"Zero tolerance" supervision: how do financial institutions deal with the risk of data leakage?

On November 3, 2022, according to an administrative penalty decision issued by a local bureau of the China Banking and Insurance Regulatory Commission, an insurance company had failed to manage case prevention adequately, and former employees had used their positions to disclose personal information of policyholders and insured persons learned in the course of business. For these and other violations of laws and regulations, a fine of 100,000 yuan was imposed, and two responsible persons were banned from the industry for 10 years and 3 years respectively.

On November 4, 2022, according to an administrative penalty decision issued by a provincial banking and insurance regulatory bureau, a bank was found to have seriously failed to implement regulatory requirements, to carry a risk of leakage of sensitive data, to lack outsourcing management responsibilities, and to have concealed information system emergencies. For these and other violations of laws and regulations, a fine of 1.4 million yuan was imposed, and a number of individuals were warned.

Data breaches in the financial industry continue to hit the headlines. According to incomplete statistics, in the first half of 2022 the People's Bank of China and the China Banking and Insurance Regulatory Commission issued a total of 685 data-related fines to financial institutions such as banks, insurance companies and non-bank payment companies, totalling about 620 million yuan, a year-on-year increase of 67.5%.

When a data leak occurs, an enterprise suffers in several ways. First, it loses public trust and its reputation is damaged, which can drive down the share price and drive away users, directly harming the company's economic interests. Second, the loss of data assets disrupts the business, raises costs and reduces profits. Third, the data subjects affected may seek to hold the company accountable, exposing it to lawsuits and other legal action.

Some data breaches are caused by hacking attacks, others by internal problems. According to survey data, only 20%-30% are caused by hacking or other external causes, while 70%-80% are caused by negligent or deliberate leaks by internal employees.

So, what is the problem with such frequent internal data breaches in financial institutions?

Business scenarios are becoming more and more complex

1. There are many and complicated data

In the digital age, data connects, drives and reshapes everything, and it is the core element of an enterprise's digital transformation. Data assets in the financial industry's business environment are extremely varied: there can be a dozen or more types of database in use, which makes management difficult; and as the business grows, data volumes explode exponentially, leaving data that is both complex and massive.

2. There is no distinction between sensitive data

As society develops, customer information goes well beyond basic identity data (name, ID card number and so on). It now includes financial asset profiles and stock account information, new identifiers such as WeChat ID, GPS location and QQ number, and new-energy vehicle information... These business data come in many types and carry different values. Some are highly confidential, some less so; some may be disclosed and some may not; some may be disclosed in advance and some may not. Some financial institutions are not clear about which of their data is sensitive, where the data that needs protection is located, or whether that sensitive data is actually protected.

3. It is difficult to control internal personnel

Data leakage by internal employees takes two forms: deliberate damage to infrastructure and theft of or tampering with data, or a lack of security awareness and violation of operating procedures that results in data leakage, system damage and other consequences. A departing employee walking away with sensitive data, or a disgruntled employee sabotaging a system, are typical cases.

4. The scene is complex

In the digital economy, financial institutions, governments and third-party companies have a great many points of business contact and cooperation. Data sharing and data opening scenarios are more complex, boundaries have become blurred and "dynamic", and the data security management mechanisms of the traditional data governance framework struggle to adapt to the data risks brought by "digital assets and elements".

Faced with these problems, how does the financial industry deal with the risk of internal data leakage?

Regulatory "zero tolerance" crackdown

First of all, financial institutions should sort out laws and regulations, understand regulatory requirements, and not step on the "red line".

With the continuous development of information technology, laws and regulations such as the "Network Security Law", the "Data Security Law" and the "Personal Information Protection Law" have been promulgated one after another, setting out clear compliance and regulatory requirements for corporate data and information.

2021 has been called the "first year of data security". On December 3, with the release by the Gold Standard Committee of the "Financial Data Security: Data Security Assessment Specification" (draft for comments), the financial industry took the lead in building data security standards, marking the point at which top-level design for data security officially reached the industry. The financial industry now faces unprecedented data compliance risk.

(1) Administrative penalties. Article 45 of the "Data Security Law of the People's Republic of China" provides that where an organization or individual carrying out data processing activities fails to perform the data security protection obligations set out in Articles 27, 29 and 30 of the law, the competent authority shall order correction and issue a warning, and may impose a fine of not less than 50,000 yuan and not more than 500,000 yuan, with the directly responsible supervisor and other directly responsible personnel liable to a fine of not less than 10,000 yuan and not more than 100,000 yuan. Where the organization refuses to correct or causes serious consequences such as a large-scale data leak, the fine is not less than 500,000 yuan and not more than 2 million yuan, the authority may order suspension of the relevant business, suspension of business for rectification, or revocation of the relevant permits or the business license, and the directly responsible supervisor and other directly responsible personnel are fined not less than 50,000 yuan and not more than 200,000 yuan. Where the national core data management system is violated and national sovereignty, security or development interests are endangered, the competent authority imposes a fine of not less than 2 million yuan and not more than 10 million yuan and, depending on the circumstances, orders suspension of the relevant business, suspension of business for rectification, or revocation of the relevant permits or the business license; where a crime is constituted, criminal responsibility is pursued according to law.

(2) Civil liability. Under the "Civil Code", in addition to being liable for compensation when it discloses personal information, a financial institution may be required by the affected parties to apologize, restore the original state and compensate for mental distress.

(3) Criminal liability. Article 253-1 of the "Criminal Law" establishes the crime of infringing on citizens' personal information. For financial institutions, employees who illegally obtain, sell or provide customer credit information in the course of their work also commit this crime. Sentencing is as follows: where the circumstances are serious, anyone who, in violation of relevant state regulations, sells or provides citizens' personal information to others is sentenced to fixed-term imprisonment of not more than three years or criminal detention, together with a fine; where the circumstances are particularly serious, the sentence is fixed-term imprisonment of not less than three years and not more than seven years, together with a fine. Where a unit commits one of the crimes in the preceding three paragraphs, the unit is fined and the directly responsible managers and other directly responsible personnel are punished under the corresponding paragraph.

Comprehensive deployment and control, multi-pronged approach

The state's regulatory posture is clear; what matters more is that financial institutions have a robust response in place.

1. Improve employee data security awareness

Promote data security awareness regularly, strengthen employees' information security awareness, and guide employees to actively follow the corporate confidentiality system. Alongside data security training, run data security assessments to encourage employees to take an active interest in corporate data security.

Formulate detailed rules that standardize how employees operate computers, and make data security education a required item in onboarding training...

2. Establish a data governance system

Taking the "Data Security Law" as the starting point, relevant laws, regulations and standards as inputs, and the "Financial Data Security: Data Security Assessment Specification" as the basic framework, identify the key work items of data security governance, and ensure that enterprise-level control objectives and protection strategies genuinely penetrate into each business scenario so that data security management requirements are implemented.

3. Data security technical support

Build a data security protection system covering the entire data life cycle. Around the data protection scenarios, provide the core technical capabilities for data security: data masking (desensitization), encryption and permissions, access control, digital watermarking and privacy-preserving computation. Connect these to a security operations platform so that data security operations run continuously in support of data security management. Use an enterprise-level security architecture to establish an internal security control system that blocks data leakage risks from every channel in a timely manner.
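The sensitive data discovery, classification and grading, and masking steps described above can be seen together in a small worked example. The code below is added here and is not from the article or from any vendor product. The regular expressions, the four-level grading scheme (4 = most sensitive), the partial-masking rules and the sample records are assumptions constructed for illustration; the resident ID card checksum (GB 11643, ISO 7064 MOD 11-2) and the Luhn check are the public algorithms for those number formats, used here so that random digit runs are not reported as sensitive values.

```python
"""Sensitive-data discovery, grading and masking over constructed sample records.

Added example (not code from the original article or from any vendor product).
The detectors, the four-level grading scheme and the sample records below are
assumptions for illustration; a real programme takes its scheme from the
institution's own data classification standard.
"""
import re
from dataclasses import dataclass

# Detectors for PII commonly found in financial records. Dict order is priority:
# an 18-digit ID card is claimed before the bank-card pattern can see it.
# Lookarounds stop a phone number being reported inside a longer digit run.
PATTERNS = {
    "id_card": re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"),
    "bank_card": re.compile(r"(?<!\d)\d{16,19}(?!\d)"),
    "mobile": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}

# Assumed grading (constructed for this example): 4 = highest sensitivity.
GRADE = {"id_card": 4, "bank_card": 4, "mobile": 3, "email": 2}

ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
ID_CHECK = "10X98765432"


def valid_id_card(s: str) -> bool:
    """GB 11643 check digit for 18-character resident ID numbers."""
    total = sum(int(c) * w for c, w in zip(s[:17], ID_WEIGHTS))
    return ID_CHECK[total % 11] == s[17].upper()


def luhn_ok(s: str) -> bool:
    """Luhn check used by payment card numbers."""
    checksum = 0
    for i, d in enumerate(int(c) for c in reversed(s)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        checksum += d
    return checksum % 10 == 0


VALIDATORS = {"id_card": valid_id_card, "bank_card": luhn_ok}


@dataclass
class Finding:
    field: str
    kind: str
    grade: int
    value: str


def scan_record(record: dict) -> list:
    """Return every validated sensitive value in a record, highest grade first."""
    findings = []
    for field, text in record.items():
        text = str(text)
        claimed = []  # spans already attributed to a higher-priority kind
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                if any(m.start() < e and s < m.end() for s, e in claimed):
                    continue
                check = VALIDATORS.get(kind)
                if check and not check(m.group()):
                    continue
                claimed.append(m.span())
                findings.append(Finding(field, kind, GRADE[kind], m.group()))
    return sorted(findings, key=lambda f: -f.grade)


def mask_value(kind: str, value: str) -> str:
    """Partial masking: keep just enough of the value for support staff to recognise it."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    keep_head = {"id_card": 6, "bank_card": 6, "mobile": 3}[kind]
    return value[:keep_head] + "*" * (len(value) - keep_head - 4) + value[-4:]


def mask_record(record: dict) -> dict:
    """Return a copy of the record with every detected sensitive value masked."""
    out = dict(record)
    for f in scan_record(record):
        out[f.field] = str(out[f.field]).replace(f.value, mask_value(f.kind, f.value))
    return out


def record_grade(record: dict) -> int:
    """Grade of a record is the grade of its most sensitive field (0 if none)."""
    findings = scan_record(record)
    return findings[0].grade if findings else 0


# Constructed sample records; the ID card, card number and phone are test values.
SAMPLE_RECORDS = [
    {"name": "Zhang San", "id_card": "11010519491231002X", "mobile": "13800138000",
     "card": "6222021234567894", "note": "contact zhang.san@example.com"},
    {"name": "Li Si", "note": "branch transfer 2022-11-03, ticket 100045"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(record_grade(rec), mask_record(rec))
```

Running the block prints grade 4 for the first record with the ID card, card number, phone and e-mail masked, and grade 0 for the second record, which contains no validated sensitive value. In practice the same scan would be run over column samples from each database rather than over single records, and the resulting grade per table is what drives which masking, encryption or access-control rule applies.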

A recommended tool for data security management and control is Jishidun · Tracking. It analyzes the operating behavior of internal personnel, scans the core data assets involved in business operations, and builds a zero-trust data security system around business and people. Combined with visualized business-scenario instrumentation points, a modular risk indicator algorithm, user and entity behavior analytics (UEBA), a sensitive data discovery model, and an automated business data classification and grading mechanism, it can effectively reduce and control the risk of data leakage caused by insiders.
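To show concretely what "user and entity behavior analytics" means for the insider cases described earlier (a departing employee walking away with data, access outside normal patterns), here is an added example that is not code from the article or from Jishidun · Tracking. It builds a per-user baseline of daily record volume from constructed audit-log lines, then raises alerts for access outside business hours and for any day whose volume is far above that user's own baseline. The log format, the user and table names, the training window, the business-hours range, the absolute floor and the three-sigma rule are all assumptions chosen for illustration.

```python
"""Rule-based UEBA baseline over constructed access-log lines.

Added example (not code from the original article or from Jishidun · Tracking).
The log format, users, tables, thresholds and the 'daily volume versus personal
baseline' rule are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit-log lines: timestamp, user, action, table, rows touched.
# u1001 works normally for four days, then exports 5000 rows late at night.
LOG_LINES = """\
2022-11-01T09:12:03 u1001 QUERY customer_master 40
2022-11-01T14:30:10 u1001 QUERY customer_master 55
2022-11-02T10:05:44 u1001 QUERY customer_master 48
2022-11-02T16:11:09 u1001 QUERY customer_master 52
2022-11-03T09:40:21 u1001 QUERY customer_master 45
2022-11-03T11:02:37 u1001 QUERY customer_master 50
2022-11-04T10:15:00 u1001 QUERY customer_master 47
2022-11-04T15:20:12 u1001 QUERY customer_master 53
2022-11-07T23:41:09 u1001 EXPORT customer_master 5000
2022-11-01T09:00:00 u2002 QUERY policy_holder 30
2022-11-02T09:30:00 u2002 QUERY policy_holder 28
2022-11-03T10:00:00 u2002 QUERY policy_holder 35
2022-11-04T11:00:00 u2002 QUERY policy_holder 31
2022-11-07T10:00:00 u2002 QUERY policy_holder 33
""".splitlines()

BASELINE_END = datetime(2022, 11, 5)   # events before this date train the baseline
BUSINESS_HOURS = range(8, 20)          # 08:00-19:59 counts as normal working time
MIN_DAILY_FLOOR = 200                  # small absolute volumes never alert on their own


def parse_log(lines):
    """Parse 'ts user action table rows' lines into event dicts."""
    events = []
    for line in lines:
        ts, user, action, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "table": table, "rows": int(rows)})
    return events


def daily_volumes(events):
    """Rows touched per (user, date)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["rows"]
    return totals


def build_baselines(events):
    """Per-user (mean, population stddev) of daily volume in the training window."""
    training = [e for e in events if e["ts"] < BASELINE_END]
    per_user = defaultdict(list)
    for (user, _day), rows in daily_volumes(training).items():
        per_user[user].append(rows)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def detect(events, sigma=3.0):
    """Alerts for off-hours access and for daily volume far above the user's baseline."""
    alerts = []
    baselines = build_baselines(events)
    for e in events:
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"rule": "off_hours", "user": e["user"],
                           "when": e["ts"].isoformat()})
    scored = [e for e in events if e["ts"] >= BASELINE_END]
    for (user, day), rows in daily_volumes(scored).items():
        mu, sd = baselines.get(user, (0.0, 0.0))   # unknown user: floor only
        threshold = max(mu + sigma * sd, MIN_DAILY_FLOOR)
        if rows > threshold:
            alerts.append({"rule": "volume_spike", "user": user, "when": day.isoformat(),
                           "rows": rows, "threshold": round(threshold, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(LOG_LINES)):
        print(alert)
```

On the constructed log this produces two alerts, both for u1001: an off-hours event at 23:41 on November 7 and a volume spike of 5000 rows against a threshold of 200, while u2002's steady 30-odd rows per day raise nothing. The absolute floor matters: a user whose baseline is a handful of rows would otherwise alert on trivially small changes, and the per-user baseline is what lets a genuine bulk export stand out without a single global threshold that is either too loose for clerks or too tight for analysts.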

Source: blog.csdn.net/jidunkeji/article/details/128320158