How Can Cybersecurity Help You Re-Design Your Data Governance Model?

When Colonel Edwin Drake drilled the first successful well through rock to produce crude oil in 1859 in Titusville, Pennsylvania, little did he know he was dropping the bombshell that would sky-rocket the oil economy. We’ve come a long way since then, and the recent years in human history have kindled another such phenomenon that has garnered even more attention than oil. I’m speaking of, of course, data.

Data is soon to be the world’s most valuable asset, and who best to understand the importance of it than financial institutions? Financial institutions are heavily responsible to gather, process and store massive quantities of data and in most cases are described as “information technology companies with balance sheets”.

However, we’re yet to harbor the complete potential advantage that data can bring to the spectrum of banks, insurers and asset managers simply because along with an expanded ability to profit from the same, it opens wound to a host of new and large vulnerabilities.

The founding pillars that financial institutions rest upon are the institutions of trust and security. Governance of data thus, has sprung to a board level issue, with severe implications for strategy, business models, IT architecture, capital investment and management structures. It is a matter of extreme urgency that we learn how to value data properly and assess a clear path ahead to monetize information.

These form the twin axels of priority for financial institutions. Let’s see how such institutions can redesign their data governance models to ramp up the level of security to combat sophisticated breaches and fraud.

1)    A strategic approach to data governance

Data governance is not just about protecting existing data through various cybersecurity measures but also about how to use the data available to these institutions. It requires an in-depth understanding of the frameworks of data usage, data security, systems and technologies for storing, analyzing and securing data, management and governance structures etc.

The easiest way to keep a secure and water-tight data governance model is thus, to have regulators set a clear direction that will help boards to understand the implications of data protection.

Cybersecurity regulations have become increasingly popular in the past. However, many industries have deemed these requirements as inflexible and costly and creating the additional risk of regulatory arbitrage.

What do these regulations look like?

Let’s look at an example. In late 2016, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Federal Reserve released an advance notice of enhanced cybersecurity standards for large entities. Imposed on financial institutions with greater than $50 billion in assets, the rules required boards to approve management’s cyber risk strategy and ensure management status within a cyber risk tolerance framework.

Another solution is for financial institutions to undergo a full stakeholder assessment, which understands what is beneficial to all parties, keeping customer interest at priority.

2)    Technology that drives value to data assets

The recent years have seen an information boom like nothing we’ve ever seen before. By one estimate, the amount of data generated worldwide grew tenfold between 2020 and 2016. However, the flip side of the coin is that much of this growth is in “unstructured” data such as images etc.

This leads to creation of a host of technologies, such as facial recognition technologies and voice patterns, wherein start-ups are doing natural language processing that can measure the tone of voice on quarterly investor calls to find patterns that give clues about the next quarter’s results. Other technology also includes biometric data and behavioral patterns, along with AI and blockchain- all which can have significant impact on financial services organizations, only if they can derive meaningful insights from it.

Banks and insurance companies can use AI systems to decide whether to offer credit or how to price an insurance policy, based on analyses that is not possible for humans to perform.

A recent study from the Financial Stability Board (FSB) noted that machine learning is being used to “uncover non-linear relationships among different attributes and entities, and to detect potentially complicated behavior patterns of money laundering and the financing of terrorism that isn’t directly observable through suspicious transactions filing from individual entities.”

Your data governance model can employ the use of these technologies to store data in a credible and useful way.

Cybersecurity, thus integrated with these technologies focuses largely on addressing hardware and software vulnerabilities to prevent or recover loss of data or damage to systems.

3)    Management and government’s role in cyber risk

The nature of cyber risk is dynamic and growing and the governance of the same remains to be a work in progress.

What can you do to ensure your data governance model isn’t the same?

• Establish a cyber risk tolerance: One way to approach this is to roll up cyber risks to create a strategic metric. The second is to create granular tactical metrics
• Prioritizing security efforts: Having vulnerabilities is one way to do this. Consider vulnerabilities to be the fence of your house- someone may get through the fence regularly, but nobody should be able to get to the safe, where your high priority data is stored.
• Long term investment: Financial institutions need to spend as much as they can manage financially, specifically because trial and error too is bound to take place. Interconnectivity creates avenues for hackers which is why our capabilities need to be insanely mature.
• Focus on response and resiliency: Security and resiliency are two difference things, one is about prevention and one is when you have a system outage and the efficiency with which your system can come back up. Clarify your response goals before an attack takes place, since tradeoffs are likely to occur to a large degree.

The entire basis of this article can be rested upon a singular analogy. If the good twin is digital transformation, then they evil twin is cyber risk. Risk and data thus, has to managed extremely effectively by institutions with extreme emphasis upon making better progress towards cyber governance.