Data generated through customer relationships is a key component of modern business operations. It enables manufacturers to optimize production, retailers to sell more efficiently, financial services providers to tailor products and tech experts to create more useful digital tools.
Though data collection has become a business imperative and competitive advantage, it also carries a range of potential risks that businesses must plan for, including cybersecurity risk.
It is crucial that companies foster a culture of data risk management and enhance data controls, given the increase in cyber events, insider threats, reliance on third-party data processing and evolving data-related regulations.
The widening scope and reach of data protection, privacy and cyber regulations has led to fines and other consequences when regulators allege companies did not meet their obligations.
While big businesses make headlines, small and midsize companies can just as easily mishandle data or fall victim to a data breach. Or, they may be hamstrung by a lack of cybersecurity resources that impacts their cyber awareness, resources, controls and culture.
These areas of focus can help businesses eliminate gaps, tighten controls and better integrate data privacy into organizational risk management.
What’s the risk? Global e-commerce makes it easier for businesses to transact internationally. But cross-border relationships can create risk if companies mishandle data for customers abroad.
What can be done? Fundamentally, companies should know the where, why and how of data collection. They must understand their obligations for stewardship across the data life cycle, from creation through destruction. That includes knowing what jurisdictions they’re collecting data from, why they’re collecting that data and how it is being stored. Understanding these essentials can help companies establish a baseline for their data privacy obligations and uncover hidden liabilities.
What’s the risk? Employees who have more access than they need can become vulnerabilities if phished or hacked, or if they use the data in an improper way.
What can be done? Companies may consider determining access on a need-to-know/role-based basis: The more sensitive the data, the smaller the population that should have access. This helps root out needless cyberattack exposure and centralize data in hands that thoroughly understand the applicable regulations.
What’s the risk? Third parties with weak cybersecurity can become big problems for companies that otherwise are vigilant with data privacy.
What can be done? It’s important to learn what controls vendors have and what data-sharing relationships are in place. A hack on a vendor could compromise a company that takes protecting customer data seriously: One weak link undoes the chain. Organizations should have cybersecurity standards for vendors and a standardized process to continually validate effective controls, as well as to reconsider if they absolutely need to share certain data.
What’s the risk? External movement of data may be unavoidable in some cases, but each instance is also a prime opportunity for cybercriminals.
What can be done? Limiting counterparty data flow is the best way to minimize risk, but it’s not the only option. Encryption can offer a cybersecurity advantage whenever data is disseminated outside the organization. There are numerous tools and configurations, and businesses should research options.
What’s the risk? Not paying attention to developments in the regulatory landscape can put compliance at risk.
What can be done? Business leaders need to keep apprised of regulatory current events. Doing so not only improves strategy preparation and fine-tunes ongoing compliance, but it also promotes a culture of security and vigilance.
It’s not enough that businesses simply have controls for upholding data privacy—they should also have dependable processes for enforcing and adhering to these controls. That means building a culture of cybersecurity that prioritizes:
Recognizing—at a C-suite level—the importance of strategic planning
JPMorgan Chase is dedicated to cybersecurity, and we have a number of tools, products and resources to help protect your business. Talk to your relationship team about how we can help you mitigate cybersecurity risks.