Following the publication of the Basel (II and III) and Solvency regulations, implementing Governance, Risk and Compliance (GRC) practices within financial institutions has become a priority. To meet the data governance challenges set out in the pillars of these regulations, companies have multiplied their efforts to recruit the best GRC talent in Risk Management, Internal Control, Internal Audit and Compliance.
According to a study conducted by the consulting company Optimind Winter and commissioned by the Observatoire des métiers de la Banque (Banking Career Observatory)[1], “Banking companies are also victims of new risks and must create new job profiles to deal with these new challenges. GRC departments must face new challenges, such as coverage of systemic risk, development of Cloud Computing or Mobile Bank (technological nomadism).” This refers to the digitalization of the banking sector and the use of the Internet to manage personal bank accounts. Banks and insurance companies have accordingly implemented solutions to protect their customers’ data against cyber-attacks. While the efforts made to secure customer data have proven effective, the threat now lies inside financial companies, in their daily workflows.
Along with new working methods, a new phenomenon has emerged, known as “Shadow IT”: any application or method of transmitting information used in a business process without the endorsement of the internal IS department. IT departments are often unaware that it exists and therefore provide no support for it. Such processes generate “informal”, uncontrolled data that can contravene existing standards and regulations such as Basel and Solvency.
Two examples of this phenomenon are BYOD[2] and the use of software or applications not listed in the internal IS catalog. Together, they represent a real danger for companies in terms of data traceability and governance, since they open the door to data leakage and theft.
Today, financial companies often overlook automated translation when looking for ways to combat these threats. Many companies may ask what the purpose is of buying a secure automated translation solution for their teams. Nevertheless, banks are increasingly global, and on a daily basis employees need to:
- Communicate in a multilingual environment with their colleagues and clients, whether they are in China, France, South Africa, or elsewhere
- Translate more material into a multitude of languages
Without an automated translation solution in the IS catalog, employees will most likely turn to a free online service without worrying about the risk they are taking for their company. I am not referring to discussions between colleagues about the next company seminar, but to confidential email exchanges dealing with sensitive financial data, contracts that the Legal department must translate and revise, Audit Committee reporting, financial or operational risk analyses, or IT architecture projects affecting the company’s entire IT infrastructure.
It should be noted that such data is the property of the company, which is therefore legally responsible for it. Once data is exposed on the web, its integrity is seriously compromised. Given the multiplicity of scandals and cyber-attacks, the inaction of organizations strikes me. Indeed, employees may unintentionally place confidential data not only in GAFA’s hands, but also in hackers’ hands! Logically, the question is not whether you are going to be hacked, but how and when.
Of course, it is possible to implement access restriction policies for these free online translation services in the workplace. But, in concrete terms, how can companies track employees who occasionally work from home and translate confidential documentation and emails there?
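The following is an added example, not code from the original article, showing what the workplace control described above amounts to in practice: a small script that scans web-proxy logs for data uploaded to online translation services. The log format (timestamp, user, method, URL, bytes sent) is assumed, and the translation-service hostnames and log lines are constructed placeholders, not real vendors or real traffic.

```python
"""Flag proxy-log requests that upload data to online translation services.

Added example, not from the original article. It assumes a simple
space-separated proxy log format (timestamp, user, method, URL, bytes sent)
and a constructed deny-list of hostnames; a real deployment would substitute
the vendors' actual domains and its own proxy's log format.
"""
from urllib.parse import urlparse

# Constructed deny-list of translation-service hostnames (placeholders only).
TRANSLATION_HOSTS = {
    "translate.example-a.com",
    "www.example-b-translator.net",
}

# Constructed sample proxy log: "<timestamp> <user> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
2024-05-02T09:14:03Z jdoe POST https://translate.example-a.com/translate_a 48213
2024-05-02T09:14:09Z jdoe GET https://intranet.corp.example/home 0
2024-05-02T09:15:41Z asmith POST https://www.example-b-translator.net/api/translate 1320
2024-05-02T09:16:02Z bwong GET https://translate.example-a.com/ 0
2024-05-02T09:17:30Z asmith POST https://mail.corp.example/send 9040
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, url, bytes_out = parts
    try:
        bytes_out = int(bytes_out)
    except ValueError:
        return None
    return {"ts": ts, "user": user, "method": method,
            "host": urlparse(url).hostname or "", "bytes_out": bytes_out}


def find_translation_uploads(log_text, min_bytes=1):
    """Return events where a user sent a request body (POST/PUT) to a
    translation-service host. Plain GETs of the landing page are not reported:
    visiting the site is not the same as pasting a document into it."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if (ev["host"] in TRANSLATION_HOSTS
                and ev["method"] in {"POST", "PUT"}
                and ev["bytes_out"] >= min_bytes):
            hits.append(ev)
    return hits


def summarize_by_user(hits):
    """Aggregate bytes uploaded per user, for a daily review report."""
    totals = {}
    for ev in hits:
        totals[ev["user"]] = totals.get(ev["user"], 0) + ev["bytes_out"]
    return totals


if __name__ == "__main__":
    uploads = find_translation_uploads(SAMPLE_LOG)
    for ev in uploads:
        print(f'{ev["ts"]} {ev["user"]} sent {ev["bytes_out"]} bytes to {ev["host"]}')
    print(summarize_by_user(uploads))
```

On the constructed sample, two of the five lines are reported (the two POST requests to listed hosts). The script also makes the article's point concrete: it only sees traffic that crosses the corporate proxy, so a document pasted into the same service from a home connection leaves no trace here at all, which is why blocking alone does not answer the question of traceability.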
Before it is too late, CIOs should implement an IT security program, led by the Chief Information Security Officer and the Compliance department, to supervise BYOD practices and make a complete application portfolio available, in particular an automated translation solution installed within the company’s own IT infrastructure. The immediate priority is to let employees know that such a secure translation tool exists, to train them in its use, and to provide guidelines for internal communication.
Integrating this application into data processing will allow banks and insurance companies to comply with regulations that require full traceability of information. Such requirements relate to data quality as well as to IS governance regarding data security and availability.
[1] http://www.observatoire-metiers-banque.fr/mediaServe/Etude_Les_metiers_du_risque_et_du_controle_dans_la_banque_site.pdf?ixh=2723623858704744574
[2] Bring Your Own Device refers to employees using their own personal devices for professional purposes when working from home or travelling (email, company apps, etc.). Some companies already manage BYOD for IT security and legal reasons through a COPE (Corporate Owned, Personally Enabled) approach.