We take a closer look at why financial organisations are typically targeted by hackers, and the best ways to ensure their sensitive data is protected.

What sensitive data do financial organisations hold?

FinTech companies handle sensitive data on a daily basis, due to the nature of their work.

They will hold Personally Identifiable Information (PII) such as names, addresses, social security numbers, and contact details, as well as specific pieces of financial information that can be very attractive to fraudsters.

For instance, a FinTech organisation will store data such as bank account numbers, credit card numbers, and transaction details, that can prove valuable to those who want to sell data on, or take advantage of it themselves.

Because financial institutions, including fintech companies, handle more sensitive data than most, they are held to more rigorous standards and must adhere to additional regulatory requirements such as PCI DSS and GLBA.

Where is sensitive customer and financial data held?

FinTech companies can store sensitive data in a number of locations, depending on the tools they use, and the infrastructure they have in place.

Many organisations will have their own data centres or use third-party data centres to store and manage sensitive data. Running their own data centres gives them full control over their data and how it is handled, including the security measures applied to it, such as firewalls, encryption, and physical access controls, to prevent any leakage of sensitive data.

Any third-party data centres or payment processors handling sensitive data on behalf of a financial service provider should be vetted thoroughly to ensure that they have stringent security measures in place, and will remain compliant with industry regulations.

With businesses now working across countries and borders, cloud services are often used to store customers’ financial data too, so that it can be accessed from anywhere at any time. This brings its own security risks. Organisations must ensure that the correct access controls are in place, that multi-factor authentication is enforced, and that data is stored securely, in order to reduce the chances of a bad actor reaching data in the cloud, or of an employee accidentally leaking sensitive data by saving it to the wrong environment, such as an openly shared drive or a publicly readable storage bucket.

Finally, financial data can also be held on secure servers within the organisation’s premises, which require physical security measures to ensure sensitive data isn’t accessed by unauthorised individuals.

Regular data risk assessments and a holistic data security posture can help FinTech companies keep sensitive data protected, and retain the trust of their customers.

Why are financial organisations targeted more than most?

In 2023, finance surpassed healthcare to become the most breached industry, according to a report by Kroll.

Due to the amount of sensitive data they hold, and the types of financial data they store, financial organisations are often targeted for the valuable data they have on record. This type of data can be used for fraudulent purposes, including making transactions from an individual’s bank account into a hacker’s account, or sold on the dark web.

As financial organisations also handle large amounts of money, criminals may target them for monetary gain, such as using ransomware to withhold data until a significant fee has been paid.

It’s crucial that financial organisations stay one step ahead when it comes to protecting their infrastructure; the more sophisticated cyber attackers become, the more vulnerabilities they can find to exploit in complex, often interconnected, systems, networks, and databases.

What are cyber attacks trying to achieve by accessing sensitive data?

Primarily, cyber criminals will be aiming to access sensitive data for financial gain, hoping to sell data on, commit fraud, or make unauthorised transactions. However, they can also be looking to gain notoriety among other cyber criminals by hacking into the systems of large financial institutions that should have a resilient cybersecurity posture in place.

Other motives involve being paid for corporate espionage by rival companies, or deliberately sabotaging organisations if they do not agree with actions they have taken.

The challenge for FinTech companies is that a cyberattack not only damages them financially, it can also leave lasting effects on their reputation too. As a result, their customers and partners can lose trust in them, which can lead to a loss of business.

Top 10 ways financial organisations can protect sensitive data

  1. Use a data security solution

Implementing an intuitive data security platform that can protect sensitive data across multiple platforms is imperative. Not only can it give security teams full visibility into where their data lives, it can also help them control it with remediation and redaction techniques.

  2. Educate employees on security policies

The responsibility of the organisation’s security shouldn’t lie solely with the security team. With 95% of data breaches involving a human element, there is a clear need for the workforce to be engaged with data security policies to ensure that data isn’t leaked by malicious insider threats or negligent employees.

  3. Focus on data minimisation

While data can be a valuable asset to the business, it shouldn’t be retained for longer than necessary, in order to minimise the attack surface, and comply with industry regulations.

Our research has shown that 86% of data stored in Google Drive has not been updated in 90 days, creating more risk for the organisation. Data minimisation can be carried out through an automated solution to ensure the risk of data being accessed by unauthorised users is mitigated.
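Items 1 and 3 above describe discovery, redaction and clean-up of stale sensitive data in general terms. The following is an added example, not code from Metomic or from this post, showing what the core of such a sweep looks like: it finds payment card numbers in file contents (a Luhn checksum separates real card numbers from order IDs that merely look like them), masks them, and flags files that hold card data but have not been touched for 90 days, the threshold quoted above. The file inventory, the paths and the card numbers are constructed sample data (the card numbers are standard test numbers), and a real scan would read the inventory from a drive API rather than a list.

```python
import re
from datetime import date, timedelta

# Matches 13-19 digit runs, optionally separated by spaces or hyphens,
# as card numbers appear in spreadsheets and support tickets.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Date the scan is run (the post's publication date, so the example is reproducible).
SCAN_DATE = date(2024, 3, 28)

# Constructed file inventory standing in for what a discovery scan of a shared
# drive would return. Card numbers are standard test numbers, not real accounts.
SAMPLE_FILES = [
    {
        "path": "Shared drives/Finance/refunds-2023-q1.csv",
        "last_modified": date(2023, 4, 2),
        "content": "alice,4111 1111 1111 1111,refund 40.00\nbob,5555-5555-5555-4444,refund 12.50\n",
    },
    {
        "path": "Shared drives/Finance/refunds-current.csv",
        "last_modified": date(2024, 3, 20),
        "content": "carol,4111111111111111,refund 9.99\n",
    },
    {
        "path": "Shared drives/Marketing/campaign-ids.txt",
        "last_modified": date(2023, 1, 5),
        "content": "campaign 1234567890123456 launched; no customer data here\n",
    },
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out IDs and order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(match) -> str:
    """Strip the spaces and hyphens people type between digit groups."""
    return re.sub(r"[ -]", "", match.group())


def find_card_numbers(text: str) -> list:
    """Return the normalised card numbers in text that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = _normalise(m)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_card_numbers(text: str) -> str:
    """Mask every valid card number in text, keeping only the last four digits."""
    def mask(m):
        digits = _normalise(m)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()          # not a card number: leave untouched
    return CARD_RE.sub(mask, text)


def stale_sensitive_files(files, today=SCAN_DATE, max_age_days=90):
    """Files that hold card data and have not been modified within max_age_days.

    These are the data-minimisation candidates: delete them or redact the card
    numbers in place, subject to the retention schedule. Returns (path, count).
    """
    cutoff = today - timedelta(days=max_age_days)
    flagged = []
    for f in files:
        cards = find_card_numbers(f["content"])
        if cards and f["last_modified"] < cutoff:
            flagged.append((f["path"], len(cards)))
    return flagged


if __name__ == "__main__":
    for path, n in stale_sensitive_files(SAMPLE_FILES):
        print(f"{path}: {n} card number(s), untouched for over 90 days")
    print(redact_card_numbers(SAMPLE_FILES[0]["content"]))
```

Running the script flags only the 2023 refunds file: the current refunds file holds a card number but is in active use, and the marketing file contains a 16-digit campaign ID that fails the Luhn check. In production the content would come from the drive or bucket API, and redaction would write back through the same API with the change logged for audit.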

  4. Encrypt data in transit and at rest

Encryption adds another layer of protection to sensitive financial data by making it unreadable to anyone who does not hold the key. Data intercepted on the network, or copied from a stolen disk or backup, is useless to an attacker unless they also obtain the encryption key, so keys must be stored and managed separately from the data they protect, with access to them restricted and logged.

  5. Implement strong access controls

Access controls are key to keeping unauthorised users out of sensitive data files. Basing permissions on an individual’s role within the business (role-based access control) means each person can reach only the data their job requires; seniority alone should not grant access, and a senior manager who never handles card data should not be able to read it. The number of users with access to sensitive data files should be kept to a minimum, and access should be reviewed regularly so that permissions are removed when someone changes role or leaves.
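As an added example (not Metomic’s code or a real product’s policy engine), the following shows the two halves of least privilege described above: a deny-by-default authorisation check driven by a role-to-classification policy, and an access review that lists who can read each confidential or restricted resource and flags the ones readable by too many people. The roles, users, resources and classification levels are constructed for illustration.

```python
from dataclasses import dataclass

# Classification levels in ascending order of sensitivity.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Role -> highest classification the role may touch and the actions it may perform.
# Constructed for illustration; real roles would be narrower and more numerous.
ROLE_POLICY = {
    "support_agent":     {"max_level": "internal",     "actions": {"read"}},
    "payments_engineer": {"max_level": "confidential", "actions": {"read", "write"}},
    "fraud_analyst":     {"max_level": "restricted",   "actions": {"read"}},
    "dpo":               {"max_level": "restricted",   "actions": {"read", "delete"}},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


def authorize(user: User, action: str, resource: Resource) -> bool:
    """Deny by default: access is granted only if one of the user's roles explicitly
    permits the action at the resource's classification. Unknown roles and unknown
    classifications never grant anything."""
    if resource.classification not in LEVELS:
        return False
    level = LEVELS.index(resource.classification)
    for role in user.roles:
        policy = ROLE_POLICY.get(role)
        if policy is None:
            continue
        if action in policy["actions"] and level <= LEVELS.index(policy["max_level"]):
            return True
    return False


def readers_of(resource: Resource, users) -> list:
    """Everyone who can read the resource, for an access review."""
    return sorted(u.name for u in users if authorize(u, "read", resource))


def access_review(resources, users, max_readers: int) -> list:
    """Confidential-or-higher resources readable by more than max_readers people.

    Each entry is (resource name, readers); these are the places where least
    privilege has drifted and entitlements should be pruned.
    """
    findings = []
    for r in resources:
        if r.classification in LEVELS and LEVELS.index(r.classification) >= LEVELS.index("confidential"):
            who = readers_of(r, users)
            if len(who) > max_readers:
                findings.append((r.name, who))
    return findings


# Constructed users and resources for the walkthrough.
USERS = [
    User("alice", frozenset({"support_agent"})),
    User("bob",   frozenset({"payments_engineer"})),
    User("carol", frozenset({"fraud_analyst"})),
    User("dave",  frozenset({"dpo"})),
    User("eve",   frozenset({"intern"})),          # role not in policy: denied everywhere
]
RESOURCES = [
    Resource("marketing/pricing.pdf", "public"),
    Resource("payments/ledger.db",    "confidential"),
    Resource("customers/pan-vault",   "restricted"),
]

if __name__ == "__main__":
    for name, who in access_review(RESOURCES, USERS, max_readers=2):
        print(f"{name} readable by {len(who)} users: {', '.join(who)}")
```

The review is the part most teams skip: the check itself is only as good as the entitlements behind it, and running `access_review` against the real user directory on a schedule is how you notice that a role has quietly accumulated more readers than the data warrants.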

  6. Monitor systems for anomalies

Continuous monitoring of an organisation’s systems is the best way to catch threats as soon as they arise. Implementing a security information and event management (SIEM) system or an insider threat solution can help you detect anomalies such as a single account suddenly reading far more customer records than usual, access to sensitive files outside normal working hours, or bulk downloads from a shared drive.
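To make the anomaly above concrete, here is an added example (not code from this post or from any SIEM product) of one such detection run over access-log lines: it parses each event, keeps a sliding window of the restricted resources each user has read, and raises an alert when a user touches more distinct restricted resources in ten minutes than a threshold allows. Counting distinct resources rather than raw reads is deliberate; an agent refreshing one account page should not trip the rule, while an account being used to enumerate customer records should. The log format and every line of sample data are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log format (one event per line). A real SIEM would normalise
# vendor logs into fields like these; the lines below are invented sample data.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) classification=(?P<cls>\S+)$"
)

SAMPLE_LOG = [
    "2024-03-27T09:02:11Z user=alice action=read resource=accounts/10041 classification=restricted",
    "2024-03-27T09:40:53Z user=bob action=read resource=accounts/10077 classification=restricted",
    "2024-03-27T09:41:02Z user=bob action=read resource=accounts/10077 classification=restricted",
    "2024-03-27T09:41:30Z user=bob action=read resource=accounts/10077 classification=restricted",
    "2024-03-27T09:42:15Z user=bob action=read resource=accounts/10077 classification=restricted",
    "2024-03-27T09:43:08Z user=bob action=read resource=accounts/10077 classification=restricted",
    "2024-03-27T09:44:51Z user=bob action=read resource=accounts/10077 classification=restricted",
    "2024-03-27T11:15:07Z user=alice action=read resource=accounts/10952 classification=restricted",
    "2024-03-27T22:03:41Z user=mallory action=read resource=accounts/10003 classification=restricted",
    "2024-03-27T22:03:45Z user=mallory action=read resource=accounts/10004 classification=restricted",
    "2024-03-27T22:03:49Z user=mallory action=read resource=accounts/10005 classification=restricted",
    "2024-03-27T22:03:52Z user=mallory action=read resource=accounts/10006 classification=restricted",
    "2024-03-27T22:03:56Z user=mallory action=read resource=accounts/10007 classification=restricted",
    "2024-03-27T22:04:01Z user=mallory action=read resource=accounts/10008 classification=restricted",
    "2024-03-27T22:06:10Z user=mallory action=read resource=marketing/banner.png classification=public",
    "this line is not in the expected format and is skipped",
]


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "user": m.group("user"),
        "action": m.group("action"),
        "resource": m.group("resource"),
        "cls": m.group("cls"),
    }


def detect_bulk_access(lines, window=timedelta(minutes=10), threshold=5):
    """Alert when a user reads at least `threshold` distinct restricted resources
    within any sliding `window`. Repeated reads of the same resource count once."""
    events = sorted((e for e in map(parse_line, lines) if e is not None), key=lambda e: e["ts"])
    recent = defaultdict(deque)        # user -> recent (timestamp, resource) reads
    alerts, already = [], set()
    for e in events:
        if e["action"] != "read" or e["cls"] != "restricted":
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["resource"]))
        while q and e["ts"] - q[0][0] > window:   # drop reads that fell out of the window
            q.popleft()
        distinct = {res for _, res in q}
        if len(distinct) >= threshold and e["user"] not in already:
            already.add(e["user"])                 # one alert per user per run
            alerts.append({"user": e["user"], "at": e["ts"],
                           "distinct": len(distinct), "window_start": q[0][0]})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['distinct']} distinct restricted resources "
              f"read between {a['window_start']} and {a['at']}")
```

On the sample data only `mallory` alerts: alice’s two reads are hours apart, and bob’s six reads all hit the same account. The threshold and window here are fixed for clarity; in practice they would be set per role from a baseline of normal activity, and the 22:00 timestamp would be a second signal worth correlating.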

  7. Conduct regular data security risk assessments

Regular data security assessments help identify vulnerabilities and key risks so that they can be resolved quickly. They should be conducted at least annually, and again after any significant change to systems, suppliers or data flows, so that new risks are found before they disrupt business operations.

  8. Keep data security software updated

Whether it’s antivirus software, firewalls, or intrusion detection systems, they will need to be regularly updated and patched to ensure that known vulnerabilities are covered. The same applies to the operating systems, databases and applications they protect, since an unpatched server behind an up-to-date firewall is still exposed.

  9. Secure the supply chain

While a financial organisation may itself have all the necessary security measures in place to avoid a data breach, its supply chain can introduce risk if due diligence is not carried out effectively.

Any third-party connection that processes sensitive data should use an encrypted transfer mechanism such as SFTP (the SSH File Transfer Protocol) or a TLS-protected API rather than plain FTP or e-mail attachments, and the third party’s own security controls and compliance status should be assessed before data is shared and reviewed periodically afterwards.

  10. Maintain an incident response plan

An incident response plan should be tried and tested so that individuals are able to respond effectively to any security incidents that should occur. With everyone involved aware of their responsibilities and the process they’ll need to follow, a response plan can be executed quickly.

How can Metomic help?

Metomic can help financial organisations, including FinTech companies, protect sensitive data by giving them full visibility over where sensitive data lives, and who has access to it.

Download our report, ‘The State of Data Security in Financial Services’ to find out more.
