Financial Data Governance: Prevent Today’s Compliance Risks


April 12, 2022
Microsoft Australia

Today, financial institutions operate in a complex and dynamic compliance environment as they work to protect their customers.

The Australian Information Commissioner reported that between July and December 2021 there were 464 data breach notifications, with breaches attributed to human error up 43%. Finance was the second-highest reporting sector, accounting for 12% of these breaches. The environment will only become more complex and interconnected as cyber threats increase in velocity and intensity.

This highlights the need to protect critical data, not only to avoid reputational damage, financial losses to individuals and the organisation, and hefty fines, but also to foster trust with customers and stakeholders. That trust in turn supports a better digital customer experience.

We need a well-defined risk management framework, an understanding of the risks that apply to financial services, and the appropriate controls to mitigate those risks.

Compliance challenges for financial services organisations

In Australia, banks, insurers, and superannuation organisations are regulated by the Australian Prudential Regulation Authority (APRA). A key challenge for financial services is the sheer regulatory load. Today we are seeing a continued uplift in the next wave of regulation and expectation for financial services, together with a more stringent view of non-compliance.

A maturity to handle the load 

Organisations need to orchestrate their businesses to meet the regulatory and risk load in a way that matches their size, maturity, and available capital. Maturity should be driven continuously to a level appropriate for the market, and this should sit above first- and second-line risk.

Choosing technology that can grow with your business, and testing it continuously, will help the organisation on its maturity journey.

A virtuous circle of maturity 

CPS 234 is a globally recognised standard that provides comprehensive coverage of the obligations to keep valuable data safe.

There are four main components of CPS 234 that together form a virtuous circle, placing organisations on an increasing maturity journey around cyber security.

  1. The standard clearly defines the information security-related roles and responsibilities of the Board, senior management, governing bodies, and individuals.
  2. Paragraph 20 sets out the requirement to list all information assets and assess the risks associated with them in terms of sensitivity and criticality.
  3. Paragraphs 21 and 22 set out the requirement to articulate the specific controls that manage the risks around those information assets, in accordance with the organisation's overall risk appetite.
  4. Paragraph 27 sets out the obligation to test the operation of those controls. Testing requires the organisation and its internal auditors to consider whether the controls are designed to achieve the objective of reducing risk, and whether they are operating in accordance with that design. The results are reported back to those charged with the governance of cyber security.

Using technology on your journey to maturity 

Historically, we have seen technologies deployed for single use cases, so good technologies and strong levels of control are not propagated across the organisation in an orchestrated, systematic way. Microsoft can help by streamlining cyber security controls across the whole data ecosystem rather than taking a point-solution approach.

Learn more 

Join us for our Microsoft data governance, risk, compliance and security webinar series, where our expert panel will discuss the importance of compliance in data security and the common challenges facing financial institutions. Learn how partnering with Microsoft can support a holistic and streamlined approach to mitigating risk, fostering trust and meeting compliance obligations.


This post was written by Microsoft Australia