Thought Leadership

Security Connection: Who is responsible for keeping your financial information and data safe?

Diane McCracken
Executive Vice President and Chief Security Officer, Customers Bank
These days, just about everyone has been a victim of a data breach in which their information was exposed or compromised and, in some cases, used to commit fraud. The proliferation of phishing scams and hackers has made the theft of information commonplace.

Whether the result of malicious parties or, in most cases, an individual’s own doing (however unknowing), the rate of victimization raises the stakes on a question we too often leave unanswered: who is ultimately responsible for monitoring and maintaining the safety of financial and personal data?

On the one hand, the institutions that operate our financial systems have the technical capacity and staff to monitor and prevent many fraud incidents, and they are the gatekeepers to our data. On the other hand, one might put the responsibility at the feet of individual customers: they demand anywhere-anytime access to their money, so surely they have a responsibility to follow safety protocols and not expose themselves to undue risk.

Ultimately, the answer to this question is that the responsibility falls on both parties to protect personal information and data. Neither organizations nor individuals can guarantee the safety of data or personal information on their own. The best approach to protecting financial information and data requires a combined effort between institutions and the individual.

On the institution side, financial firms such as banks, brokerage firms and asset managers, as well as other institutions including retailers and credit unions, must reasonably invest in firewalls, anti-virus protection, fraud prevention, encryption, vulnerability management and other technologies that protect customers’ accounts. And, because no system is perfect, these institutions must also employ security specialists to maintain vigilance against the evolving threats of the cyber world.

To some extent, this is the result of regulatory requirements: financial institutions may be held liable for losses their customers sustain as a result of a bad actor’s infiltration of the institution’s systems. Those regulations align the interests of the institution with those of its customers, and that alignment is precisely why financial institutions so actively track and identify the sources of fraud: recovering their customers’ money may reduce their own liability.

This drive toward security must coexist with a fundamentally incompatible reality: customers want easy access to their money. As institutions meet their customers’ needs with these new systems—from online banking, to smartphone apps, to virtual assistants—they have to build in tools their customers can use to secure their accounts.

As individuals, we have to recognize that while we desire more control over our personal data and money, we also have to take steps to ensure we are doing our part to maintain our security. That means enabling multi-factor authentication, using strong passwords, opting in to account usage alerts, and being careful about the networks we use, avoiding insecure ones. Individuals who secure their accounts with these simple fraud countermeasures substantially improve their security. At the end of the day, the security of our financial information and data is not an issue for institutions or individuals to manage alone. Data is only as secure as its weakest link; data security is therefore the responsibility of both organizations and individuals, and it requires a consistent and active effort from both parties.