Financial Tech Gaps: What Firms Miss Most

June 15, 2026
Blog

6 min read


What Do Financial Services Firms Actually Need From Their Technology?

The compliance gaps, the print security blind spots, and what we see most often when we work with financial firms for the first time.

Financial services firms face a specific problem most other businesses do not.

The data you hold (client account numbers, Social Security numbers, financial plans, loan files, and transaction records) is exactly what attackers want most. And the regulations that govern how you protect it are among the strictest of any industry, with real enforcement consequences when something goes wrong.

Novatech works with more than 450 banks, credit unions, RIAs, insurance agencies, and financial advisory firms across the Southeast. This guide answers the compliance and technology questions we hear most often from operations managers and compliance officers who are trying to close their gaps before an examiner or auditor finds them.

From the Field

We work with financial firms across Tennessee, Georgia, Texas, and Virginia. The most common finding in our assessments is not a sophisticated vulnerability. It is a combination of basic controls that were never implemented: MFA not enabled on all systems, backups not tested, departed employee access not removed, and no written information security program as required by the updated Safeguards Rule.

What Regulations Actually Govern Technology at Financial Services Firms?

Quick Answer

What compliance requirements apply to technology at financial services firms?

The primary federal framework is the FTC Safeguards Rule under the Gramm-Leach-Bliley Act, which applies to non-bank financial institutions including mortgage companies, title companies, auto dealers, tax preparers, and investment advisors. The updated 2023 Safeguards Rule requires MFA on all systems containing customer NPI (nonpublic personal information), encryption of NPI in transit and at rest, a written information security program, a designated security officer, and annual risk assessments. SEC-registered firms face additional cybersecurity disclosure and examination requirements. State-level regulations vary, with states like New York imposing some of the strictest requirements in the country.

Tennessee, Georgia, Virginia, and Texas all have data breach notification laws that require financial firms to notify affected customers when NPI is compromised. Tennessee requires notification within 45 days of discovery. Virginia requires notification in the most expedient time possible. Georgia’s law was updated in 2023 to add specificity around what triggers notification.

For most financial firms with fewer than 50 employees, achieving and maintaining Safeguards Rule compliance is a matter of implementing a set of specific controls and documenting that you have done so. It is less complex than it sounds when approached systematically.

What Are the Most Common Technology Gaps We Find at Financial Firms?

Multi-Factor Authentication That Is Not Actually on Every Account

The 2023 Safeguards Rule update made MFA a specific requirement for any system containing customer NPI. Most financial firms have turned on MFA for some accounts but not all. The accounts most often missed:

  • Front desk staff who access the CRM but are not considered administrators
  • Part-time or seasonal employees whose accounts are set up quickly
  • Shared service accounts used for specific functions like document scanning
  • Cloud platforms adopted recently that were not included in the original MFA rollout

From the Field

In our technology assessments at financial firms in Tennessee and Virginia, incomplete MFA deployment is the most consistent finding. It is almost never intentional. The accounts that lack MFA are usually the ones that were set up quickly, by someone who was not the primary IT contact, for a specific purpose. A quarterly access review that confirms MFA is enabled on every account is the practical fix.

The Networked Copier As a Compliance Liability

Every networked multifunction copier stores images of documents it processes on its internal hard drive. At a financial firm, those documents include client statements, loan files, financial plans, account opening paperwork, and any other document that has run through the device.

Quick Answer

What does a financial firm need to do about its copier’s hard drive?

Four things: enable hard drive encryption on all networked devices so stored data is unreadable if accessed, implement PIN or badge-release printing so documents containing NPI are not left sitting in an output tray, require certified hard drive destruction or overwrite as a written condition of any device return or end-of-lease, and obtain and retain a certificate of data destruction for your compliance records.

No Written Information Security Program

The Safeguards Rule requires financial institutions to have a written information security program. Most small and mid-sized financial firms do not have one. This is not a criticism. It is one of the most common gaps we find, and it is one of the first things an FTC examiner or your E&O carrier will ask about.

A written information security program does not need to be a 100-page document. For a firm with fewer than 50 employees, a clear, practical document of 10 to 15 pages that covers your risk assessment process, your security controls, your vendor oversight approach, your incident response plan, and your training program is sufficient. What matters is that it exists, is reviewed annually, and is actually followed.

Vendor Access That Was Set Up and Never Reviewed

Financial firms typically use multiple software vendors who have some level of access to systems containing client data. Portfolio management software. CRM systems. Document management platforms. Tax preparation software. Each of these represents a vendor relationship that needs to be formally managed under the Safeguards Rule.

  • Every vendor with access to NPI should have a signed agreement that includes data security requirements and breach notification obligations
  • Vendor access credentials should be unique to the vendor, not a shared password used by multiple people
  • Vendor access should be reviewed at least annually and when the relationship changes
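The quarterly access review recommended in the MFA section above and the vendor-access checks listed here come down to the same exercise: pull every account with access to NPI and flag the ones that fall short. The script below is an added example, not Novatech's tooling or any product's export format; the CSV layout, column names, and the sample accounts are constructed for illustration. It reads such an export, skips accounts whose access is already disabled, and reports accounts without MFA, departed users still enabled, shared credentials, and access that has not been reviewed within the past year.

```python
"""Quarterly access review over a constructed account export (added example).

The CSV columns below are an assumption for this illustration, not the output
of a real CRM, directory, or vendor portal.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export: one row per account that can reach client NPI.
SAMPLE_EXPORT_CSV = """\
name,kind,mfa_enabled,employed,access_enabled,shared_credential,last_reviewed
admin.jane,user,yes,yes,yes,no,2026-04-01
frontdesk.tom,user,no,yes,yes,no,2026-04-01
seasonal.ana,user,no,no,yes,no,2025-01-10
old.intern,user,no,no,no,no,2024-06-01
svc-scanner,service,no,yes,yes,yes,2026-04-01
vendor-crm,vendor,yes,yes,yes,no,2024-11-03
vendor-tax,vendor,yes,yes,yes,yes,2026-02-20
"""


@dataclass
class Account:
    name: str
    kind: str              # "user", "service", or "vendor"
    mfa_enabled: bool
    employed: bool         # False once HR records the person as departed
    access_enabled: bool   # False if the account is already disabled
    shared_credential: bool
    last_reviewed: date


def _flag(value: str) -> bool:
    """Interpret the yes/no style values used in the constructed export."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_export(text: str) -> list[Account]:
    """Parse the hypothetical CSV export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append(Account(
            name=row["name"].strip(),
            kind=row["kind"].strip().lower(),
            mfa_enabled=_flag(row["mfa_enabled"]),
            employed=_flag(row["employed"]),
            access_enabled=_flag(row["access_enabled"]),
            shared_credential=_flag(row["shared_credential"]),
            last_reviewed=date.fromisoformat(row["last_reviewed"].strip()),
        ))
    return accounts


def review_access(accounts, today, review_max_days=365):
    """Return (account name, finding) pairs for every enabled account that
    misses one of the controls discussed in the post."""
    findings = []
    for a in accounts:
        if not a.access_enabled:
            continue  # already disabled: nothing to flag
        if not a.mfa_enabled:
            findings.append((a.name, "MFA not enabled"))
        if a.kind == "user" and not a.employed:
            findings.append((a.name, "departed user still has access"))
        if a.shared_credential:
            findings.append((a.name, "shared credential"))
        if (today - a.last_reviewed).days > review_max_days:
            findings.append((a.name, "access review overdue"))
    return findings


def mfa_coverage(accounts) -> float:
    """Fraction of enabled accounts that have MFA turned on."""
    enabled = [a for a in accounts if a.access_enabled]
    if not enabled:
        return 1.0
    return sum(a.mfa_enabled for a in enabled) / len(enabled)


def summarize(findings) -> dict:
    """Count findings by reason, for the review's written record."""
    counts: dict = {}
    for _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    accts = parse_export(SAMPLE_EXPORT_CSV)
    results = review_access(accts, date(2026, 6, 15))
    print(f"MFA coverage: {mfa_coverage(accts):.0%}")
    for name, reason in results:
        print(f"{name}: {reason}")
    print(summarize(results))
```

Run it against a real export by replacing the constructed CSV with the file your directory or vendor portal produces, mapping its columns onto the ones assumed here. Keeping the dated output with your compliance records is what turns the script into evidence that the quarterly review actually happened.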

What Does Business Continuity Planning Look Like for a Financial Firm?

Quick Answer

What should a financial services firm include in its business continuity plan?

For SEC-registered firms, business continuity planning is an examination topic. Your plan should address what happens when your CRM or portfolio management system is unavailable, how staff communicate if email is down, what the process is for accessing client data if your primary system is offline, and who has authority to make key decisions during an incident. The plan should be tested at least annually, documented with results, and updated when significant technology changes occur.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to independent financial advisors and RIAs?

Yes. The FTC Safeguards Rule applies to financial institutions as defined by GLBA, which includes investment advisors that are not SEC-registered and other non-bank financial service providers. SEC-registered RIAs are subject to the SEC’s cybersecurity rules rather than the FTC Safeguards Rule, but the practical requirements are similar. If you are unsure which framework applies to your firm, your compliance counsel can clarify, and your technology partner should be familiar with both.

How often should a financial firm conduct a security risk assessment?

The Safeguards Rule requires at least annual risk assessments. Most examiners and auditors want to see that the assessment is documented, that findings were addressed, and that the process was repeated the following year. In practice, we recommend a formal annual assessment supplemented by continuous monitoring that flags new risks as they emerge, such as when a new vendor is added or a staff member with elevated access leaves.

What is the first thing a financial firm should do if it suspects a data breach?

Contain the incident first: disconnect affected systems from the network if possible, preserve logs and evidence, and contact your managed IT provider or incident response team. Then notify your cyber insurance carrier, as most policies require prompt notification. Contact legal counsel to understand your notification obligations under the applicable state law. Document every step of the response. Do not attempt to clean up the situation before you understand the full scope, and do not communicate about the incident on systems that may be compromised.

Is cyber insurance enough to cover a data breach at a financial firm?

Cyber insurance covers some of the cost of a breach but not all of it, and coverage has tightened significantly in recent years. Most policies now require demonstrated security controls as a condition of coverage, including MFA and documented security programs. A breach that occurs because you did not implement required controls may result in a reduced payout or a coverage dispute. Insurance is a transfer mechanism for residual risk, not a substitute for controls.

Memphis, TN

novatech.net/locations/memphis

Chattanooga, TN

novatech.net/locations/chattanooga

Virginia Beach, VA

novatech.net/locations/virginia-beach


Visit novatech.net/locations to find your nearest office.

About Novatech

Novatech is a managed office technology provider serving businesses across the Southeast and beyond. We manage more than 75,000 devices and support clients across IT infrastructure, cybersecurity, cloud solutions, copiers, printers, and document software, all under one roof.

To learn more about how Novatech serves the banking and finance industry, visit https://novatech.net/who-we-serve/banking-finance or call your local Novatech office.

Written By: Editorial Team
