The Expanding Role of Finance in Protecting Sensitive Data

The insights drawn from financial data play a critical role in helping organizations achieve their business goals. Information contained within sensitive records such as bank account details, payroll documentation, tax filings, and other financial data enables finance teams to align strategic objectives with tangible metrics. It’s a valuable asset for businesses — but that also makes it a valuable target for cybercriminals. 

While IT and cybersecurity professionals have long been at the forefront of safeguarding data, modern threats require an enterprise-wide effort to mitigate risks to financial data and maintain compliance with evolving regulations. This need places finance teams at the heart of conversations regarding data security, with an opportunity to proactively address risks related to compliance, operations, reputation, and other critical business functions. 

Financial functions are seldom discussed with respect to things like “security” and “compliance,” and yet the Finance group often operates critical clearinghouses for enabling or directing risk-related investment: 

  • Internal Audit – Do we have appropriate controls for our marketplace trust and our data assets? 
  • Enterprise Risk Management – Where does information security risk sit relative to other business risks? Are we likely to stay resilient in our revenue commitments if we have a cyber event? 
  • Insurance – What is the size and scale of acceptable loss, and is our controls environment consistent with the terms our carriers require to reimburse us in the course of an incident?


The Need to Balance Financial Data Security and Business Goals

According to research by Gartner, only 14% of security and risk management leaders believe their organizations effectively balance data security with business objectives. The risks this imbalance poses to the business can have lasting effects that extend far beyond the initial impact of a data breach, with ramifications that can include breach of contract claims, regulatory penalties, and additional monitoring. 

A data security incident can also lead to business continuity issues that result in disruptions to normal operations. For example, a data breach that compromises internal systems during tax season could cause delays in filing reports, compromise the integrity of financial information, and prevent employees from accessing critical applications. Additionally, if personal information related to clients or employees were to be leaked, that could then lead to legal action and regulatory penalties against the company. 


Regulations

The need for robust data security has become a priority for governments and regulatory bodies both domestically and around the world. While the United States does not currently have comprehensive federal privacy law, more than 20 states have enacted their own. Internationally, laws like the EU’s General Data Protection Regulation (GDPR) include detailed requirements that organizations must abide by when collecting, storing, and processing personal data. Finance departments and their organizations must be cognizant of the various privacy laws that impact their operations to maintain compliance, which includes understanding contractual obligations in master service agreements and engagements with third-party vendors. Outsourcing a service does not outsource the risk, meaning companies must conduct proper due diligence to verify their outside vendors are compliant as well. 


Addressing Data Security Across the Enterprise

Protecting financial data is an enterprise-wide obligation, and no single group within an organization is solely responsible for the task. Instead, finance and IT teams must work together to establish and maintain data security across workflows, systems, and data repositories. This collaboration includes: 

  • Implementing logical access controls, such as multifactor authentication, to prevent unauthorized access. 
  • Monitoring payment workflows to detect anomalies and prevent fraud, especially in tax-related transactions. 
  • Reviewing security logs to identify suspicious activity before it escalates. 
  • Participating in tabletop exercises to test incident response plans and maintain business continuity.
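The second item above, monitoring payment workflows for anomalies, can be made concrete with a small review check. The following is an added example, not code from the original article or from BDO Digital; the payment records, vendor names and thresholds are all constructed for illustration.

```python
"""Flag vendor payments that merit manual review (constructed sample data)."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed records: (payment id, vendor, invoice no, amount, pay date,
# bank account on file, date that account was last changed)
PAYMENTS = [
    ("P1", "ACME Tax Svc", "INV-100", 4800.0, date(2024, 4, 2), "ACCT-1", date(2023, 1, 10)),
    ("P2", "ACME Tax Svc", "INV-101", 5100.0, date(2024, 4, 9), "ACCT-1", date(2023, 1, 10)),
    ("P3", "ACME Tax Svc", "INV-102", 4950.0, date(2024, 4, 16), "ACCT-1", date(2023, 1, 10)),
    ("P4", "ACME Tax Svc", "INV-103", 24900.0, date(2024, 4, 18), "ACCT-9", date(2024, 4, 17)),
    ("P5", "ACME Tax Svc", "INV-103", 4900.0, date(2024, 4, 23), "ACCT-9", date(2024, 4, 17)),
]


def flag_payments(payments, change_window_days=7, amount_ratio=3.0):
    """Return {payment_id: [reasons]} for payments that should be held for review."""
    flags = defaultdict(list)
    history = defaultdict(list)  # vendor -> amounts of earlier payments
    seen_invoices = set()
    for pid, vendor, inv, amount, paid_on, _acct, acct_changed in sorted(payments, key=lambda p: p[4]):
        # Bank details changed shortly before payment: a common payment-diversion signal
        if (paid_on - acct_changed).days <= change_window_days:
            flags[pid].append("bank account changed within window")
        # Amount far above the vendor's established baseline (needs three prior payments)
        prior = history[vendor]
        if len(prior) >= 3 and amount > amount_ratio * median(prior):
            flags[pid].append("amount exceeds vendor baseline")
        # Same invoice number paid twice for the same vendor
        key = (vendor, inv)
        if key in seen_invoices:
            flags[pid].append("duplicate invoice number")
        seen_invoices.add(key)
        history[vendor].append(amount)
    return dict(flags)


if __name__ == "__main__":
    for pid, reasons in flag_payments(PAYMENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Each flagged payment is held for a human approver rather than blocked outright, which keeps the check useful during peak periods such as tax season without stalling legitimate payments.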

Organizations should also evaluate whether they have data retention policies in place or if existing policies require updates. Holding onto data that is no longer relevant or useful for business purposes, and that the company isn’t legally required to retain, is a liability that can exacerbate data breaches and other cyber incidents. 


The Role of Finance in Building a Culture of Compliance

Even if a company hasn’t been affected by a cybersecurity incident, it must still adhere to the various data security laws and regulations that apply to the business. While creating a culture of compliance requires a consistent effort across the organization, finance teams are in a strong position to take a leading role in modeling best practices. One of the steps finance teams can take is participating in regular cybersecurity training, with an emphasis on recognizing phishing attempts and identifying deepfakes. Finance teams can also proactively conduct data life cycle reviews to eliminate unnecessary records that could increase risk exposure. 


Employing Established Frameworks to Help Manage Cyber Risks

No matter where companies stand in their efforts to enhance financial data security, there are existing frameworks that can help guide them. These standards provide auditable, objective criteria to evaluate how data is being protected within the organization. Examples of these frameworks include: 

  • SOC for Cybersecurity: An attestation report that outlines how an organization’s cybersecurity risk management program is structured and assessed 
  • NIST Cybersecurity Framework: A government-developed model for identifying, protecting, detecting, responding to, and recovering from cyber threats 
  • ISO/IEC 27000 Series: A family of international standards focused on information security management and technology-specific risks, including artificial intelligence


Bringing in Third-Party Support

External advisors offer companies another resource for enhancing their data security posture. In addition to helping finance teams and their organizations develop actionable plans, third-party advisors can offer guidance in following cybersecurity frameworks and maintaining compliance with regulations. Additionally, a trusted advisor can evaluate an organization’s existing controls and assist in tailoring an approach for the business’s specific needs. 

Looking to explore where your team stands?

Connect with BDO Digital to learn more about conducting a finance-focused data security assessment.