In fintech, protecting users’ data is among the top priorities demanded by regulations, and, perhaps surprisingly, those demands map closely onto real-world risks.
As a data security engineer, I can say that while complying with GDPR, CCPA, PCI DSS, FFIEC, etc. might look like a lot of work, these regulations exist not to create problems but to prevent them, and they protect both your users and your business. They point out risky assets (data, processes) and let you extend your security efforts to cover them.
Different regulations require different kinds of personally identifiable information (PII) to be encrypted. Take encryption as a risk-narrowing approach:
- Define which regulations you are under and which processes they require.
- Enumerate your sensitive assets and decide which of them can be encrypted.
- Encrypt them and pseudonymise the rest.
Why not just “encrypt everything”? Well, ciphertext is opaque binary data: you can’t search, join, or aggregate on it without decrypting first, while many fintech applications need to run analytics and database queries on the data they collect. So they can’t just “encrypt everything”; the fields that must stay queryable get pseudonymised instead.
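Here is what “encrypt the risky fields, pseudonymise the queryable ones, leave the harmless ones alone” looks like in code. This is an added example written for this post, not code from the original article or from any product it mentions. It uses only the Go standard library; the customer record, its field names and the per-field risk classification are assumptions made for the example. The card number is encrypted with AES-256-GCM, the e-mail is turned into a keyed HMAC token that is still usable in equality queries, and the country stays in plaintext for analytics. The GCM associated data binds each ciphertext to its row and column, which addresses the insider scenario discussed further down: someone with write access to the database cannot move one customer’s encrypted value into another customer’s row.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Customer is a constructed sample record; field names and per-field risk classes are assumptions.
type Customer struct {
	ID      string
	PAN     string // card number, in PCI DSS scope: encrypt
	Email   string // PII, but used for lookups and dedup: pseudonymise
	Country string // low risk, needed for analytics: leave in plaintext
}

type StoredCustomer struct {
	ID         string
	PANEnc     []byte // nonce || AES-256-GCM ciphertext || tag
	EmailToken string // deterministic HMAC-SHA256 token: still usable in WHERE / GROUP BY
	Country    string
}

// Protector keeps two independent keys, so leaking the token key exposes no ciphertext.
type Protector struct {
	aead     cipher.AEAD
	tokenKey []byte
}

func NewProtector(encKey, tokenKey []byte) (*Protector, error) {
	if len(encKey) != 32 || len(tokenKey) < 32 {
		return nil, errors.New("need a 32-byte AES-256 key and a >=32-byte HMAC key")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Protector{aead: aead, tokenKey: tokenKey}, nil
}

// aad binds a ciphertext to its row and column, so a copied ciphertext fails to decrypt elsewhere.
func aad(id, field string) []byte { return []byte(id + ":" + field) }

func (p *Protector) encrypt(plain, extra []byte) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, plain, extra), nil
}

func (p *Protector) decrypt(blob, extra []byte) ([]byte, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return p.aead.Open(nil, blob[:ns], blob[ns:], extra)
}

// Pseudonymise maps equal inputs to equal tokens (queries keep working); the secret key
// defeats the dictionary attack that works against a plain SHA-256 of an e-mail address.
func (p *Protector) Pseudonymise(value string) string {
	m := hmac.New(sha256.New, p.tokenKey)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

func (p *Protector) Protect(c Customer) (StoredCustomer, error) {
	panEnc, err := p.encrypt([]byte(c.PAN), aad(c.ID, "pan"))
	if err != nil {
		return StoredCustomer{}, err
	}
	return StoredCustomer{ID: c.ID, PANEnc: panEnc, EmailToken: p.Pseudonymise(c.Email), Country: c.Country}, nil
}

// Reveal decrypts the PAN; the e-mail is not recoverable from its token by design.
func (p *Protector) Reveal(s StoredCustomer) (Customer, error) {
	pan, err := p.decrypt(s.PANEnc, aad(s.ID, "pan"))
	if err != nil {
		return Customer{}, err
	}
	return Customer{ID: s.ID, PAN: string(pan), Country: s.Country}, nil
}

func main() {
	encKey, tokenKey := make([]byte, 32), make([]byte, 32) // all-zero demo keys; real ones come from a KMS/HSM
	p, _ := NewProtector(encKey, tokenKey)
	s, _ := p.Protect(Customer{ID: "c-1001", PAN: "4111111111111111", Email: "alice@example.com", Country: "DE"})
	fmt.Printf("stored: pan=%x.. email_token=%s.. country=%s\n", s.PANEnc[:6], s.EmailToken[:12], s.Country)
	s.ID = "c-1002" // the same ciphertext copied into another customer's row
	_, err := p.Reveal(s)
	fmt.Println("moved ciphertext rejected:", err != nil)
}
```

Two design choices matter here. The token key and the encryption key are separate, so a leaked token key lets an attacker test guesses against e-mail tokens but reveals nothing about card numbers. And every encryption uses a fresh random nonce, so two customers with the same card number do not produce the same ciphertext; the e-mail token is deliberately deterministic for exactly the opposite reason, because the application needs to look rows up by it.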
To choose which fields to encrypt and which to leave in plaintext, you must first understand the risks and the demands of the regulations you fall under (ok google, what do we really need to encrypt).
Let’s have a closer look at your business. What do regulations protect your business and your users from?
- A breach of confidentiality of sensitive data might lead to an inability to execute corporate strategy. Here we can speak of
- A breach of availability or integrity of sensitive data might lead to an inability to keep the regular company routine running. These are operational risks. In fintech, they cost an arm and a leg.
- Also, in case of an incident, the strenuous efforts you made to build customer trust and loyalty suffer greatly. These are reputational risks. While many companies still downplay such risks, according to a PwC survey on digital trust, in 2021 data protection and privacy became a top focus area (63%) for executives of SMEs across US sectors. No wonder.
- Another tricky and underestimated risk is the inside job. This is insider risk, one of the greatest troubles after all. According to the latest Data Breach Investigations Report by Verizon, this year in financial services “44% of the breaches were caused by internal actors (having seen a slow but steady increase since 2017)”. As for the data compromised, it was mainly personal (83%), bank (33%), and credentials (32%) data. Firewalls won’t protect against insiders; encryption will, provided the keys are kept away from the data (in a KMS or HSM rather than in the same database) and the insider’s role does not grant decryption.
- External attackers should not be underestimated either. Some of the leaked data (like your customer loan scoring strategy) might be used by active adversaries to game your systems and carry out fraudulent activities.
- On top of that, one of the worst-case scenarios for a data leak is when a business operates on the assumption that its commercially sensitive data (like its client base) is safe while it’s not, and a competitor is able to exploit it. Here we talk about
- Compliance (or rather the failure to comply with regulations) and changes in regulations create real-world risk as well: the fines are significant and can get your product kicked out of the market.
Summarizing. Different regulations require different kinds of PII to be encrypted. In any case, you’ll be better off starting with the data the privacy regulations define as risky (to take that external pressure off your operations) and then extending data security to the other types of risk.
Regulations can be hard teachers, but they force risks to be handled properly and serve as a map of where experience, business goals, and data security meet in strategic decisions.