
Financial services CISOs prioritise GDPR – but their service providers might not have

Survey shows 52% of CISOs working in the finance sector have made compliance with the EU’s General Data Protection Regulation an investment priority

More than half of financial services companies are prioritising compliance with the new EU data protection regulation as the clock ticks down to its arrival this time next year.

According to data from Network Group Events’ 2017 Financial Services Information Security Network, 52% of CISOs working in the finance sector have made General Data Protection Regulation (GDPR) compliance an investment priority.

The data, gleaned from 70 financial services CISOs or security heads, showed that they are getting their act together for GDPR. Three-quarters (74%) of the CISOs have prioritised security governance and compliance management in cyber security strategies this year, compared with 64% last year.

But the CISOs must look beyond their own four walls and analyse what their suppliers are doing to prepare for GDPR if they are to avoid becoming indirectly liable for data loss. If a supplier is at fault, the enterprise that controls the data (the data controller) remains accountable to the regulator.

The EU’s GDPR will apply from 25 May 2018, with the aim of strengthening data privacy and protection for all EU citizens. It places new obligations on organisations, including: building privacy into systems by design (and switched on by default); conducting data protection impact assessments for higher-risk processing; implementing stronger consent mechanisms (particularly when processing data pertaining to minors); following stricter procedures for reporting data breaches, including notifying the regulator within 72 hours of becoming aware of a breach; and documenting any use of personal data in far more detail than before.

Organisations that fail to comply could face fines of up to €20m or 4% of their annual turnover, whichever is greater. The UK government has signalled its intention to implement the GDPR fully to ensure there is no interruption to the free flow of data between the UK and the EU after Brexit.

Jake Summerfield, managing director at Network Group Events, said financial institutions face what can seem like an overwhelming challenge. “However, as our data shows, investment in GDPR compliance is clearly a key priority for CISOs,” he said. “With this new regulation on the horizon, it’s not surprising that three-quarters of CISOs are prioritising investment in security governance and compliance management.


“Ensuring compliance with GDPR is going to be a momentous task for financial services firms as they adapt their processes and systems in line with the new regulation, but it is crucial that these firms do not do so at the expense of investing in other vital security measures.”

But it is not just organisations’ own processes and systems that must comply with the regulation. Monitoring the progress of GDPR compliance by IT suppliers is an important factor in the financial services sector, where firms are heavily reliant on IT service providers and increasingly dependent on cloud suppliers.

Sarthak Brahma, head of pricing advisory at Everest Group, said he is surprised Everest’s advisers have not yet been approached by supplier clients – including many offshore IT suppliers – about GDPR. This could be a case of companies having a lot on their plate, he said, and added: “I think this is a case of ‘which fire do you quell first?’. The suppliers are dealing with immigration issues as well as offshore inflation, which could be seen as more important right now.”

Bob Fawthrop, outsourcing consultant at Bob Fawthrop Associates, said he thinks many enterprises and suppliers have their heads in the sand over GDPR. “The lawyers are certainly thinking about it, but I am not sure about the CEOs,” he said. “And some of the suppliers are still only thinking about it.”
