< BACK TO BLOG

12 May, 2021
by Arctic Wolf

A Simplified Regulatory Checklist for Financial Institutions

Given their need for – and access to – unfathomable amounts of highly sensitive personal data, financial institutions experience a level of security compliance requirements and regulatory burden that few other industries have to contend with. However, the acquisition of such data isn’t optional.

Financial institutions run on data. If such companies are to deliver competitive products and services, companies in the financial sector need personal data and need their customers to entrust them with it.

This has created a reality where banks, credit unions, insurance companies and other organisations that process cardholder data and information are firmly in hackers’ crosshairs. Some of the most devastating cyberattacks in recent history have been on financial organisations, including the Equifax breach in 2017.

In fact, every year, the financial services sector experiences a steady stream of breaches. As details about each breach reach the media, the level of security compliance requirements and scrutiny from government regulators intensifies. This leads customers to sometimes feel driven to end their relationship with companies and institutions that they believe are unable to protect their data.

To highlight the size of the threat: of the 3,950 confirmed breaches reported in Verizon’s 2020 Data Breach Investigations Report, the financial and insurance sector had the most (448 breaches).

Compliance in Financial Services: Cybersecurity Laws and Regulations for the Financial Sector

In response to pressure from consumers and the ever-present and growing threat of a data privacy breach and cybercrime, several security compliance requirements, critical laws and regulations have been designed to enforce security and reduce the likelihood of harmful cyberattacks.

Nevertheless, maintaining compliance requirements can prove complicated and can easily overwhelm even the most sophisticated financial institutions.

On the federal level, financial organisations must comply with the following security compliance requirements:

The Sarbanes-Oxley Act (SOX):

SOX establishes requirements for the secure storage and management of corporate-facing electronic financial records, including the monitoring, logging and auditing of certain activity. A SOX-related audit will focus on elements of information security, including the creation and management of robust access controls and routine backups of data.

Gramm-Leach-Bliley Act (GLBA):

GLBA regulates the collection, safekeeping and use of private financial information. For example, according to the Safeguards Rule, if an entity meets the definition of a financial institution, it must adopt measures to protect the customer data in its possession. Additionally, the Act requires covered companies and entities to be transparent with respect to information-sharing practices, which includes granting customers the right to opt out of the sharing of their data and information with third parties.

Payment Card Industry Data Security Standard (PCI DSS):

PCI DSS sets requirements for companies and organisations ‘that store, process or transmit cardholder data’. As is the case with any guideline or standard, compliance alone doesn’t shield an organisation from legal liability in the event of a data and information breach. However, strict adherence to the standard as well as conformance to extensive guidelines and recommendations outlined by the Federal Financial Institutions Examination Council (FFIEC) can mitigate an institution’s cybersecurity risks, as well as demonstrate to customers a concerted effort to protect their data wherever it resides.

SOX, GLBA and PCI DSS all require the tracking of user access logins to computers or systems that contain sensitive data and information. The reasoning for this requirement is simple: In order to protect customer data and information, companies in the financial sector must be able to police activity related to its access.

Broadly speaking, financial institutions and other organisations that must abide by PCI DSS are required to:

Limit cardholder information and data access to as few employees as possible.
Implement administrative controls that track account activity.

FFIEC has recommendations in place for the use of authentication (two-factor or multifactor) to help to verify the identity of authorised users.

The Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency reaffirmed the importance of response and resilience as they relate to business continuity, the role of authentication and the need to securely configure systems and services to prevent and mitigate the severity of an attack.

Encryption

While a financial institution’s defences may thwart most attacks, encryption can provide an additional layer of security to make it much more difficult for cybercriminals to steal data and use it to commit fraud.

To that end, PCI DSS prohibits the storage of the ‘full contents of any track from the card’s magnetic stripe or chip’. Any cardholder data and personally identifiable information should be protected with encryption, both in storage and in transit over public or private networks.

Firewalls and Web Gateways

All companies and organisations that process cardholder data must install and maintain a firewall under PCI DSS guidelines.

The minimum suggested requirements recommended by the PCI Security Standards Council include:

Changing the firewall’s default password.
Restricting access to payment systems to only what is necessary.
The denial of unauthorised traffic.

Along those lines, when tasked with evaluating the effectiveness of a financial institution’s IT security, auditors will check that:

All connections are necessary for business purposes.
All insecure connections are supplemented with additional security controls.

Likewise, banks and other financial institutions and companies are accountable under GLBA mandates for the deployment and ongoing maintenance of a firewall or anti-virus equivalent.

Intrusion Detection

Financial institutions should use an intrusion detection system (IDS) to comply with PCI DSS, requirement 11.4, which calls for the use of ‘intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network’.

The firewall and IDS work together to prevent attacks. While the firewall works to prevent intrusions from outside the institution, the IDS monitors those that make it past the firewall for evidence of malicious intent. The deployment and ongoing maintenance of the IDS can help to assess the types of connections a firewall blocks and what it finds permissible.

The PCI DSS requirement also includes the need to monitor network traffic at the perimeter of the institution’s cardholder data privacy environment. This helps to ensure that personnel are notified quickly in the event of an indicator of compromise (IOC). This is especially critical, as it relates to the mandatory disclosure of unauthorised access within a certain period after an incident occurs.

Logging and Data Collection

Under GLBA, all security event information must be logged and reviewed. FFIEC also has guidelines in place for identifying specific log sources (including firewalls, IDS and anti-spam) and analysing them for potentially threatening network activity, as well as related procedures for incident response and reporting IOCs.

According to requirement 10, PCI DSS also mandates continuous tracking and monitoring of access to network resources and payment data, including the use of logs to facilitate tracking and forensic analysis in the event of a breach.

Required Policies and Processes

Financial institutions and such companies, in accordance with GLBA, must establish and uphold security policies for incident reporting and responding. In addition, any staff who process and/or store GLBA data are expected to undergo annual security awareness training. These rules also apply to any third-party service provider handling GLBA data on behalf of another organisation.

GLBA also requires timely patching for security updates. Similarly, PCI DSS requires the use of up-to-date security controls (like firewalls). Finally, FFIEC has guidelines that cover everything from end-of-life management for applications to version control and more.

Supplier Management

Since many financial institutions engage third parties to provide a broad range of products and services, many of the laws and regulations pertaining to information security require supplier due diligence. In fact, cybercriminals routinely exploit third parties’ weak security to gain access to the larger entities that they serve.

In addition to conducting robust due diligence when onboarding a third party, institutions are also typically required to perform ongoing monitoring of the relationship.

While initial and ongoing due diligence can uncover potential weaknesses in a third party’s IT security program, it also sends a strong message to suppliers regarding the priority that a financial institution places on customer data security.

How to Centralise Compliance Management

At the heart of all of these government regulations is a focus on ensuring the security and confidentiality of customer data and information. To that end, companies from the financial sector must possess the ability to anticipate and respond to a broad range of threats, while also taking steps to comply with increasingly onerous and complicated laws and regulations.

Without a formal security operations centre (SOC), centralising compliance management and optimising threat detection and response are extremely difficult. Instead of creating and staffing a SOC from the ground up or attempting to identify, integrate and train security personnel, many financial institutions enlist third parties that employ teams of security operations experts.

Get in touch to learn about our team of security operations experts and how we help financial institutions to ensure regulatory compliance.

For more information and a list of actionable steps to take to enhance security at your organisation, download the Financial Industry Cybersecurity Checklist.

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.

Continue Reading

CVE-2024-3400: Follow Up: Patches Released for Actively Exploited Critical Vulnerability in GlobalProtect Feature of PAN-OS

© 2024 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Accessibility Statement	Information Security	Sustainability Statement	Cookies Settings

SOLUTIONS

INDUSTRIES

Quickly detect, respond, and recover from advanced threats.

Detect and respond to advanced threats targeting your cloud infrastructure and applications.

Discover, assess, and harden your environment against digital risks.

Explore, harden, and simplify your cloud environment against misconfiguration vulnerabilities.

Engage and prepare employees to recognize and neutralize social engineering attacks.

Recover quickly from cyber attacks and breaches, from threat containment to business restoration.

HOW IT WORKS

Delivering security operations outcomes.

Collect, enrich, analyze.

Ecosystem integrations and technology partnerships.

Tailored security expertise and guided risk mitigation.

Security experts proactively protecting you 24×7.

Meet some of the security experts working alongside you and your team.

TRENDING RESOURCES

Understanding ransomware — from its origins to its impacts to the TTPs that allow ransomware gangs to exploit victim organizations and make off with millions in ransom payments and extortion fees.

The elite security researchers, data scientists, and security developers of Arctic Wolf Labs share forward-thinking insights along with practical guidance you can apply to protect your organization.

Learn how our Concierge Security® and Triage Security Teams help end cyber risk.

SECURITY BULLETINS

CVE-2024-3400: Follow Up: Patches Released for Actively Exploited Critical Vulnerability in GlobalProtect Feature of PAN-OS

CVE-2024-26234 for Windows and CVE-2024-29053 for Defender for IOT highlighted in Microsoft’s April 2024 Patch Tuesday

CVE-2024-3400: Critical Vulnerability in GlobalProtect Feature of PAN-OS being Actively Exploited

COMPANY