By David Wagner, President and CEO, Zix
The financial services industry relies more on information technology than any other sector. That makes perfect sense given the high-speed and detail-oriented nature of the industry. Unfortunately, it’s costing a lot more to protect and maintain financial data these days.
An April 2017 global survey by management consulting firm Accenture found that nearly a quarter of firms (23 percent) spend more than 5 percent of net revenue just on compliance, which can add up to millions or billions of dollars. That survey found that 90 percent of all firms expected compliance costs to go up over the next two years (a statistic that remained consistent in the 2018 survey), with one-fifth of executives prepared for cost increases of at least 20 percent.
Those rising costs are safe bets when you survey the current compliance landscape. Today’s firms are managing fraud and financial crime risk, business risk, and cyber risk simultaneously. They are also grappling with newer and more sophisticated threats, along with an expanding regulatory landscape. For all those reasons, preserving compliance will only become more expensive.
The Catch-22 of Data Protection
Financial data is highly vulnerable and subject to sweeping data protections as a result. As more business tools become available, the costs rise. Rather than increasing investment in compliance, some companies forgo using new business tools. While that may ease costs and save time, it jeopardizes opportunities to grow the business and opens a competitive edge to other firms in the market. It also leaves the business exposed if employees take risks and work around restrictions. Users might be happier in the short term, but data and compliance are vulnerable in the long term.
Ease of use for the end user is important; compliance should not get in the way of doing business. However, how can an organization achieve necessary compliance and simultaneously enhance end-user satisfaction?
It’s a delicate balance.
The scope of data protection is a common issue. Firms are dealing with enormous amounts of information traveling through dozens of formal and informal channels. It’s not just email or file-sharing anymore. Securing this massive morass of data at every point is a mad scramble in the best instances. As volumes continue to grow and branch deeper into social media and connected devices, securing all the data may seem impossible.
Compliance forces firms to weigh a difficult choice: Accept the rising cost of data protection, or decline the use of tools in the interest of compliance but lose opportunities for business growth.
Making a Calculated Investment
The GDPR regulations now in effect throughout the European Union affect almost every company that does business in Europe or collects data on Europeans, no matter where the company is based. Financial penalties for noncompliance depend on the size and severity of the infraction, but in the worst cases can total billions of dollars.
However, this does not mean any investment in compliance is a smart one. Companies can invest almost endlessly in cybersecurity only to find they are still vulnerable. Worse, those cybersecurity measures can create as many problems as they solve. It’s essential to invest in ways that have the largest positive impact at the lowest cost.
Usability is a crucial consideration. Cybersecurity tools that are confusing and time-consuming are more than just annoying. They also incentivize rogue users to ignore or bypass them, so in effect the investment in security ultimately makes the company less compliant and less secure. Solutions that eliminate friction for the end user are better investments overall. Instead of relying on end users, they make security an institutional obligation that runs behind the scenes. And because the tools don’t create confusion or frustration, compliance is no longer disruptive.
The second priority is finding compliance tools that are appropriate for the scale of today’s data. They must be able to secure huge volumes of information. But, more importantly, those protections must follow that data as it branches out across myriad channels — email, LinkedIn, Facebook, text messaging, video, and many more. Without this flexibility, data will never be fully protected. And when that is the case, compliance is impossible.
Creating a New Context for Compliance
Investing in cybersecurity measures that are as easy to use as they are expansive has an unexpected effect: Compliance becomes an opportunity rather than an obligation.
New rules for data protection are being demanded by citizens who have had their data exposed over and over again. Hackers are mounting an endless assault, and in the wake of repeated data breaches, there are few people who have not been victimized. The public is fed up with this situation, and in the absence of action from the private sector, they are turning to governments to require solutions.
GDPR is a direct reflection of this. It protects citizens in the EU, but it’s likely that other governments will adopt similar rules as cybercrime becomes an international scourge. Increasingly, governments are trying to shift the consequences of those crimes off the victim and onto the company that is ultimately responsible for the attack.
This is driving the mounting cost and complexity of compliance. But in return for greater security investments, firms regain consumer confidence as well. Consumers are understandably eager to work with financial services firms that take data protection seriously. Complying with newer and stronger data protection rules is an excellent way to demonstrate that commitment.
In that context, an investment in compliance is actually much more. It’s also an investment in reputation management, public relations, customer acquisition, and corporate stewardship. If that sounds hyperbolic, just consider the plight of Equifax. Would you be eager to give the company your financial data? The firms that can prove they keep data safe will attract a lot more attention from consumers.
In the end, compliance is not about satisfying regulators. It’s about satisfying end users. No court is more punitive than the court of public opinion, and few things hurt financial services firms more than lax privacy or security. An investment in compliance is an investment in stability and sustainability. It may be substantial, but it’s always sound.