Over half of global financial firms have no accurate record of where customer and employee data is collected, transmitted or stored, according to new research from consultancy PricewaterhouseCoopers (PwC).
In addition, 51 per cent of financial services providers said that they do not mandate third parties to adhere to their own privacy policies.
Although 81 per cent of respondents to the PwC survey said they are 'somewhat' or 'very' confident in their own or their partners' information security procedures, only 45 per cent carry out due diligence on third parties that handle sensitive customer and employee data.
"Financial services firms have been leaders in privacy and security, but their policies and capabilities are being outstripped by changes in technology and business practices," said Sergio Pedro, managing director of PwC.
"Firms must address customer demand, competitive pressure and stringent, ever-changing regulatory requirements by developing comprehensive, integrated privacy and data protection programmes."
The research also found that many financial firms focus too much on protecting customer data, neglecting to adequately secure employee records.
Many of the companies surveyed have also neglected encryption. Some 41 per cent do not encrypt data stored in databases, 52 per cent do not encrypt file shares, 43 per cent do not encrypt backup tapes, and 33 per cent do not deploy laptop encryption.
PwC urged firms to implement a written plan to monitor, respond to and remediate incidents where there is a potential risk of a data breach, and to contractually oblige third parties to protect sensitive data.
