Banks, wealth managers, insurers, and other organizations comprising the financial services ecosystem are designed to provide one thing above all: security. Whether that takes the form of an impenetrable iron vault, a life insurance policy, a well-diversified portfolio, timely financial assistance, or something else entirely, these institutions must meet customer demands for security in order to persist and profit. Yet many are now struggling to meet that demand.
The short answer is digital transformation. Like companies in virtually every other industry, financial services institutions have worked hard in recent years to become more efficient and effective by digitizing core processes. Doing so allows them to take full advantage of the vast amounts of customer data collected, processed, and stored in their internal systems. However, it also poses risks that many simply aren’t prepared to handle.
Into the Unknown
It’s not that digital processes are new to the financial services industry. Lenders have been utilizing software to facilitate customer transactions and streamline employee workflows for years. But digital transformation in 2020 means moving networks and data into the cloud, and for most institutions in the sector, the cloud is relatively uncharted territory.
Historically, lenders of all sizes have relied on technology providers and MSPs to implement bespoke on-premise solutions that are built to facilitate existing processes and workflows. Lacking the personnel and technical expertise to manage these technologies themselves, institutions have generally been content to let technology providers take responsibility for securing the data stored in their systems. Amidst the rush to cloud adoption, many are now finding that they’re unprepared to secure data that isn’t housed within their organization. Worse still, some don’t even realize that they’re responsible for securing that data.
The shared-responsibility model governing many cloud services agreements provides a security framework that makes providers and users accountable for different aspects of data security. For most users in the financial services industry, this is a completely foreign approach to technology implementation.
Not only are many institutions unaware of their obligations under this framework, but they're also ill-equipped to uphold their end of the bargain. This is especially the case among middle-market lenders that lack the personnel and capital resources of big banks and the agility of fintech startups threatening to overtake them. Without the right expertise or prior experience overseeing cloud technology implementations, these firms might also be more susceptible to budgeting errors when evaluating technology costs. Oftentimes, community banks, credit unions, and other local lenders will allocate funds to procurement and migration, but not configuration and ongoing security maintenance. These types of mistakes can eventually lead to negative ROI and countless hours of lost time — and could even force a firm to exit a market that's suddenly evolving faster than ever before.
Even larger institutions are entering uncharted territory when it comes to implementing processes like cloud-based loan origination, and these firms often underestimate the level of effort required to securely implement and maintain a cloud solution. Generally, this is because security is a secondary objective during the technology procurement and implementation process, while the main focus is on aligning solutions with core capabilities and ensuring new technologies can be effectively integrated with existing tools.
That’s a big problem for a couple of reasons.
The Cost of Failing to Plan
First, there’s the unfortunate reality that cyber risks are mounting fast. High-profile data breaches make headlines regularly; when the target is a financial services institution, recovery costs tend to be substantial. According to Accenture’s Ninth Annual Cost of Cybercrime report released last year, no other industry was more financially impacted by cybercrime in 2018.
Whether breaches are a result of malware and hacking, insider threats, or accidental disclosures, the fallout can be catastrophic. No organization is immune. Global financial institutions like JPMorgan Chase, Capital One, and Equifax have all fallen victim to breaches over the past several years. And research from Boston Consulting Group indicates that financial services organizations are disproportionately targeted by cybercriminals thanks to the sheer quantity and sensitive nature of the data they hold.
The second factor underpinning the need for a greater emphasis on long-term security is regulation. While most organizations have at least started making data governance a strategic priority, new regulations are introducing increasingly severe consequences for those that get governance wrong. New cyber and privacy requirements mean that boards must think beyond merely securing cloud environments; they have to develop sustainable policies governing data usage and access, customer privacy issues, and information security. They also have to think about how their policies might evolve as more comprehensive privacy-related legislation makes its way through state and federal courts in the coming years. Amidst ongoing technological disruption and heavy competition in the present, such foresight is understandably rare among most executive teams.
Pushing Ahead Anyway
Despite the substantial security challenges now facing many financial services institutions, the benefits of digital transformation are undeniable. The modern bank encompasses a variety of disparate business units that have historically relied on disconnected systems to facilitate workflows. Sales, service, and engagement journeys have often felt equally disconnected from the perspective of both customers and employees as a result. Platforms like Salesforce are allowing institutions to replace a patchwork of solutions with one tool, seamlessly connecting organizations across business units, geographies, and channels.
Moreover, digital transformation is now an industry imperative. At a time when consumer expectations are being shaped by tech companies like Amazon and Apple, financial services organizations must find a way to provide customer experiences that are both consistently positive and profitable. Salesforce’s Financial Services Cloud (FSC) — tailor-made for banks, insurers, and wealth management firms — gives users a comprehensive view of their customers and includes a number of out-of-the-box, industry-specific features. Native digital, sales, engagement, and marketing tools (along with on-platform lending functionality) allow advisors, branch managers, and agents to provide more personalized customer experiences with less effort, incentivizing adoption across the organization.
Not surprisingly, when employees aren’t struggling to provide optimal customer experiences while interfacing with an array of disconnected applications and legacy banking systems, they tend to be less stressed and more productive. Even in the digital age, which is now increasingly defined by touchless brand-consumer interactions, personalized engagement with customers is vital to the success of a financial institution. By giving these critical employees more power with less responsibility for troubleshooting and coping with session timeouts and access issues, organizations put them in the best position to meet client needs and strengthen customer relationships.
Expanding Capabilities, Endless Possibilities
A critical factor in the success of FSC has been Salesforce’s willingness to partner with specialized third-party vendors to deliver more robust functionality. Perhaps the most notable of these is nCino, which completed a $51 million funding round led by Salesforce Ventures back in 2018. Developed by bankers at Live Oak Bank in Wilmington, N.C., nCino was launched as a spinoff enterprise software company in 2012 and quickly gained traction. Billed as a bank operating system by its creators, the platform works alongside a lender’s core systems to provide functionality that includes retail customer account opening and loan origination, among other features. Built natively on the Salesforce platform, nCino is now at the heart of the software giant’s retail banking solution.
Both FSC and nCino contain built-in mechanisms for improving data security and supporting regulatory compliance, but that doesn’t mean users are off the hook when it comes to addressing these issues. Effectively leveraging any cloud platform requires lenders to manage huge amounts of sensitive data. CISOs and CIOs responsible for developing their organizations’ governance strategies should take the following steps to ensure their customers' data is managed the right way:
- Understand your obligations.
Make no mistake: Your organization — not your platform provider — is in charge of data security. Under the shared responsibility model, platform providers must ensure the security of application services, network services, and infrastructure services, but they’re not responsible for the development and configuration of applications you choose to run on their platforms. Salesforce offers numerous built-in features that your team can use to help protect the data stored in your org, but if you’re used to receiving comprehensive IT and cybersecurity support from legacy solutions providers, you’ll need to hire experienced personnel or partner with a cloud security specialist to fill that void moving forward.
- Focus on access management.
Among relatively recent nCino/Salesforce adopters, anywhere from 10-15% of the information fields in their orgs might be classified as high-risk. That percentage is typically greater among more mature users. Within many of these organizations, the number of employees who can easily access sensitive information is substantially higher than it should be.
Internal data breaches — whether malicious or accidental — constitute a real and growing threat to all organizations that collect and store customer data. Understanding which employees and partners have access to sensitive data is critical to risk mitigation, as is the adequate use of features like field change tracking and history retention. Because of the elevated sensitivity of the data stored by financial services institutions, a Zero Trust information security model — essentially, the idea that an organization should verify any user attempting to connect to its systems before granting access — might well be your best approach to access management.
- Understand the consequences of failure.
Under Europe’s GDPR framework and the CCPA that went into effect in California at the beginning of this year, fines for noncompliance are stiff. The latter statute affects any company with customers in California and imposes a $2,500 penalty for each individual violation not rectified within 30 days. Given that the legislation equates individual violations with individual victims of a breach, and that breaches often impact millions of customers, it’s not hard to see how compliance failures can be financially crippling for firms of all sizes.
Beyond the financial repercussions, a breach will also lead to potentially permanent damage to your reputation. Growing public awareness of the value of personal data and heightened concern surrounding corporate data policies have driven an ongoing shift in consumer expectations regarding the use of private information. In 2020 and beyond, financial services customers will have little tolerance for institutions that misuse or fail to properly secure their data. In an industry that’s still largely driven by relationships and referrals, companies can ill afford to compromise their customers.
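The "Focus on access management" step above comes down to one question: which profiles and permission sets can read or edit the fields you have classified as high-risk, and is that more than policy allows? The script below is an added example, not RevCult's or Salesforce's code; it works over constructed records shaped like rows of the real Salesforce FieldPermissions object (Field, PermissionsRead, PermissionsEdit, Parent), and the high-risk field list, the profile and permission set names, and the reader threshold are all assumptions.

```python
"""Exposure report for high-risk Salesforce fields.
Rows mirror the Salesforce FieldPermissions object, e.g. the result of
  SELECT Field, PermissionsRead, PermissionsEdit, Parent.IsOwnedByProfile,
         Parent.Profile.Name, Parent.Label FROM FieldPermissions
No row means no access; all field names and assignees below are constructed samples."""
HIGH_RISK_FIELDS = {"Contact.SSN__c", "Contact.Birthdate", "Account.AnnualRevenue"}
ADMIN_ASSIGNEES = {"Profile: System Administrator"}  # the only allowed editors

def _row(field, profile=None, permset=None, edit=False):
    # One FieldPermissions-shaped record; a row always implies read access.
    parent = {"IsOwnedByProfile": profile is not None,
              "Profile": {"Name": profile} if profile else None, "Label": permset}
    return {"Field": field, "PermissionsRead": True, "PermissionsEdit": edit, "Parent": parent}

FIELD_PERMISSIONS = [  # constructed query result
    _row("Contact.SSN__c", profile="System Administrator", edit=True),
    _row("Contact.SSN__c", permset="Loan Underwriters"),
    _row("Contact.Birthdate", profile="System Administrator", edit=True),
    _row("Contact.Birthdate", profile="Branch Staff", edit=True),
    _row("Contact.Birthdate", permset="Loan Underwriters"),
    _row("Contact.Birthdate", permset="Marketing Users"),
    _row("Account.AnnualRevenue", profile="System Administrator", edit=True),
    _row("Contact.Email", profile="Branch Staff"),  # not high-risk: must be ignored
]

def assignee_name(parent):
    """Owner of a FieldPermissions row: a profile or a standalone permission set."""
    if parent["IsOwnedByProfile"]:
        return "Profile: " + parent["Profile"]["Name"]
    return "PermSet: " + parent["Label"]

def exposure_report(rows, high_risk_fields=HIGH_RISK_FIELDS):
    """Map each high-risk field to the assignees that can read and edit it."""
    report = {f: {"read": set(), "edit": set()} for f in high_risk_fields}
    for fp in rows:
        if fp["Field"] not in report:
            continue  # not classified high-risk
        who = assignee_name(fp["Parent"])
        if fp["PermissionsRead"]:
            report[fp["Field"]]["read"].add(who)
        if fp["PermissionsEdit"]:
            report[fp["Field"]]["edit"].add(who)
    return report

def over_exposed(report, max_readers):
    """High-risk fields readable by more profiles/permission sets than policy allows."""
    return sorted(f for f, r in report.items() if len(r["read"]) > max_readers)

def non_admin_editors(report, admins=ADMIN_ASSIGNEES):
    """High-risk fields that something other than an admin profile can edit."""
    return {f: sorted(r["edit"] - admins) for f, r in report.items() if r["edit"] - admins}
```

Against a live org, replace FIELD_PERMISSIONS with the SOQL result from the docstring; the two checks then give you the fields to tighten before turning on field history tracking for them.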
Turning Your Weaknesses Into Strengths
At RevCult, we help financial services institutions address Salesforce security using a holistic approach that accounts for your firm’s past experience with the platform as well as potential regulatory developments that might affect your usage in the future. Our goal is to make security an integral part of your customer experience architecture.
To accomplish that goal, we’ll start by evaluating your current platform usage and existing security posture. We’ll conduct a comprehensive Salesforce Security Risk Assessment designed to pinpoint any vulnerabilities across six key areas: data protection, data loss prevention, authentication, authorization, monitoring, and integrations. If you’re like 100% of our customers, you’ll have some security gaps.
Our next step is to develop an actionable remediation plan that allows you to adequately address those gaps based on your available resources and future plans for leveraging the platform. We’ll identify and classify the data you have stored in Salesforce across your entire organization, and then map classified data to the appropriate controls. When you’re ready, we’ll help you implement these essential controls and other security best practices to protect highly sensitive data from loss or theft — without compromising platform usage.
In our experience, most bank leaders assume that their IT teams make decisions about platform usage and application development in the context of a centralized system of oversight. In reality, this is usually not the case. We’ll assess your current data governance strategy and review your agreements with providers to ensure your policies accurately reflect your obligations under those agreements.
Data can leave your organization in any number of ways. Our job is to make sure that it doesn’t. That’s why we evaluate internal security policies, organization-wide sharing activities, coding practices, high-risk permission usage, and an array of other important factors when looking for vulnerabilities and helping you develop your governance strategy. No matter how limited or robust your Salesforce experience is now, you’ll be a leader in providing exceptional customer experiences that are both seamless and secure after working with us.
Ready to Elevate Your Customer Experience?
Do you rely on Salesforce to hold valuable data and information? Are you unsure about what’s stored in your Salesforce instance? RevCult’s Salesforce Security Risk Assessment can give you a better understanding of your current security posture and provide an actionable playbook for remediating security risks.
Want to improve your ability to implement and manage your Salesforce Security Controls? Request a demo of our Cloud Security Cockpit® and experience the benefits of maintaining data classification, user access management, data retention, encryption at rest, and data privacy — all in one place that’s easily accessible in a Salesforce-native user interface.
Have you already started on your Salesforce security journey? RevCult can help you maximize the value of your investment in Salesforce Shield with a Shield Implementation Workshop. Get in touch today to learn more about how our experts can help you define a Shield security strategy and prioritize your implementation.