Why Financial Institutions Must Treat Marketing Data as Regulated Financial Information

For many years, banks have maintained a clear separation between core banking data and marketing data. The former consists of information such as account numbers, transaction histories and credit information, all of which is heavily regulated. Marketing databases used for customer outreach and engagement campaigns, by contrast, have been treated as an operational support asset. The recent Anderson Bancshares, Inc. data breach, in which an unauthorized actor gained access to a third-party marketing vendor, vividly illustrates that this separation is becoming less meaningful and considerably more dangerous.

Marketing data now routinely contains the same sensitive personal identifiers found in regulated core banking systems. Names, addresses, dates of birth, Social Security numbers and details of financial relationships are commonly sent to third-party vendors to enable personalized communications and to track engagement. From a cyber-risk standpoint, this marketing information is as valuable, and potentially as harmful if exposed, as anything a bank holds in its core systems.

The Financial Risks Associated with Marketing Data

Financial marketing today depends on integration across multiple platforms and providers. Customer relationship management (CRM) systems, email marketing automation, print mail vendors and analytics services all require access to customer personal data in order to do their jobs. None of these systems executes a transaction, yet each holds enough information about a customer to enable identity theft, account takeover or other targeted fraud.

Criminals understand how financial institutions now operate. Rather than attempting to penetrate hardened core banking systems, they target the systems that receive and replicate customer data through various channels and that carry fewer security and privacy requirements. Marketing platforms attract this attention precisely because they typically operate under far less stringent security and compliance regimes than the institution's core systems.

The Compliance Gap in the Handling of Customer Data

Although regulators rely on the Gramm-Leach-Bliley Act (GLBA) to protect customer data, enforcement has historically focused on core financial functions. Marketing data tends to live in a grey area: it is widely shared, retained longer than necessary, and governed by vendor contracts rather than by the institution's own security policy.

The result is inconsistent control over sensitive customer data held in marketing databases. When an institution stores such data in marketing systems without the controls it applies elsewhere (encryption standards, access logging, vendor audits, breach response procedures), it has effectively weakened its overall security posture. A breach of a marketing database can bring regulatory scrutiny, reputational damage and legal liability just as a breach of a core system would.

Vendor Relationships Expand the Attack Surface

Third-party vendors form the backbone of many financial institutions' marketing operations, whether or not the vendor is considered part of the institution's "core" business. Once customer data has been transferred to a vendor, the institution remains responsible for protecting it.

This challenges the traditional view of data breaches as confined to systems the bank itself owns and operates. Increasingly, breaches occur in outsourced functions, and the security of those functions varies widely. When marketing data is not treated as regulated data, it is more likely to be handled, transmitted or accessed in ways that would never be accepted inside the bank's own systems.

Data Minimization and Purpose Limitation Matter

Another overlooked consideration is the volume of data marketing teams request. Teams often ask for far more data than a campaign needs, on the assumption that it may be useful for segmentation or for a future campaign. Over time, marketing departments accumulate vast stores of customer data, increasing the institution's exposure without creating corresponding value.

Treating marketing data as regulated data imposes a discipline of data minimization and purpose limitation. Institutions must ask not only whether they can use the data, but whether it should be released at all and how long it should be retained. These principles are already cybersecurity best practice and are increasingly reflected in regulatory expectations.

A Change In Perspective Is Needed

To address the risk posed by marketing data, financial institutions do not need new legislation; they need a fundamental change in how they view marketing information. In reality, most marketing data is financial information and should be treated as such.

Aligning marketing practices with the enterprise security practices used for all of the institution's other data (vendor due diligence, access control, encryption and incident response planning) reduces risk without reducing the effectiveness of marketing. Recent breaches show that attackers do not respect organizational boundaries. Every institution that treats its marketing systems as low risk is exposing itself in the areas it is least prepared to defend.

As platforms and partners become more interconnected, the distinction between "marketing information" and "regulated financial information" has all but disappeared, and the security strategies of financial institutions must evolve accordingly.