Financial Professionals: 5 Questions to Ask When Performing a Technology Risk Assessment
As a financial services professional, you've probably heard the term "technology risk assessment" before. Depending on the nature of your work, you may actually be required (or strongly encouraged) to perform one by regulatory rules, such as GLBA or FINRA regulations (see FINRA's recent 'Report on Cybersecurity Practices').
Technology risk assessment is exactly what it sounds like -- a systematic, documented review of the risks to the customer data your company stores, accesses, and transmits in order to get business done. This data includes both financial information and personally identifiable information (PII), such as names, addresses, Social Security numbers, or any other information linked to customers' identity. Risk assessments are essential for creating a risk management strategy that will protect your customers' data and protect you against legal and regulatory liability.
Still, it may be hard to know where to start. After all, your specialty is financial services, not technology. While we certainly recommend partnering with qualified IT professionals to accomplish your risk analysis, here are five questions to get you started:
What to Ask During a Risk Assessment
1. Where is Customer Data Stored?
Where data is stored has a lot to do with what risks it faces. If the only place you ever store customer data is on a company server on a secure network, there is a relatively low risk that it will be compromised. Customer data stored, say, on a laptop's unencrypted hard drive is at much higher risk of being lost or compromised, since mobile devices like laptops are far more likely to be lost or stolen, and the risk to data compromise is higher when the laptop leaves your secure network.
Also, do you store any customer data in the cloud? This doesn't automatically mean that it's at high risk, but not all cloud solution providers are created equal. Low-risk providers encrypt your data, provide robust administrative controls, and store data redundantly in data centers located in different regions within the U.S.
2. Is Your Network Secure?
Do you have appropriate controls on your office network, such as a business-grade firewall? Is that firewall managed by a qualified systems engineer? Are all of your devices (servers, desktops, etc.) managed under a central domain and systematically patched with security updates? If not, your data may be at high risk for compromise.
3. How Is Customer Data Accessed?
Do you and your staff use unique usernames and strong passwords to log into all systems that provide access to customer information? If not, there's a moderate to high risk that customer data could be compromised. Even shared logins (usernames and passwords used by multiple staff members) pose extra risk because they make the source of data breaches difficult to track down.
4. How Is Customer Data Transmitted?
Really, any transmission of customer data outside of your secure network should be encrypted. The primary culprit for transmission breaches is, of course, email. Customer data sent over unencrypted email is at high risk for compromise. There are, however, a number of email encryption solutions available. The best solutions apply rule-based filters to all email that leaves your domain, automatically encrypting emails that contain customer information.
5. What Would Happen if a Disaster Struck or Your Hardware Failed?
Even if your data isn't at risk of being stolen, that doesn't mean it's not at risk of being lost. What would happen if your server hardware failed, or if a fire destroyed your entire office infrastructure?
If you have a business-class backup strategy that stores backups redundantly both remotely and onsite, the risk of data loss and downtime is low. But some firms shouldn't stop there. If you or your customers need to access data at a moment's notice regardless of the circumstances, you might want to consider disaster recovery solutions, which allow you to spin up a full virtual server environment at a remote location within minutes of a hardware failure. Measures like this help you lower the risk to customer data, thus lowering your liability and moving your firm toward regulatory compliance.
Disclaimer: We are not lawyers, so this article should not be construed as legal advice. Instead, the information presented here is intended to acquaint you with some of the risks posed to customer data from a technical perspective.