L7 - Data Protection Within Financial Industry

Data Protection Within the Financial Industry

Presentation to WAIFEM
CONTENTS

Introduction 3
Data Protection Regulations 10
Data Security Measures 17
Data Protection and Risk Management 22
Conclusion 27
Questions 28

INTRODUCTION
• Background
• Data and Data Protection
• Data Protection Principles
• Need for Data Protection
Background

In today's digital age, safeguarding sensitive data within the financial industry is paramount to maintaining trust and security. As financial institutions increasingly rely on technology to manage transactions and customer information, robust data protection measures are essential to mitigate risks, comply with regulations, and uphold the integrity of the financial system.
Data and Data Protection

Data refers to any information, in digital or non-digital form, that is collected, processed, stored or transmitted by organizations.

Data Protection refers to the practices, policies, and technologies implemented to safeguard sensitive data from unauthorized access, use, disclosure, alteration or destruction. It aims to ensure the confidentiality, integrity and availability of data.

Some common categories of data:

• Structured Data
• Unstructured Data
• Personal Data
• Metadata
• Transactional Data
• Geospatial Data
Types of Protected Data in Financial Institutions

• Personal Identifiable Information (PII)
• Authentication credentials
• Customer Profiles
• Financial Information
• Transaction Data
• Payment Card Data
• Business Confidential Information

Data Protection Principles

Seven Core Principles of Data Protection

1. Lawfulness: Processing of personal data should adhere to legal requirements.
2. Purpose Limitation: Data should be collected for specified, explicit and legitimate purposes.
3. Data Minimization: Only the minimum amount of data necessary for the intended purpose should be collected and processed.
4. Accuracy: Data should be accurate, kept up to date and corrected when necessary to ensure its reliability and relevance for the intended purposes.
5. Storage Limitation: Data should be kept in a form that permits identification of data subjects for no longer than is necessary for the intended purposes.
6. Integrity and Confidentiality: Data should be processed in a manner that ensures protection against unauthorized access, modification and destruction.
7. Accountability: Data controllers should ensure compliance with data protection principles and be able to demonstrate that compliance through documentation.
Need for Data Protection

Data Protection is a critical issue that has gained significant attention in recent years due to the increasing use of personal data in various industries, including the financial sector.

The financial industry is particularly vulnerable to data protection risks due to the sensitive nature of the personal data it collects and processes, such as financial information, social security numbers, and other identifying information.
DATA PROTECTION REGULATIONS

• Background
• Financial Data Regulations
• Compliance Requirements for Financial Industry
Data Protection Regulations

Data protection regulations are legal frameworks established by governments or regulatory bodies to govern the collection, processing, storage and sharing of personal data. These regulations aim to protect the privacy and rights of individuals by imposing obligations on organizations that handle personal data.

Financial Industry Considerations

The financial industry operates on a foundation of trust. Customers entrust financial institutions with some of their most sensitive personal information, such as account details, financial history, and social security numbers. Data breaches in this sector can have devastating consequences, leading to financial losses, identity theft, and reputational damage.

Data Protection Regulations in the Financial Industry

Data protection regulations within the financial industry are specifically tailored to address the unique challenges and risks associated with handling sensitive financial data. These regulations aim to safeguard the privacy and security of consumers' financial information while also ensuring the integrity and stability of financial markets.
Financial Data Regulations

Data regulations vary in scope, with some being broad and applicable across industries, while others are specific to certain sectors. Within the financial industry, there are regulatory bodies that oversee data protection measures.

General Data Protection Regulation (GDPR) (European Union)

GDPR is a comprehensive data protection regulation that applies to organizations that process the personal data of individuals residing in the European Union, regardless of the organization's location. Financial institutions collecting personal data from EU residents must comply with GDPR requirements, including obtaining explicit consent for data processing.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a set of security standards established by major credit card companies to protect cardholder data. PCI DSS applies to merchants, financial institutions and service providers that process, transmit, or store payment card data.

Gramm-Leach-Bliley Act (GLBA)

GLBA regulates the collection, safekeeping, and use of private financial information, requiring transparency and customer opt-out rights.

Basel III

This is a global regulatory framework established by the Basel Committee on Banking Supervision to strengthen the regulation, supervision and risk management practices of banks.
Compliance Requirements for Financial Institutions

Data Privacy Requirements

Financial institutions are required to protect the privacy of customer data and comply with data protection laws such as GDPR.

Securities Regulations

Compliance with regulations set forth by regulatory bodies such as the Securities and Exchange Commission (SEC) in the United States.

Cybersecurity Requirements

Implementation of robust cybersecurity measures to protect against cyber threats and data breaches.

Know Your Customer Requirements

Financial institutions must verify the identity of their customers and assess their risk profiles to prevent fraud.

Compliance Reporting and Audits

Financial institutions must regularly report compliance activities to regulatory authorities and undergo audits to verify compliance with regulations and industry standards.

Consumer Protection Regulations

Consumer protection laws and regulations must be adhered to, to ensure fair and transparent practices in areas such as lending, deposit accounts and financial products.

Capital Adequacy Requirements

Financial institutions are required to maintain adequate capital reserves to mitigate financial risks and ensure stability.

Anti-Money Laundering (AML)

Financial institutions are required to implement policies, procedures and controls to prevent money laundering.

Payment Card Industry Data Security Standard (PCI DSS)

Financial institutions that handle payment card data must comply with PCI DSS requirements to ensure the security of cardholder data and prevent unauthorized access.
DATA SECURITY MEASURES

• Overview of Data Security Measures
• Encryption
• Access Control and Authentication
• Common Threats faced by Financial Institutions

Data Security Measures

Data security measures are techniques and practices implemented to protect data from unauthorized access, use, disclosure, alteration or destruction. These measures aim to ensure the confidentiality, integrity and availability of data, safeguarding it against various threats and vulnerabilities.

• Encryption
• Access Controls
• Firewalls and Network Security
• Physical Security
• Endpoint Security
• Security Awareness Training
Encryption

Encryption is a data security measure that involves converting data into ciphertext using encryption algorithms and keys. This process makes the data unreadable to anyone who does not possess the corresponding decryption key.

In the financial industry, encryption plays a crucial role in protecting sensitive financial data from unauthorized access, ensuring confidentiality and integrity.

Encryption takes different forms and varies based on the algorithms and methods used to convert plaintext into ciphertext. Some common encryption techniques include:

• Symmetric Encryption
• Asymmetric Encryption
• Hash Functions
• Stream Ciphers
• Block Ciphers
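The integrity side of this slide can be made concrete with the hash functions and HMAC in Python's standard library. The following is an added example, not part of the presentation; the transaction record and the key are constructed for illustration. It shows that an unkeyed SHA-256 digest catches accidental corruption but not deliberate tampering, because whoever can alter the record can also recompute the digest, whereas a keyed HMAC tag can only be produced by a holder of the key. Note that hash functions, unlike the symmetric and asymmetric ciphers listed alongside them, are one-way: there is no key that turns a digest back into the data.

```python
"""Integrity protection for a transaction record: plain SHA-256 vs keyed HMAC.

Added example, not from the presentation. The record layout and the key are
constructed for illustration only.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample record; values are illustrative, not real account data.
SAMPLE_RECORD = {
    "transaction_id": "TXN-000001",
    "account": "0123456789",
    "amount": "250.00",
    "currency": "NGN",
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so the same content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def plain_digest(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def verify_plain(record: dict, stored_digest: str) -> bool:
    return hmac.compare_digest(plain_digest(record), stored_digest)


def mac_tag(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, key: bytes, tag: str) -> bool:
    """Constant-time comparison so tag bytes are not leaked through timing."""
    return hmac.compare_digest(mac_tag(record, key), tag)


def demo() -> dict:
    """Run both schemes against the same tampering and report what each detects."""
    key = secrets.token_bytes(32)          # would live in a key store or HSM in practice
    digest = plain_digest(SAMPLE_RECORD)   # stored alongside the record
    tag = mac_tag(SAMPLE_RECORD, key)      # stored alongside the record

    # Someone with write access to the store alters the amount.
    forged = dict(SAMPLE_RECORD, amount="9999999.00")

    return {
        # The hash catches a change when the stored digest was left untouched...
        "corruption_detected_by_hash": not verify_plain(forged, digest),
        # ...but not when the tamperer simply recomputes and overwrites the digest.
        "forgery_detected_by_hash": not verify_plain(forged, plain_digest(forged)),
        # The HMAC still fails because the stored tag no longer matches the data.
        "forgery_detected_by_mac": not verify_mac(forged, key, tag),
        # Recomputing the tag without the real key does not help either.
        "forgery_with_guessed_key_detected": not verify_mac(
            forged, key, mac_tag(forged, b"guessed-key")
        ),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The practical point for a financial record store is that a digest column on its own is not an integrity control against anyone who can write to the table; the key that produces the tag has to be held somewhere the writer cannot reach.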
Access Control and Authentication

Access Control is the process of regulating who can access what resources within a system or network. It involves defining and enforcing policies and permissions to restrict access to data, systems, and applications based on user identity, roles, and privileges. Some access control mechanisms include:

• Role-Based Access Control (RBAC)
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)

Authentication is the process of verifying the identity of users or entities attempting to access a system or resource. It ensures that users are who they claim to be before granting access.
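As an added example, not code from the presentation, the following Python sketch puts RBAC and authentication together in the order the slide implies: a user is first authenticated against a salted PBKDF2 password hash, then authorized only if one of their roles carries the exact permission requested; every other case is denied, so the default outcome is deny. The role names, permissions and users are constructed for illustration.

```python
"""Role-based access control with deny-by-default, behind credential verification.

Added example, not code from the presentation. Roles, permissions and users
are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed role -> permission mapping; a permission is "action:resource".
ROLE_PERMISSIONS = {
    "teller": {"read:account_balance", "create:deposit"},
    "compliance_officer": {
        "read:account_balance",
        "read:transaction_history",
        "read:customer_profile",
    },
    "auditor": {"read:transaction_history", "read:audit_log"},
}

PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


@dataclass
class User:
    username: str
    roles: set
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored credentials are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str, roles) -> User:
    salt = os.urandom(16)  # per-user random salt
    return User(username, set(roles), salt, hash_password(password, salt))


def authenticate(user: User, password: str) -> bool:
    """Verify identity; constant-time compare avoids timing side channels."""
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def is_allowed(user: User, action: str, resource: str) -> bool:
    """Authorize only if some role of the user carries the exact permission.
    Unknown roles contribute nothing, so the default outcome is deny."""
    wanted = f"{action}:{resource}"
    return any(wanted in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def authorize_request(user: User, password: str, action: str, resource: str) -> str:
    """Authentication first, then authorization. Returns a label suitable for an audit log."""
    if not authenticate(user, password):
        return "denied:authentication_failed"
    if not is_allowed(user, action, resource):
        return "denied:insufficient_role"
    return "allowed"


if __name__ == "__main__":
    teller = register("ada", "correct horse battery", ["teller"])
    print(authorize_request(teller, "correct horse battery", "create", "deposit"))  # allowed
    print(authorize_request(teller, "correct horse battery", "read", "audit_log"))  # denied:insufficient_role
    print(authorize_request(teller, "wrong password", "create", "deposit"))         # denied:authentication_failed
```

The outcome labels are returned rather than printed so that an access log can record every denial with its reason, which is what a later audit or incident investigation needs.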
Common Threats Facing the Financial Industry

Phishing

Malicious mail sent by attackers to trick individuals into revealing sensitive information.

Supply Chain Attack

A cyber attack strategy where attackers target vulnerabilities in a company's suppliers or service providers to infiltrate its systems.

Data Breaches

A security incident where sensitive, confidential data is accessed, disclosed or stolen by unauthorized parties.

Ransomware

Malicious software designed to encrypt files or block access to a computer or system until a ransom is paid.

DDoS Attack

A large volume of requests sent to a target system with the objective of rendering that service or application unavailable to its intended users.

SQL Injection

A cyber attack technique used to exploit vulnerabilities in web applications.
DATA PROTECTION AND RISK MANAGEMENT

• Background
• Key Components of Data Protection
• Data Protection Challenges
• Best Practices for Data Protection
Data Governance and Risk Management

Data Governance

Data Governance is a comprehensive framework and set of processes established within an organization to ensure the effective management, integrity, quality and security of data throughout the data lifecycle. Effective data governance ensures that data is consistent and trustworthy and doesn't get misused.

Risk Management

Risk Management is the process of identifying, assessing and mitigating risks associated with the collection, storage, processing and transmission of sensitive data to ensure its confidentiality, integrity and availability. It focuses on safeguarding data assets from unauthorized access, disclosure, alteration or loss.
Key Components of Data Governance and Risk Management

Data Classification

The process of categorizing data assets based on their sensitivity, criticality and usage. It can be achieved by labelling or tagging data to indicate its level of confidentiality, access and restrictions.

Access Controls

Restricting access to data based on a set of robust policies designed to keep personally identifiable information and other confidential data from unauthorized access, modification and destruction.

Data Encryption

Encryption of data in use, data in transit and data at rest. Implementation of strong encryption algorithms and ensuring that encryption is consistent, interoperable, and compliant with industry and regulatory requirements.

Data Privacy Compliance

Adherence to the laws, regulations and guidelines that govern the protection and handling of personal data. Furthermore, ensuring compliance with data privacy regulations such as the GDPR and PCI DSS.

Incident Response

Establishing incident response procedures and protocols to address data breaches, security incidents, and compliance violations. This involves incident detection, containment, investigation and remediation.
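Classification labels only protect data if they drive how each field is handled. The following added example (not part of the presentation) assigns a sensitivity label to each field of a constructed transaction record, renders the record for a consumer with a given clearance by masking the card number and redacting other over-classified fields (a field with no label is treated as RESTRICTED, so forgetting to classify fails closed), and includes a small data loss prevention check of the kind listed under best practices later in the deck, which flags unmasked card numbers in log text using the Luhn checksum. Field names, labels and sample values are constructed; 4111111111111111 is a well-known test card number, not a real account.

```python
"""Sensitivity labels that drive masking and redaction, plus a DLP check for card numbers.

Added example, not from the presentation. Field labels, the sample record and
the masking rules are constructed for illustration.
"""
import re
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed classification of the fields in a transaction record.
FIELD_LABELS = {
    "transaction_id": Sensitivity.INTERNAL,
    "merchant_name": Sensitivity.PUBLIC,
    "amount": Sensitivity.INTERNAL,
    "customer_name": Sensitivity.CONFIDENTIAL,
    "card_number": Sensitivity.RESTRICTED,
    "national_id": Sensitivity.RESTRICTED,
}

# Constructed sample; 4111111111111111 is a well-known test card number, not a real account.
SAMPLE_RECORD = {
    "transaction_id": "TXN-000002",
    "merchant_name": "Example Store",
    "amount": "10.00",
    "customer_name": "A. Customer",
    "card_number": "4111111111111111",
    "national_id": "12345678901",
    "unlabelled_field": "should not leak",
}


def mask_card_number(pan: str) -> str:
    """Keep only the last four digits, the usual display form for payment card data."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_for(record: dict, clearance: Sensitivity) -> dict:
    """Return a copy of `record` fit for a consumer with the given clearance.

    Fields labelled at or below the clearance pass through. The card number is
    masked rather than dropped so it stays useful for support queries. Any other
    over-classified field is redacted, and a field with no label at all is
    treated as RESTRICTED so that forgetting to classify fails closed.
    """
    out = {}
    for field, value in record.items():
        label = FIELD_LABELS.get(field, Sensitivity.RESTRICTED)
        if label <= clearance:
            out[field] = value
        elif field == "card_number":
            out[field] = mask_card_number(str(value))
        else:
            out[field] = "[REDACTED]"
    return out


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> list:
    """DLP check: return digit runs of card-number length that pass Luhn, e.g. in a log line."""
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_valid(m)]


if __name__ == "__main__":
    print(redact_for(SAMPLE_RECORD, Sensitivity.INTERNAL))
    print(find_unmasked_pans("refund for card 4111111111111111 ref 1234567890123"))
```

Running the DLP check over application log output before it is shipped to a central store is a cheap way to catch the common failure where a developer logs a full request body; the Luhn filter keeps order and reference numbers from being flagged.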
Data Protection Challenges Faced by Financial Institutions

• Insider threats
• Excess data
• Data privacy concerns
• Cyberattacks
• Human error
• Compliance complexity

Best Practices for Data Protection

• Data Loss Prevention
• Multi-Factor Authentication
• Security Awareness Training
• Regular Security Audits
• Incident Response Planning
CONCLUSION
Questions
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related
entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients.
Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
Deloitte & Touche, a member firm of Deloitte Touche Tohmatsu Limited, is a professional services organization that provides audit, tax, consulting, business process solutions,
financial advisory and risk advisory services.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member
firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their
most complex business challenges. Deloitte’s more than 245,000 professionals are committed to becoming the standard of excellence.
© 2024. For information, contact Deloitte & Touche. All rights reserved.
www.facebook.com/DeloitteNigeria twitter.com/DeloitteNigeria
