Given their need for – and access to – unfathomable amounts of highly sensitive personal data, financial institutions experience a level of security compliance requirements and regulatory burden that few other industries have to contend with. However, the acquisition of such data isn't optional.
Financial institutions run on data. If such companies are to deliver competitive products and services, companies in the financial sector need personal data and need their customers to entrust them with it.
This has created a reality where banks, credit unions, insurance companies and other organisations that process cardholder data and information are firmly in hackers' crosshairs. Some of the most devastating cyberattacks in recent history have been on financial organisations, including the Equifax breach in 2017.
In fact, every year, the financial services sector experiences a steady stream of breaches. As details about each breach reach the media, the level of security compliance requirements and scrutiny from government regulators intensifies. As a result, some customers feel driven to end their relationship with companies and institutions that they believe are unable to protect their data.
To highlight the size of the threat: of the 3,950 confirmed breaches reported in Verizon's 2020 Data Breach Investigations Report, the financial and insurance sector had the most (448 breaches).
Compliance in Financial Services: Cybersecurity Laws and Regulations for the Financial Sector
In response to pressure from consumers and the ever-present and growing threat of a data privacy breach and cybercrime, several security compliance requirements, critical laws and regulations have been designed to enforce security and reduce the likelihood of harmful cyberattacks.
Nevertheless, maintaining compliance requirements can prove complicated and can easily overwhelm even the most sophisticated financial institutions.
On the federal level, financial organisations must comply with the following security compliance requirements:
The Sarbanes-Oxley Act (SOX):
SOX establishes requirements for the secure storage and management of corporate-facing electronic financial records, including the monitoring, logging and auditing of certain activity. A SOX-related audit will focus on elements of information security, including the creation and management of robust access controls and routine backups of data.
Gramm-Leach-Bliley Act (GLBA):
GLBA regulates the collection, safekeeping and use of private financial information. For example, according to the Safeguards Rule, if an entity meets the definition of a financial institution, it must adopt measures to protect the customer data in its possession. Additionally, the Act requires covered companies and entities to be transparent with respect to information-sharing practices, which includes granting customers the right to opt out of the sharing of their data and information with third parties.
Payment Card Industry Data Security Standard (PCI DSS):
PCI DSS sets requirements for companies and organisations ‘that store, process or transmit cardholder data’. As is the case with any guideline or standard, compliance alone doesn't shield an organisation from legal liability in the event of a data and information breach. However, strict adherence to the standard as well as conformance to extensive guidelines and recommendations outlined by the Federal Financial Institutions Examination Council (FFIEC) can mitigate an institution's cybersecurity risks, as well as demonstrate to customers a concerted effort to protect their data wherever it resides.
SOX, GLBA and PCI DSS all require the tracking of user logins to computers or systems that contain sensitive data and information. The reasoning for this requirement is simple: in order to protect customer data and information, companies in the financial sector must be able to police the activity of those who access it.
Broadly speaking, financial institutions and other organisations that must abide by PCI DSS are required to:
- Limit cardholder information and data access to as few employees as possible.
- Implement administrative controls that track account activity.
FFIEC has recommendations in place for the use of two-factor or multifactor authentication to help verify the identity of authorised users.
The Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency reaffirmed the importance of response and resilience as they relate to business continuity, the role of authentication and the need to securely configure systems and services to prevent and mitigate the severity of an attack.
While a financial institution's defences may thwart most attacks, encryption can provide an additional layer of security to make it much more difficult for cybercriminals to steal data and use it to commit fraud.
To that end, PCI DSS prohibits the storage of the ‘full contents of any track from the card's magnetic stripe or chip’. Any cardholder data and personally identifiable information should be protected with encryption, both in storage and in transit over public or private networks.
Firewalls and Web Gateways
All companies and organisations that process cardholder data must install and maintain a firewall under PCI DSS guidelines.
The minimum requirements recommended by the PCI Security Standards Council include:
- Changing the firewall's default password.
- Restricting access to payment systems to only what is necessary.
- The denial of unauthorised traffic.
Along those lines, when tasked with evaluating the effectiveness of a financial institution's IT security, auditors will check that:
- All connections are necessary for business purposes.
- All insecure connections are supplemented with additional security controls.
Likewise, banks and other financial institutions and companies are accountable under GLBA mandates for the deployment and ongoing maintenance of a firewall or anti-virus equivalent.
Financial institutions should use an intrusion detection system (IDS) to comply with PCI DSS requirement 11.4, which calls for the use of ‘intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network’.
The firewall and IDS work together to prevent attacks. While the firewall works to prevent intrusions from outside the institution, the IDS monitors those that make it past the firewall for evidence of malicious intent. The deployment and ongoing maintenance of the IDS can help to assess the types of connections a firewall blocks and what it finds permissible.
The PCI DSS requirement also includes the need to monitor network traffic at the perimeter of the institution's cardholder data environment. This helps to ensure that personnel are notified quickly in the event of an indicator of compromise (IOC). This is especially critical, as it relates to the mandatory disclosure of unauthorised access within a certain period after an incident occurs.
Logging and Data Collection
Under GLBA, all security event information must be logged and reviewed. FFIEC also has guidelines in place for identifying specific log sources (including firewalls, IDS and anti-spam) and analysing them for potentially threatening network activity, as well as related procedures for incident response and reporting IOCs.
According to requirement 10, PCI DSS also mandates continuous tracking and monitoring of access to network resources and payment data, including the use of logs to facilitate tracking and forensic analysis in the event of a breach.
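The access-tracking expectation described above (limit cardholder-data access to a short allow-list of accounts, log every login, and review the logs) can be checked mechanically. The following Python script is an added illustration, not code from the original article or from any vendor; the host names, the authorised-user list and the log lines are all constructed for the example.

```python
"""Added example: a minimal PCI DSS requirement-10-style review of login
records for hosts in the cardholder data environment (CDE)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allow-list: each CDE host maps to the few accounts permitted
# to log in to it (the "as few employees as possible" principle).
AUTHORISED = {
    "cde-db01": {"dba_alice", "svc_payments"},
    "cde-app01": {"svc_payments", "ops_bob"},
}

# Constructed audit-log lines in a simple syslog-like key=value format.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z cde-db01 login user=dba_alice result=success src=10.1.1.5
2024-03-01T09:02:30Z cde-app01 login user=contractor_x result=success src=10.9.9.9
2024-03-01T09:03:00Z cde-db01 login user=ops_bob result=failure src=10.1.1.7
2024-03-01T09:03:10Z cde-db01 login user=ops_bob result=failure src=10.1.1.7
2024-03-01T09:03:20Z cde-db01 login user=ops_bob result=failure src=10.1.1.7
2024-03-01T09:03:30Z cde-db01 login user=ops_bob result=failure src=10.1.1.7
2024-03-01T09:03:40Z cde-db01 login user=ops_bob result=failure src=10.1.1.7
2024-03-01T09:03:50Z cde-db01 login user=ops_bob result=failure src=10.1.1.7
2024-03-01T09:10:00Z cde-app01 login user=svc_payments result=success src=10.1.1.8
"""

FAIL_THRESHOLD = 6              # failures within FAIL_WINDOW that raise an alert
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, host, _event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, **fields}


def review_logins(log_text, authorised=AUTHORISED):
    """Return (alert_type, host, user) findings for the review period."""
    findings = []
    failures = defaultdict(list)  # (host, user) -> timestamps of recent failures
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        key = (rec["host"], rec["user"])
        # Successful login by an account that is not on the host's allow-list.
        if rec["result"] == "success" and rec["user"] not in authorised.get(rec["host"], set()):
            findings.append(("unauthorised_access", rec["host"], rec["user"]))
        if rec["result"] == "failure":
            recent = [t for t in failures[key] if rec["ts"] - t <= FAIL_WINDOW]
            recent.append(rec["ts"])
            failures[key] = recent
            if len(recent) == FAIL_THRESHOLD:  # alert once, when the threshold is first reached
                findings.append(("repeated_failures", rec["host"], rec["user"]))
    return findings
```

In a real deployment the allow-list would come from the access-control system of record and the log lines from the SIEM, but the two checks (off-list access and bursts of failed logins on CDE hosts) are exactly the evidence an auditor asks to see reviewed.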
Required Policies and Processes
Financial institutions and similar companies, in accordance with GLBA, must establish and uphold security policies for incident reporting and response. In addition, any staff who process and/or store GLBA data are expected to undergo annual security awareness training. These rules also apply to any third-party service provider handling GLBA data on behalf of another organisation.
GLBA also requires timely patching for security updates. Similarly, PCI DSS requires the use of up-to-date security controls (like firewalls). Finally, FFIEC has guidelines that cover everything from end-of-life management for applications to version control and more.
Since many financial institutions engage third parties to provide a broad range of products and services, many of the laws and regulations pertaining to information security require supplier due diligence. In fact, cybercriminals routinely exploit third parties' weak security to gain access to the larger entities that they serve.
In addition to conducting robust due diligence when onboarding a third party, institutions are also typically required to perform ongoing monitoring of the relationship.
While initial and ongoing due diligence can uncover potential weaknesses in a third party's IT security program, it also sends a strong message to suppliers regarding the priority that a financial institution places on customer data security.
How to Centralise Compliance Management
At the heart of all of these government regulations is a focus on ensuring the security and confidentiality of customer data and information. To that end, companies from the financial sector must possess the ability to anticipate and respond to a broad range of threats, while also taking steps to comply with increasingly onerous and complicated laws and regulations.
Without a formal security operations centre (SOC), centralising compliance management and optimising threat detection and response are extremely difficult. Instead of creating and staffing a SOC from the ground up or attempting to identify, integrate and train security personnel, many financial institutions enlist third parties that employ teams of security operations experts.
Get in touch to learn about our team of security operations experts and how we help financial institutions to ensure regulatory compliance.
For more information and a list of actionable steps to take to enhance security at your organisation, download the Financial Industry Cybersecurity Checklist.