Given their need for, and access to, vast amounts of highly sensitive personal data, financial institutions carry a regulatory burden that few other industries have to contend with. Collecting that data, however, is not optional.
Financial institutions run on data. If they are to deliver competitive products and services, companies in the financial sector need personal data and need their customers to entrust them with it.
This has put banks, credit unions, insurance companies, and other organizations that process cardholder data firmly in attackers' crosshairs. Some of the most damaging cyberattacks in recent history have hit financial organizations, including the Equifax breach in 2017.
Every year, the financial services sector experiences a steady stream of breaches. As the details of each breach reach the media, scrutiny from government regulators intensifies, and some customers end their relationship with institutions they believe cannot protect their data.
To underscore the size of the threat: of the 3,950 confirmed breaches reported in Verizon's 2020 Data Breach Investigations Report, 448 were in the financial and insurance sector, one of the largest shares of any industry.
Cybersecurity Laws and Regulations for the Financial Sector
In response to pressure from consumers and the ever-present and growing threat of cybercrime, several critical laws and regulations have been designed to enforce security and reduce the likelihood of harmful cyberattacks.
Nevertheless, maintaining compliance can prove complicated and can easily overwhelm even the most sophisticated financial institutions.
On the federal level, financial organizations must comply with the following:
The Sarbanes-Oxley Act (SOX):
SOX establishes requirements for the retention and integrity of corporate electronic financial records, including the monitoring, logging, and auditing of activity that affects financial reporting. A SOX-related IT audit focuses on controls such as access management for the systems that hold those records and routine, verified backups of the data.
Gramm-Leach-Bliley Act (GLBA):
GLBA regulates the collection, safekeeping, and use of private financial information. For example, according to the Safeguards Rule, if an entity meets the definition of a financial institution, it must adopt measures to protect the customer data in its possession. Additionally, the Act requires covered entities to be transparent with respect to information-sharing practices, which includes granting customers the right to opt out of the sharing of their data with third parties.
Payment Card Industry Data Security Standard (PCI DSS):
PCI DSS sets requirements for organizations “that store, process, or transmit cardholder data." As is the case with any guideline or standard, compliance alone doesn't shield an organization from legal liability in the event of a data breach. However, strict adherence to the standard as well as conformance to extensive guidelines and recommendations outlined by the Federal Financial Institutions Examination Council (FFIEC) can mitigate an institution's cybersecurity risks as well as demonstrate to customers a concerted effort to protect their data wherever it resides.
SOX, GLBA, and PCI DSS all require the tracking of user logins to systems that contain sensitive data. The reasoning is simple: to protect customer data, a financial institution must be able to see, and act on, who is accessing it.
Broadly speaking, financial institutions and other organizations that must abide by PCI DSS are required to:
- Limit cardholder data access to as few employees as possible.
- Implement administrative controls that track account activity.
FFIEC guidance calls for two-factor or multifactor authentication to verify the identity of authorized users.
The Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency have likewise emphasized response and resilience as part of business continuity, the role of strong authentication, and the need to securely configure systems and services to prevent attacks and limit their severity.
While a financial institution's defenses may thwart most attacks, encryption can provide an additional layer of security to make it much more difficult for cybercriminals to steal data and use it to commit fraud.
To that end, PCI DSS prohibits storing sensitive authentication data after authorization, including the "full contents of any track from the card's magnetic stripe or chip" and card verification codes. The primary account number (PAN) must be rendered unreadable wherever it is stored, and cardholder data must be encrypted in transit over open, public networks; applying the same protection on private networks and to other personally identifiable information is sound practice.
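As an added illustration (not code from the original article), the script below scans stored records for the data PCI DSS says must not be retained after authorization: full track 1 and track 2 data and card verification codes. It also flags bare PANs, using a Luhn check to cut false positives on ordinary digit runs, and shows PAN masking that reveals at most the first six and last four digits. The record format and the sample records are constructed for this example, and the PANs are standard test numbers, not real accounts.

```python
import re

# Track 1 (ISO/IEC 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")
# Card verification code stored as a labelled field, e.g. "cvv=123"
CVV_RE = re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# A bare PAN: 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used for card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits are shown."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(text: str) -> list[dict]:
    """Return findings for prohibited authentication data and bare PANs in one record."""
    findings = []
    covered = []  # spans already reported as track data, so their PAN is not counted twice
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            covered.append(m.span())
            findings.append({"type": kind, "pan": mask_pan(m.group(1)), "severity": "prohibited"})
    for m in CVV_RE.finditer(text):
        findings.append({"type": "cvv", "pan": None, "severity": "prohibited"})
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"type": "pan", "pan": mask_pan(digits), "severity": "must be unreadable at rest"})
    return findings


def scan_records(records: dict) -> dict:
    """Map record id -> findings, omitting clean records."""
    result = {}
    for rid, text in records.items():
        hits = scan_record(text)
        if hits:
            result[rid] = hits
    return result


# Constructed sample records (assumed log/database export format); test PANs only.
SAMPLE_RECORDS = {
    "txn-1": "auth ok; track=%B4111111111111111^DOE/JOHN^25121011000000000000? amount=12.50",
    "txn-2": "refund; track2=;5555555555554444=25121011000000000000?",
    "txn-3": "card 4111 1111 1111 1111 exp 12/25 cvv=123",
    "txn-4": "order 98765432109876 phone 555-123-4567 ticket 4111111111111112",
}

if __name__ == "__main__":
    for rid, hits in scan_records(SAMPLE_RECORDS).items():
        for h in hits:
            print(rid, h["type"], h["pan"], h["severity"])
```

Records txn-1 and txn-2 hold full track data and txn-3 holds a verification code, all of which must be purged; txn-3 also holds a PAN that must be rendered unreadable at rest. txn-4 is clean: the 14-digit order number and the 16-digit ticket both fail the Luhn check, and the phone number is too short to be a PAN.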
Firewalls and Web Gateways
All organizations that process cardholder data must install and maintain a firewall under PCI DSS guidelines.
The baseline requirements set out by the PCI Security Standards Council include:
- Changing the firewall's default password.
- Restricting access to payment systems to only what is necessary.
- The denial of unauthorized traffic.
Along those lines, when tasked with evaluating the effectiveness of a financial institution's IT security, auditors will check that:
- All connections are necessary for business purposes.
- All insecure connections are supplemented with additional security controls.
Likewise, under the GLBA Safeguards Rule, banks and other financial institutions are accountable for deploying and maintaining safeguards such as firewalls and anti-malware controls.
Financial institutions should use an intrusion detection system (IDS) to comply with PCI DSS, requirement 11.4, which calls for the use of “intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network."
The firewall and IDS work together to prevent attacks. The firewall blocks unwanted connections from outside the institution; the IDS inspects the traffic that the firewall permits for evidence of malicious intent. The IDS therefore also shows what the firewall is letting through, which helps tune its rules over time.
The PCI DSS requirement also calls for monitoring network traffic at the perimeter of the institution's cardholder data environment and at critical points inside it. This helps ensure that personnel are notified quickly when an indicator of compromise (IOC) appears, which matters all the more because unauthorized access must be disclosed within a set period after an incident occurs.
Logging and Data Collection
Under GLBA, all security event information must be logged and reviewed. FFIEC also has guidelines in place for identifying specific log sources (including firewalls, IDS, and anti-spam) and analyzing them for potentially threatening network activity, as well as related procedures for incident response and reporting IOCs.
According to requirement 10, PCI DSS also mandates continuous tracking and monitoring of access to network resources and payment data, including the use of logs to facilitate tracking and forensic analysis in the event of a breach.
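The log review described above, as an added example that is not part of the original article: a small detector run over constructed access logs from a cardholder-data database. It parses key=value lines, then applies three checks a reviewer would want: a burst of failed logins followed by a success for the same account and source (a likely password-guessing attack that got in), a read of the cardholder table by an account outside the approved allowlist (the least-privilege point from PCI DSS requirement 7), and a bulk read that looks like an export. The log format, field names, allowlist, and thresholds are all assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumed policy values for this example
APPROVED_CDE_USERS = {"jsmith", "app_payments"}  # accounts allowed to read cardholder data
FAIL_THRESHOLD = 5        # failed logins within WINDOW_SECONDS before a success
WINDOW_SECONDS = 300
BULK_ROWS = 1000          # more rows than any normal application query returns

# Constructed sample log in an assumed key=value format (timestamps are UTC)
SAMPLE_LOG = """\
2024-03-04T09:01:10Z host=cde-db01 user=jsmith event=login result=success src=10.0.5.7
2024-03-04T09:02:30Z host=cde-db01 user=jsmith event=query table=cardholder rows=3
2024-03-04T02:10:01Z host=cde-db01 user=svc_batch event=login result=fail src=203.0.113.9
2024-03-04T02:10:04Z host=cde-db01 user=svc_batch event=login result=fail src=203.0.113.9
2024-03-04T02:10:07Z host=cde-db01 user=svc_batch event=login result=fail src=203.0.113.9
2024-03-04T02:10:11Z host=cde-db01 user=svc_batch event=login result=fail src=203.0.113.9
2024-03-04T02:10:15Z host=cde-db01 user=svc_batch event=login result=fail src=203.0.113.9
2024-03-04T02:10:20Z host=cde-db01 user=svc_batch event=login result=success src=203.0.113.9
2024-03-04T02:11:02Z host=cde-db01 user=svc_batch event=query table=cardholder rows=25000
2024-03-04T10:15:00Z host=cde-db01 user=app_payments event=query table=cardholder rows=1
"""


def parse_line(line: str) -> dict:
    """Turn '<ts> k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def review(log_text: str) -> list[dict]:
    """Run the three checks over the log and return alerts in time order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])  # logs are rarely written in perfect order
    alerts = []
    fails = defaultdict(list)  # (user, src) -> timestamps of recent failed logins
    for e in events:
        if e.get("event") == "login":
            key = (e["user"], e.get("src"))
            if e["result"] == "fail":
                fails[key].append(e["ts"])
                continue
            recent = [t for t in fails[key] if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_success", "user": e["user"],
                               "src": e.get("src"), "ts": e["ts"], "failures": len(recent)})
            fails[key].clear()
        elif e.get("event") == "query" and e.get("table") == "cardholder":
            if e["user"] not in APPROVED_CDE_USERS:
                alerts.append({"rule": "unapproved_cde_access", "user": e["user"], "ts": e["ts"]})
            if int(e.get("rows", 0)) >= BULK_ROWS:
                alerts.append({"rule": "bulk_cardholder_read", "user": e["user"],
                               "ts": e["ts"], "rows": int(e["rows"])})
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], a["user"])
```

On the sample log the normal activity of jsmith and app_payments produces nothing, while svc_batch trips all three rules in sequence: five failures then a success from an external address, a read of the cardholder table by an account not on the allowlist, and a 25,000-row read. Keeping the raw lines that fed each alert is what makes the later forensic reconstruction requirement 10 has in mind possible.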
Required Policies and Processes
Financial institutions, in accordance with GLBA, must establish and uphold security policies for incident reporting and responding. In addition, any staff who process and/or store GLBA data are expected to undergo annual security awareness training. These rules also apply to any third-party service provider handling GLBA data on behalf of another organization.
GLBA also requires timely patching for security updates. Similarly, PCI DSS requires the use of up-to-date security controls (like firewalls). Finally, FFIEC has guidelines that cover everything from end-of-life management for applications to version control and more.
Since many financial institutions engage third parties to provide a broad range of products and services, many of the laws and regulations pertaining to information security require vendor due diligence. In fact, cybercriminals routinely exploit third parties' weak security to gain access to the larger entities they serve.
In addition to conducting robust due diligence when onboarding a third party, institutions are also typically required to perform ongoing monitoring of the relationship.
While initial and ongoing due diligence can uncover potential weaknesses in a third party's IT security program, it also sends a strong message to vendors regarding the priority a financial institution places on customer data security.
How to Centralize Compliance Management
At the heart of all of these government regulations is a focus on ensuring the security and confidentiality of customer information. To that end, financial institutions must possess the ability to anticipate and respond to a broad range of threats while also taking steps to comply with increasingly onerous and complicated laws and regulations.
Without a formal security operations center (SOC), centralizing compliance management and optimizing threat detection and response are extremely difficult. Instead of creating and staffing a SOC from the ground up or attempting to identify, integrate, and train security personnel, many financial institutions enlist third parties that employ teams of security operations experts.
Get in touch to learn about our team of security operations experts and how we help financial institutions ensure regulatory compliance.
For more information and a list of actionable steps to take to enhance security at your organization, download the Financial Industry Cybersecurity Checklist.