Check out our previous article
How Compliance Controls Can Minimize Data Loss
Introduction
It’s news that has been turning quite a few corporate heads lately.
According to a report released in July by the IT Policy Compliance Group, nine in 10 firms are exposed to financial risk from data loss and theft. These risks, which can cost organizations customers, reduced revenues, and even a decline in share price, could be significantly reduced by implementing core procedural and technical controls and monitoring those controls at least once every two weeks.
“Among larger enterprises,” the report concluded, “the probability of a publicly disclosed data loss is likely once every three years if the firm is currently operating as a laggard. In contrast,organizations with the best results have delayed the probability of data loss to once in every 42 years. The benchmarks show that the organizations excelling at compliance are the same firms with the least data losses and the least business disruptions from IT downtime.”
Turning to the costs of data breaches, the IT Policy Compliance Group found that organizations experiencing a publicly reported data loss expect to see an 8% decline in customers and revenue, an 8% decline in the price per share for publicly traded firms, and additional expenses averaging $100 per lost customer record for firms experiencing publicly disclosed data losses and thefts.
This article looks initially at some of the implications of compliance spending. It then considers a number of compliance, risk, and governance practices that, if implemented correctly by financial institutions, can significantly reduce the frequency and impact of data loss.
The return on spending
In its report, the IT Policy Compliance Group found that, based on financial losses sustained after a publicly exposed data loss (including lost customers and revenues, stock price declines, and additional costs and total cumulative spending on compliance and data protection activities), the returns on compliance and data protection spending are positive for almost all organizations.
“Perhaps most important,” the report continued, “the amount spent on improving compliance and data protection is a very small percentage of the financial value that is at risk. With returns on compliance spending for larger enterprises starting at 1,000% and climbing to 100,000%, it is obvious that compliance is good for business. Not only is good governance the right thing to do, but better compliance pays for itself through the avoidance of predictable financial risk.”
The report also found that most large enterprises are auditing and monitoring IT compliance once every 140 days, “whereas the industry leaders are conducting these measurements once every 21 days.”
High-profile breaches in the news
The IT Policy Compliance Group’s report is particularly timely, coming as it does at a time of several high-profile financial services breaches. For example:
- TTD Ameritrade announced in September that a compromised computer at the company had leaked the email addresses of potentially all of its 6.3 million customers. A New York law firm has filed a class-action lawsuit against the brokerage, charging that the company knew that email addresses were leaking to spammers and failed to inform customers.
- Electronic payment processor Fidelity National Information Services Inc. fired an employee in its Certegy Check Services Inc. unit for allegedly stealing, then selling to marketers, bank and credit card data from as many as 2.3 million customers.
- MoneyGram International reported that approximately 79,000 people had their personal information -- such as names, addresses, phone numbers, and, in a few cases, bank account information -- stolen. The data was illegally accessed over the Internet.
