Wealth Access Report FINAL - Flipbook - Page 20
“You cannot put implicit trust in a vendor for your
security. You have to own your security. You have to
manage your risk.”
Will Rhoads, Sonata Bank
data in new ways and with new applications. Most institutions will partner with a vendor for data storage, and many will use third parties to analyze that information. As a result, they may need to update their vendor due diligence to incorporate these new use cases. Financial institutions should ensure they remain compliant with customer privacy regulations, such as the financial privacy rule in the Gramm-Leach-Bliley Act. They may also need to update their customer privacy policies to ensure they legally disclose these uses and applications.

MSU Federal Credit Union risk-rates every vendor it uses to assess their data access: what data is sent to the vendor as well as where the outside firm transmits information, Maxim says. Vendors with the highest risk ratings must have certifications like SOC 2, which is a cybersecurity compliance framework, to ensure the data is safe. The credit union also refined its privacy policy over time to better reflect the kind of data sharing and marketing it was doing with fintech partners.

Ensuring Cybersecurity

Organizations can use a “least privilege access” approach when it comes to data access and permissions, says Andy Zinn, chief innovation officer at Wealth Access, the sponsor of this report. Data storage should include compartmentalization; data owners should be able to access only the information relevant to their functions. For instance, an institution may want to include employee salary information in a data lake, but give only certain members of the finance and human resources departments permission to access it. This is especially crucial as the dataset grows and an institution begins using more information in reports and dashboards.

“You need to have a reason to see the data. Make sure there’s a use case for the data, that it’s provisioned appropriately and that the access is maintained,” Zinn says.

Cybersecurity best practices also apply to data storage and usage. The Haverford Trust Co., which has $183.5 million in assets at its bank unit and $15 billion in assets under management, uses a third party to monitor its data in real time to detect anomalous activity, says Chief Operating Officer John Supplee. It also focuses on employee cybersecurity training to communicate the expectation that it’s everyone’s job at the Radnor, Pennsylvania-based firm to keep client data safe.

Brentwood, Tennessee-based Sonata Bank uses detection tools and dashboards that monitor its application programming interface, or API, connections, how they function and what they’re receiving and transmitting, says Chief Innovation Officer Will Rhoads. The $222 million bank, a unit of Sonata Financial Holdings, also follows the cybersecurity framework from the National Institute of Standards and Technology, along with strong security controls and multifactor authentication.

“You cannot put implicit trust in a vendor for your security. You have to own your security. You have to manage your risk,” he says. “That’s what banks do, right? We manage risk. Applying that to technology and data is just as important as margin or rate sensitivity.”

Kiah Lau Haslett is the banking & fintech editor for Bank Director.
18 | FINXTECH INTELLIGENCE REPORT