Financial institutions experience a level of regulatory burden and security compliance requirements that few other industries must contend with. Since they’re a central target for attackers due to the money they move and the vast amounts of data they possess, they’ve become a central focus for regulators due to the danger to the global economy should one of them fall victim to a breach.
As the cost of breaches climbs and the details of the most high-profile attacks remain catnip for the media, compliance requirements for financial services keep growing. For security experts, keeping up with the latest laws and regulations and achieving financial compliance can feel like a never-ending game of whack-a-mole.
Why Financial Regulatory Compliance Matters
In many cases these compliance regulations are also state or federal laws. Beyond that, however, keeping financial data safe is paramount to any financial organization’s operation due to the inherent risk involved.
Banks, credit unions, insurance companies, and other organizations that process cardholder data and information are firmly in threat actors’ crosshairs. In fact, these organizations are 300 times more likely to be targeted by a cyber attack, with the average cost of a breach in that sector topping $5.97 million. Non-compliance can also increase those breach expenses. According to the IBM Cost of a Data Breach Report 2023, “Organizations with a high level of noncompliance with regulations showed an average cost of USD 5.05 million, which exceeded the average cost of a data breach by USD 560,000, a difference of 12.6%.”
In addition, compliance is directly tied to cybersecurity. Understanding and implementing multiple cybersecurity practices can be complex, but compliance requirements offer a built-in cybersecurity framework: if your organization is compliant, it has also put those protections in place.
Key Cybersecurity Laws and Regulations for Financial Institutions
The Sarbanes-Oxley Act (SOX):
SOX establishes requirements for the secure storage and management of corporate-facing electronic financial records, including the monitoring, logging, and auditing of certain activities. A SOX-related audit will focus on elements of information security, including the creation and management of robust access controls and routine backups of data.
Important aspects of SOX:
- Applies to all publicly traded companies above a certain size
- Applies to all accounting firms that audit public companies
- SOX includes both financial and security provisions
Gramm-Leach-Bliley Act (GLBA):
GLBA regulates the collection, safekeeping, and use of private financial information. Additionally, GLBA requires covered companies and entities to be transparent with respect to information-sharing practices, which includes granting customers the right to opt out of the sharing of their data and information with third parties.
It’s important to note this act also includes the “Safeguards Rule,” which applies to auto dealerships and consists of nine specific requirements.
Payment Card Industry Data Security Standard (PCI DSS):
PCI DSS sets requirements for companies and organizations “that store, process, or transmit cardholder data.” As is the case with any guideline or standard, compliance alone does not shield an organization from legal liability in the event of a data and information breach.
However, strict adherence to the standard as well as conformance to extensive guidelines and recommendations outlined by the Federal Financial Institutions Examination Council (FFIEC) can mitigate an institution’s cybersecurity risks as well as demonstrate to customers a concerted effort to protect their data wherever it resides.
Broadly speaking, financial institutions and other organizations that must abide by PCI DSS are required to:
- Limit cardholder information and data access to as few employees as possible.
- Implement administrative controls that track account activity.
The standard has six goals:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
SOX, GLBA, and PCI DSS all require the tracking of user logins to computers or systems that contain sensitive data and information. The reasoning for this requirement is simple: to protect customer data and information, companies in the financial sector must be able to police who accesses it. This has spurred the creation of significant, specific regulations and compliance requirements for organizations in the financial sector.
23 NYCRR 500
This groundbreaking set of cybersecurity regulations aims to ensure that financial institutions under the supervision of the New York Department of Financial Services (NYDFS) protect their information systems and customer data from attack.
The regulation “requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.” Furthermore, the regulation requires senior management to file an annual certification that details the institution’s compliance efforts.
California Consumer Privacy Act (CCPA)
The CCPA puts more power in the hands of California consumers by giving them certain rights in terms of how companies process their personal information, including:
- The right to know what personal information a business collects, uses, shares, and sells
- The right to delete personal information on file with a covered company
- The right to opt-out of the sale of personal information
- The right to non-discrimination in pricing or services when consumers exercise their rights under CCPA
- The right to correct inaccurate personal information that a business has about them
- The right to limit the use and disclosure of sensitive personal information collected about them.
The CCPA applies to businesses with more than $25 million in annual revenues, entities that process personal information of 50,000 or more people annually, and organizations that earn 50% or more of their annual revenue from selling California residents’ personal information.
General Data Protection Regulation (GDPR)
Widely considered to be the strongest data protection rules in the world, GDPR “was designed to ‘harmonize’ data privacy laws” across EU member countries while providing individuals with greater protection and rights regarding their data. GDPR is built around the framework of seven key principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Financial Regulations and Compliance Requirements
While a financial institution’s defenses may thwart most attacks, encryption can provide an additional layer of security, making it more difficult for cybercriminals to steal data.
To that end, PCI DSS prohibits the storage of the “full contents of any track from the card’s magnetic stripe or chip.” Any cardholder data and personally identifiable information should be protected with encryption, both in storage and in transit over public or private networks.
Firewalls and Web Gateways
All companies and organizations that process cardholder data must install and maintain a firewall under PCI DSS guidelines. The minimum suggested requirements include:
- Changing the firewall’s default password
- Restricting access to payment systems to only what is necessary
- Denying unauthorized traffic
Along those lines, when tasked with evaluating the effectiveness of a financial institution’s IT security, auditors will check that:
- All connections are necessary for business purposes
- All insecure connections are supplemented with additional security controls
Banks and other organizations in the financial industry are also accountable under GLBA mandates for the deployment and ongoing maintenance of a firewall or anti-virus equivalent.
Financial institutions should use an intrusion detection system (IDS) to comply with PCI DSS requirement 11.4, which calls for the use of “intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network.”
The firewall and IDS work together to prevent attacks. While the firewall works to prevent intrusions from outside the institution, the IDS monitors those that make it past the firewall for evidence of malicious intent. The deployment and ongoing maintenance of the IDS can help assess the types of connections a firewall blocks and what it finds permissible.
PCI DSS requirement 11.4 also requires an institution to monitor network traffic at the perimeter of its cardholder data environment. This helps ensure that personnel are notified quickly when an indicator of compromise (IOC) appears, which is especially critical given the mandatory disclosure of unauthorized access within a certain period after an incident occurs.
Logging and Data Collection
Under GLBA, all security event information must be logged and reviewed. The FFIEC also has guidelines in place for identifying specific log sources (including firewalls, IDS, and anti-spam) and analyzing them for potentially threatening network activity, as well as related procedures for incident response and reporting IOCs.
PCI DSS requirement 10 mandates the continuous tracking and monitoring of access to network resources and payment data, including the use of logs to facilitate tracking and forensic analysis in the event of a breach.
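The access tracking that GLBA, the FFIEC guidance, and PCI DSS requirement 10 describe is only useful if someone actually reviews the logs. The script below is an added illustration, not code from the original page or from any regulator; it runs a review over a few constructed sshd-style log lines and raises two kinds of findings: an accepted login to an in-scope cardholder data host by an account that is not on the approved list, and a burst of failed logins against one account within a short window. The host inventory (`CDE_HOSTS`), the approved-user list, the threshold, and the log format are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of hosts that store or process cardholder data (assumption).
CDE_HOSTS = {"pay-db01", "pay-app01"}
# Constructed list of accounts approved for interactive access to CDE hosts (assumption).
APPROVED_CDE_USERS = {"alice", "svc-batch"}

# Burst detection: this many failures for one account on one host inside the window.
FAILED_THRESHOLD = 5
FAILED_WINDOW = timedelta(minutes=10)

# Simplified sshd-style line format (assumption):
# "<ISO timestamp> <host> sshd: <Accepted|Failed> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample log: one approved CDE login, one unapproved CDE login,
# five failed root logins within seconds, and one login outside the CDE.
SAMPLE_LOG = """\
2024-03-01T09:00:01 pay-app01 sshd: Accepted password for alice from 10.0.1.5
2024-03-01T09:05:12 pay-db01 sshd: Accepted password for bob from 10.0.1.9
2024-03-01T09:06:00 pay-db01 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:06:03 pay-db01 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:06:07 pay-db01 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:06:10 pay-db01 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:06:14 pay-db01 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:30:00 web01 sshd: Accepted password for carol from 10.0.2.2
"""


def parse_line(line):
    """Return a dict of fields for a recognised line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review_access_logs(lines):
    """Review login events and return a list of (finding_type, detail) tuples."""
    findings = []
    # (host, user) -> timestamps of recent failed logins, trimmed to the window
    failures = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            # Unparsed lines are surfaced rather than silently dropped, so a format
            # change cannot quietly blind the review.
            findings.append(("UNPARSED", line.strip()))
            continue
        in_cde = event["host"] in CDE_HOSTS
        if event["result"] == "Accepted" and in_cde and event["user"] not in APPROVED_CDE_USERS:
            findings.append(
                ("UNAPPROVED_CDE_ACCESS", f'{event["user"]}@{event["host"]} from {event["ip"]}')
            )
        if event["result"] == "Failed":
            key = (event["host"], event["user"])
            recent = [t for t in failures[key] if event["ts"] - t <= FAILED_WINDOW]
            recent.append(event["ts"])
            failures[key] = recent
            # Fire once, when the threshold is first reached inside the window.
            if len(recent) == FAILED_THRESHOLD:
                findings.append(("FAILED_LOGIN_BURST", f'{event["user"]}@{event["host"]}'))
    return findings


if __name__ == "__main__":
    for kind, detail in review_access_logs(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {detail}")
```

Running it on the sample produces two findings: the unapproved login by `bob` to `pay-db01`, and the failed-login burst against `root` on the same host. The login by `carol` to `web01` is not flagged because that host is outside the constructed CDE inventory, which is the point of keeping an explicit, reviewed scope list alongside the logs.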
Required Policies and Processes
In accordance with GLBA, companies within the financial sector must establish and uphold security policies for incident reporting and response. In addition, any staff who process and/or store GLBA data are expected to undergo annual security awareness training. These rules also apply to any third-party service provider handling GLBA data on behalf of another organization.
GLBA also requires timely patching for security updates. Similarly, PCI DSS requires the use of up-to-date security controls (like firewalls). Finally, FFIEC has guidelines that cover everything from end-of-life management for applications to version control and more.
Since many financial institutions engage third parties to provide a broad range of products and services, many of the laws and regulations pertaining to information security require vendor due diligence. This is especially important because cybercriminals routinely exploit a third party’s weak security to gain access to the larger entities they serve.
In addition to conducting robust due diligence when onboarding a third party, institutions are also typically required to perform ongoing monitoring of the relationship.
While initial and ongoing due diligence can uncover potential weaknesses in a third party’s IT security program, it also sends a strong message to vendors regarding the priority a financial institution places on customer data security.
How to Centralize Compliance Management
Companies in the financial sector must possess the ability to anticipate and respond to a broad range of threats while also taking steps to comply with increasingly onerous and complicated laws and regulations. That is why, instead of creating and staffing a security operations center (SOC) from the ground up or attempting to identify, integrate, and train security personnel, many financial institutions enlist third parties that employ teams of security operations experts.
These institutions have realized that, without a security operations platform, tasks like centralizing compliance management and optimizing threat detection and response become difficult, time-consuming, and expensive.
For more information and a list of actionable steps to take to enhance security at your organization, download the Financial Industry Cybersecurity Checklist.