© 2016 BlackBerry. All Rights Reserved.
File Sharing Use Cases in Financial Services
Jeff Holleran
Vice President, Corporate Strategy
July, 2017
Agenda
• Secure File Sharing in Financial Services
• Financial Services Use Cases
• Next Steps
Secure File Sharing in Financial Services
Financial Services: Key File Security Drivers
• Regulations - Multiple Requirements:
• Data Security and Encryption
• Strong Authentication and User Management
• Protection of Customer Data
• Chain of Custody and Compliance Reporting
• DLP Support
• Intellectual Property Protection
• Internal Technology and Systems
• Management and Maintenance of Client IP
• Corporate Governance and Confidentiality
• Mergers and Acquisitions
• Executive-Level Communications
• Maintenance of Mandated Internal Business Firewalls
• Threat Intelligence Sharing
Regulatory Requirements
Requirement                        | NYDFS 500 | GLBA/FFIEC | PCI DSS | GDPR
Protection of Customer Info        |     X     |     X      |    X    |  X
Encryption                         |     X     |     X      |    X    |  X
Access Controls                    |     X     |     X      |    X    |  X
Compliance Logging and Reporting   |     X     |     X      |    X    |  X
Oversight of External Users        |     X     |     X      |    X    |  X
Incident Monitoring and Reporting  | X X X (marked for three of the four frameworks; the slide layout does not show which column is blank)
Section 500.15 Encryption of Nonpublic Information.
(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement
controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both
in transit over external networks and at rest.
Best-Practices Security Standards
Financial Services firms and their technology partners should conform to the following standards:
• ISO/IEC 27001 Certification
  • ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
• SOC2 Type 2 external audits against AICPA auditing standards
  • A SOC 2 report helps to address third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the security of a system at a service organization.
• FIPS 140-2
  • U.S. government (NIST) computer security standard used to approve cryptographic modules.
The following standards provide best-practices security benchmarks for technology providers:
• US DoD ITAR & DFARS Compliance (NIST 800-53 and NIST 800-171)
• US HIPAA compliance and reporting
• UK Cyber Essentials Standards
File Sharing Throughout the FS Enterprise
[Diagram: internal roles and external parties, each with the document types they share. Which documents belong to which role is not recoverable from the extracted layout; the labels that survive are listed below.]
Internal roles: CEO, Board of Directors, CIO / CTO, Investment Banking, Human Resources, CFO, Market Research, Legal, Real Estate Services
External parties: Business Partners, Investors, Banking Customers, M&A Parties, Banking Services, Regulators, Outsourced Operations, Industry Groups, Outside Attorneys, Risk Assessment Sharing
Document types shared:
• SEC filings
• Tax/audit filings
• SOX reports
• Placements
• Board reports
• Compliance reports: GLBA, SOX, PCI, etc.
• Contracts
• Proprietary systems
• Compensation
• Bonus data
• Employee equity grants
• Corp dev/M&A
• eDiscovery
• Outside counsel
• Board documents
• Strategy plans
• Buy-side research
• Sell-side research
• Advisory Services
• M&A deal materials
• Mortgage documents
• Ecological assessment documents
• Property debt documents
• Loans, Letter of Credit
• Performance report
• Wealth Management/Investment fund performance data
File Sharing Today: Major Risk Factors
• 13: The average organization has 13 file sync applications in use – most not approved or managed by IT
• 76% of organizations send traffic to Dropbox (2GB/mo. on average)
• 40% of non-sanctioned cloud services used in FS firms are cloud storage and webmail apps
• 72% of cloud DLP violations at FS firms involve webmail, cloud storage or collaboration apps
Source: Netskope, Palo Alto Networks, Gartner
Secure Enterprise File Sharing Requirements
Security & Compliance
• File Encryption
  • Encryption at rest, in transit and in use
  • FIPS 140-2 certified crypto-modules
• File Access and Usage Controls
  • Only Authorized Users May Access Data and Files
  • Restrict File Redistribution
  • DRM, watermarking and online-only mode
• Administrative Controls
  • Fine-Grained User and Policy Management
  • Ability to Revoke or Change Access Automatically or Manually
• Logging and Auditing
  • All Data Access Events Must Be Captured and Logged
  • Flexible Compliance Reporting
• DLP Integration and Support
Productivity
• Collaborative Workspaces
  • Accessible via browser and apps
• Cross-Platform Support
  • Platform Agnostic
  • Secure Access, Productivity and Synchronization
• Extend and Secure Existing Repositories
  • “Protect-in-Place”
  • Provide Access and Sharing W/O File Migration
  • Support Existing Workflows & Systems
• Robust Integration Architecture
  • Development APIs and SDKs
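Three of the requirements above (controls that stay attached to the file, access that can be revoked without re-issuing the file, and every access attempt logged) can be shown together in a short program. The following is an added illustration, not BlackBerry code and not a description of how any BlackBerry product works; it assumes a hypothetical Vault that holds an AES-256-GCM key and a revocation list server-side, and uses a constructed sample file and policy. The sharing policy is bound to the ciphertext as AEAD associated data, so a copy of the file whose policy has been edited to add a reader no longer decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ErrDenied is returned for every refusal; the reason goes to the audit log only.
var ErrDenied = errors.New("access denied")

// Policy is the control that travels with the file (hypothetical format).
type Policy struct {
	FileID  string   `json:"file_id"`
	Readers []string `json:"readers"`
}

// ProtectedFile is what gets shared: ciphertext plus the exact policy bytes
// that were authenticated with it. No key and no plaintext are inside.
type ProtectedFile struct {
	PolicyJSON []byte
	Nonce      []byte
	Ciphertext []byte
}

// AuditEvent records one protect or open attempt, successful or not.
type AuditEvent struct {
	Time                         time.Time
	User, FileID, Action, Result string
}

// Vault is a hypothetical server-side component: AES-256-GCM key,
// revocation list and audit trail. The key never leaves it.
type Vault struct {
	aead    cipher.AEAD
	revoked map[string]bool
	Audit   []AuditEvent
}

func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, revoked: map[string]bool{}}, nil
}

func (v *Vault) log(user, fileID, action, result string) {
	v.Audit = append(v.Audit, AuditEvent{time.Now(), user, fileID, action, result})
}

// Protect encrypts under a fresh nonce and authenticates the policy as AAD.
func (v *Vault) Protect(owner string, plaintext []byte, p Policy) (*ProtectedFile, error) {
	aad, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.log(owner, p.FileID, "protect", "ok")
	return &ProtectedFile{PolicyJSON: aad, Nonce: nonce, Ciphertext: v.aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// Revoke applies to every file the user was granted, without touching the files.
func (v *Vault) Revoke(user string) { v.revoked[user] = true }

// Open checks revocation, then the travelling policy, then decrypts. A policy
// edited after sealing fails the last step even if it now names the user.
func (v *Vault) Open(user string, f *ProtectedFile) ([]byte, error) {
	var p Policy
	if err := json.Unmarshal(f.PolicyJSON, &p); err != nil {
		v.log(user, "?", "open", "denied: malformed policy")
		return nil, ErrDenied
	}
	if v.revoked[user] {
		v.log(user, p.FileID, "open", "denied: user revoked")
		return nil, ErrDenied
	}
	allowed := false
	for _, r := range p.Readers {
		allowed = allowed || r == user
	}
	if !allowed {
		v.log(user, p.FileID, "open", "denied: not in policy")
		return nil, ErrDenied
	}
	pt, err := v.aead.Open(nil, f.Nonce, f.Ciphertext, f.PolicyJSON)
	if err != nil {
		v.log(user, p.FileID, "open", "denied: policy or content tampered")
		return nil, ErrDenied
	}
	v.log(user, p.FileID, "open", "ok")
	return pt, nil
}

// Scenario runs the checks on a constructed sample and returns the audit
// outcomes in order: grant, foreign user, edited policy, revoked user.
func Scenario(key []byte) ([]string, error) {
	v, err := NewVault(key)
	if err != nil {
		return nil, err
	}
	f, err := v.Protect("owner", []byte("constructed sample: card statement"),
		Policy{FileID: "stmt-001", Readers: []string{"alice"}})
	if err != nil {
		return nil, err
	}
	v.Open("alice", f) // granted
	v.Open("bob", f)   // not in policy
	tampered := *f     // bob rewrites the travelling policy to include himself
	tampered.PolicyJSON = []byte(`{"file_id":"stmt-001","readers":["alice","bob"]}`)
	v.Open("bob", &tampered) // GCM tag no longer verifies
	v.Revoke("alice")
	v.Open("alice", f) // revoked server-side, file unchanged
	out := make([]string, 0, len(v.Audit))
	for _, e := range v.Audit {
		out = append(out, e.Action+": "+e.Result)
	}
	return out, nil
}

func main() {
	res, err := Scenario(make([]byte, 32)) // all-zero key: sample only
	if err != nil {
		panic(err)
	}
	for _, r := range res {
		fmt.Println(r)
	}
}
```

The audit trail is what a compliance reviewer would export; note that the tampered copy is refused by the cipher itself, not by a lookup, which is what makes the control travel with the file rather than with the server.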
Financial Services Case Studies
Common Financial Services Requirements
SHARING TO AGENTS / MERCHANTS – Remote access / mobile productivity
• Control sensitive / regulated information shared to agents
• Capture data from remote locations on mobile devices
• Securely synced folders
M&A / COMMERCIAL TRANSACTIONS – Securely collaborate with 3rd parties
• Sharing spreadsheets, models, numbers, etc.
• Control how files are used, who is accessing them, when and where
• Revoke access to documents after deal
EXTERNAL AUDIT REPORTING – Regulated, non-public information
• Share confidential, non-public documents with outside auditors
• Compliance regulations
LOAN / CREDIT INFORMATION – Protecting customer statements (PII)
• Collaborating on loan / credit information throughout lifecycle
• Providing regulated statements, capital calls, tax documents
LITIGATION / TRIAL CASES – Sharing to outside counsel
• Simple and secure sharing of files (some large – 10 GB)
• Prevent forwarding of information and revoke access after trial
Case Study: PCI DSS Compliance - Protecting Customer Personal Data
Customer Overview
American financial services company operating in business banking, retail banking and wealth management
Payment Card Industry Data Security Standard (PCI DSS)
Business Need
• Requirement 3.4: All credit card data needs to be encrypted or rendered unreadable.
• PCI certification on portfolio basis
• Already adopted for secure collaboration → easy to apply to PCI
Users
• Executives (SVP / VP)
• Managers
• Customer representatives
• Anyone who touches customer credit card information
Benefits
• Persistent AES-256 encryption
• Encryption and controls travel with the file
• All file activities are fully tracked for auditability
Case Study: Agent Network Regulatory Audit
Customer Overview
Global provider of insurance, annuities and employee benefit programs, serving 90 million customers.
Business Need
• Each of the 2,500 agencies must undergo regulatory audit every 18 months
• Requires collection of policies from 10-20 customers, approx. 20 documents per customer
• No secure standard process for sharing files
Users
• Auditors (India)
• Audit Manager
• Regional Sales Manager
• Independent Agency
Benefits
• Minimize security risk by standardizing the process.
• Control who has access, how long, what they can do with the file, etc.
• Track activity for access to sensitive data. Export audit logs for records.
Case Study: Securing Investor Relations
Customer Overview
One of the world’s largest private equity firms.
Business Need
• Need to protect business documents for transactions.
• Replace Intralinks with a mobile-friendly solution
• Globally accessible by 1,000 internal users and 15,000 limited partners
Users
• Board members
• Internal employees and contractors: Sales, PR, Legal
• Limited partners
Benefits
• Rolled out globally
• Easily integrated with existing portal with APIs – no change to user experience
• Added security controls on business documents
Case Study: Wealth Management Advisors
Customer Overview
Large European bank, operating in more than 50 countries globally.
Business Need
• Establish a mobility strategy
• Securely share and work on mobile devices
• WMAs spent hours printing & shredding files
• Must be easy enough to use for senior executives and board members
Users
• Wealth Management Advisors (WMA)
• Clients
• Senior executives and board members
Benefits
• Reduce the amount of paper used, resulting in $440K worth of carbon credits
• Save time to spend with clients, doing more value-added work
What Next?
Perform a Security Audit and Review
BlackBerry Shield Security Audit and Review Program
• Option One: Online Self-Assessment
• Option Two: 90-Minute Detailed Personal Review
BlackBerry Offers a FREE Security Audit
For more information: https://us.blackberry.com/enterprise/security/mobile-security-best-practices
Technical Controls
• Device security policy management
• Security administrator controls
• OS integrity and malware controls
• Encryption (at rest, in transit)
• Authentication
• Data leak prevention
• Secure communications and content protection
• Application security
• Availability
Administrative Controls
• Mobile Device Lifecycle Management
• Application security
• Organizational security structure
• Security configuration change management
• Risk assessment
• Security incident and response
• Governance/HR and Legal
• Security awareness training
Thank You…
Questions?
