Financial institutions experience a level of regulatory burden and security compliance requirements that few other industries must contend with. Since they’re a central target for attackers due to the money they move and the vast amounts of data they possess, they’ve become a central focus for regulators due to the danger to the global economy should one of them fall victim to a breach.
The financial sector’s need for—and access to—unfathomable amounts of extremely sensitive personal data comes with a high degree of risk. Banks, credit unions, insurance companies, and other organizations that process cardholder data and information are firmly in hackers’ crosshairs. Some of the most devastating cyberattacks in recent history have been on financial organizations and, according to IBM, the average total cost of a breach in the financial industry in 2021 was $5.72 million.
As the cost of breaches climbs and the details surrounding the most high-profile attacks continue to be catnip for the media, the scrutiny from government regulators intensifies. The security compliance requirements, critical laws, and regulations they have created are designed to enforce security and reduce the likelihood of harmful cyberattacks. But they have also greatly increased the compliance burden, potentially overwhelming even the most sophisticated financial institutions.
For security experts in the financial sector, it can feel like a never-ending game of whack-a-mole trying to understand the latest laws and regulations and achieve regulatory compliance. Thankfully, Arctic Wolf is here to help with our simplified regulatory checklist for financial institutions.
Compliance in Financial Services: Cybersecurity Laws and Regulations
The Sarbanes-Oxley Act (SOX):
SOX establishes requirements for the secure storage and management of corporate-facing electronic financial records, including the monitoring, logging, and auditing of certain activity. A SOX-related audit will focus on elements of information security, including the creation and management of robust access controls and routine backups of data.
Gramm-Leach-Bliley Act (GLBA):
GLBA regulates the collection, safekeeping, and use of private financial information. Additionally, GLBA requires covered companies and entities to be transparent with respect to information-sharing practices, which includes granting customers the right to opt out of the sharing of their data and information with third parties.
Payment Card Industry Data Security Standard (PCI DSS):
PCI DSS sets requirements for companies and organizations “that store, process, or transmit cardholder data.” As is the case with any guideline or standard, compliance alone does not shield an organization from legal liability in the event of a data and information breach. However, strict adherence to the standard as well as conformance to extensive guidelines and recommendations outlined by the Federal Financial Institutions Examination Council (FFIEC) can mitigate an institution’s cybersecurity risks as well as demonstrate to customers a concerted effort to protect their data wherever it resides.
Broadly speaking, financial institutions and other organizations that must abide by PCI DSS are required to:
Limit cardholder information and data access to as few employees as possible.
Implement administrative controls that track account activity.
SOX, GLBA, and PCI DSS all require the tracking of user access logins to computers or systems that contain sensitive data and information. The reasoning for this requirement is simple: To protect customer data and information, companies in the financial sector must be able to police activity related to its access. This has spurred the creation of significant, specific regulations and compliance requirements for organizations in the financial sector.
23 NYCRR 500
This groundbreaking set of cybersecurity regulations aims to ensure that financial institutions under the supervision of the New York Department of Financial Services (NYDFS) protect their information systems and customer data from attack. The regulation “requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.” Furthermore, the regulation requires senior management to file an annual certification that details the institution’s compliance efforts.
General Data Protection Regulation (GDPR)
Widely considered to be the strongest data protection rules in the world, GDPR “was designed to ‘harmonize’ data privacy laws” across EU member countries while providing individuals with greater protection and rights regarding their data. GDPR is built around the framework of seven key principles:
Fairness and transparency
Integrity and confidentiality (security)
Financial Regulations and Compliance Requirements
While a financial institution’s defenses may thwart most attacks, encryption can provide an additional layer of security, making it more difficult for cybercriminals to steal data.
To that end, PCI DSS prohibits the storage of the “full contents of any track from the card’s magnetic stripe or chip.” Any cardholder data and personally identifiable information should be protected with encryption, both in storage and in transit over public or private networks.
Firewalls and Web Gateways
All companies and organizations that process cardholder data must install and maintain a firewall under PCI DSS guidelines. The minimum suggested requirements include:
Changing the firewall’s default password
Restricting payment system access to only what is necessary
Denying unauthorized traffic
Along those lines, when tasked with evaluating the effectiveness of a financial institution’s IT security, auditors will check that:
All connections are necessary for business purposes
All insecure connections are supplemented with additional security controls
Banks and other organizations in the financial industry are also accountable under GLBA mandates for the deployment and ongoing maintenance of a firewall or anti-virus equivalent.
Financial institutions should use an intrusion detection system (IDS) to comply with PCI DSS requirement 11.4, which calls for the use of “intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network.”
The firewall and IDS work together to prevent attacks. While the firewall works to prevent intrusions from outside the institution, the IDS monitors those that make it past the firewall for evidence of malicious intent. The deployment and ongoing maintenance of the IDS can help assess the types of connections a firewall blocks and what it finds permissible.
PCI DSS requirement 11.4 also requires an institution to monitor network traffic at the perimeter of its cardholder data environment. This helps ensure that personnel are notified quickly in the event of an indicator of compromise (IOC). This is especially critical as it relates to the mandatory disclosure of unauthorized access within a certain period after an incident occurs.
Logging and Data Collection
Under GLBA, all security event information must be logged and reviewed. The FFIEC also has guidelines in place for identifying specific log sources (including firewalls, IDS, and anti-spam) and analyzing them for potentially threatening network activity, as well as related procedures for incident response and reporting IOCs.
PCI DSS requirement 10 mandates the continuous tracking and monitoring of access to network resources and payment data, including the use of logs to facilitate tracking and forensic analysis in the event of a breach.
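The two PCI DSS obligations above (limiting cardholder-data access to as few accounts as possible and tracking account activity, together with the requirement 10 audit trail) can be combined into a simple log review. The following is an added example, not code from Arctic Wolf or from PCI DSS itself; the log lines, host names, account names and the authorized-account list are all constructed for illustration, and the failure threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page); one event per line.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z host=cde-db01 user=jsmith action=login result=success src=10.1.4.22
2024-03-01T08:05:40Z host=cde-db01 user=svc_batch action=login result=success src=10.1.4.9
2024-03-01T08:07:03Z host=cde-db01 user=tlee action=login result=failure src=10.1.9.77
2024-03-01T08:07:09Z host=cde-db01 user=tlee action=login result=failure src=10.1.9.77
2024-03-01T08:07:15Z host=cde-db01 user=tlee action=login result=success src=10.1.9.77
2024-03-01T08:10:00Z host=cde-app02 user=jsmith action=export_report result=success src=10.1.4.22
2024-03-01T08:11:30Z host=hr-portal user=mwong action=login result=success src=10.1.6.5
"""

# Hypothetical least-privilege access list: accounts allowed on each cardholder-data host.
AUTHORIZED = {"cde-db01": {"jsmith", "svc_batch"}, "cde-app02": {"jsmith"}}
FAILURE_THRESHOLD = 2  # assumed value: repeated failures that warrant a follow-up

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def review_access(events, authorized=AUTHORIZED, threshold=FAILURE_THRESHOLD):
    """Return (audit_trail, findings) for hosts in the cardholder data environment."""
    audit_trail = [e for e in events if e["host"] in authorized]  # req. 10 record
    findings = []
    failures = defaultdict(int)
    for e in audit_trail:
        # A successful login by an account outside the access list is a finding.
        if e["result"] == "success" and e["user"] not in authorized[e["host"]]:
            findings.append(("unauthorized_account", e["host"], e["user"], e["ts"]))
        if e["result"] == "failure":
            failures[(e["host"], e["user"])] += 1
    for (host, user), n in failures.items():
        if n >= threshold:
            findings.append(("repeated_failures", host, user, n))
    return audit_trail, findings
```

Events on hosts outside the access list (here `hr-portal`) are dropped from the cardholder-data audit trail but would still be retained in the institution's general logs.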
Required Policies and Processes
In accordance with GLBA, companies within the financial sector must establish and uphold security policies for incident reporting and response. In addition, any staff who process and/or store GLBA data are expected to undergo annual security awareness training. These rules also apply to any third-party service provider handling GLBA data on behalf of another organization.
GLBA also requires timely patching for security updates. Similarly, PCI DSS requires the use of up-to-date security controls (like firewalls). Finally, FFIEC has guidelines that cover everything from end-of-life management for applications to version control and more.
Since many financial institutions engage third parties to provide a broad range of products and services, many of the laws and regulations pertaining to information security require vendor due diligence. This is especially important because cybercriminals routinely exploit a third party’s weak security to gain access to the larger entities they serve.
In addition to conducting robust due diligence when onboarding a third party, institutions are also typically required to perform ongoing monitoring of the relationship.
While initial and ongoing due diligence can uncover potential weaknesses in a third party’s IT security program, it also sends a strong message to vendors regarding the priority a financial institution places on customer data security.
How to Centralize Compliance Management
Companies in the financial sector must possess the ability to anticipate and respond to a broad range of threats while also taking steps to comply with increasingly onerous and complicated laws and regulations. That is why, instead of creating and staffing a security operations center (SOC) from the ground up or attempting to identify, integrate, and train security personnel, many financial institutions enlist third parties that employ teams of security operations experts.
These institutions have realized that, without a security operations platform , tasks like centralizing compliance management and optimizing threat detection and response are extremely difficult, time-consuming, and expensive.
For more information and a list of actionable steps to take to enhance security at your organization, download the Financial Industry Cybersecurity Checklist.