Financial data is a desired target for cybercriminals. Hackers frequently attack financial institutions such as banks, loan services, investment and credit unions, and brokerage firms. Security incidents in the financial sector are extremely expensive (surpassed only by the healthcare industry), with the average total cost of a data breach reaching $5.72 million in 2021.
For efficient data security in the banking industry, you need to ensure proper compliance with banking cybersecurity standards, laws, and regulations, both local and international. In this article, we distill the main requirements and recommendations for the finance industry into twelve efficient best practices your organization can follow to ensure cybersecurity compliance.
Why does cybersecurity compliance matter for finance?
The importance of cybersecurity compliance in the financial sector is hard to overestimate.
Banks and financial institutions must constantly adjust their usual work processes and security controls to frequent cybersecurity landscape changes. With factors like the COVID-19 pandemic, increased teleworking, and digitalization, cybersecurity is becoming increasingly critical.
Financial institutions work closely with highly sensitive data such as personally identifiable information (PII) and financial records. Cybercriminals can compromise this data, use it for financial fraud, monetize it, and do other malicious activities for their own benefit.
According to the 2022 OneSpan Global Financial Regulations Report, nearly half of banks see reducing and preventing cyberattacks and fraud, along with protecting sensitive data, as their top challenges.
To ensure secure operations and the proper protection of sensitive data, local and international regulatory bodies establish security compliance requirements for financial organizations.
Cybersecurity requirements for financial services companies can help you determine:
1. What should be protected
What pain points to pay attention to when building an organization’s cybersecurity strategy
2. How to improve cybersecurity
What practices and technologies to implement for better protection of the organization’s IT infrastructure and data
Meeting financial cybersecurity compliance requirements can help your organization to:
- Get a clear view of the most critical data and systems
- Have a better understanding of deployed cybersecurity tools and practices
- Enhance the protection of valuable information
- Respond to cybersecurity incidents in a timely manner
Not complying with mandatory requirements, in turn, can lead to:
- Operational disruptions
- Reputational damage
- Lawsuits and criminal responsibility
- Fines for non-compliance
- Financial losses caused by cybersecurity incidents
Cybersecurity compliance vs. non-compliance
- Clear view of the most critical data and systems
- Better understanding of deployed cybersecurity tools and practices
- Enhanced protection of valuable information
- Timely response to cybersecurity incidents
- Operational disruptions
- Reputational damage
- Lawsuits and criminal responsibility
- Fines for non-compliance
- Financial losses caused by cybersecurity incidents
Fines for non-compliance can be extensive: the Spanish Data Protection Agency fined CaixaBank €6 million (≈ $6.27 million) for violating GDPR requirements in 2021. The maximum GDPR penalty can reach up to €20 million (≈ $20.9 million).
What can you do to make sure your organization stays compliant?
Organizations typically have to comply with more than one set of requirements. There are obligatory and advisory financial data security regulations as well as international, federal, and regional laws. By following the requirements of all applicable banking security standards, laws, and regulations, financial institutions can build advanced cybersecurity strategies to achieve the required level of cybersecurity.
It’s easy to get lost while looking for relevant IT standards, regulations, and local laws. So what should financial industry players focus on?
In the next section, we overview some of the key cybersecurity standards, laws, and regulations for banks and other financial institutions.
Major compliance requirements in the financial industry
Know what requirements you need to meet.
Compliance requirements have different purposes and different operational and jurisdictional areas for organizations working in the financial sector. Let’s take a look at the major ones, starting with global cybersecurity standards.
Global cybersecurity standards
There are three major international security standards in banking for financial institutions:
Any organization, institution, merchant, and payment solution provider must comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard specifies requirements for storing, processing, and transferring payment card data. The goal of the standard is to reduce cases of credit card fraud and improve cardholder data protections.
The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 standard is part of the large ISO/IEC 27000 family of cybersecurity standards. The 27001 standard outlines recommendations and proper procedures for managing security risks, including for managing financial information. Although the standard is not mandatory, it’s highly recommended for financial institutions.
Any financial organization using SWIFT services must comply with SWIFT Customer Security Programme (CSP) requirements. This framework specifies requirements for properly protecting data, managing access, and responding to incidents.
In addition to global cybersecurity requirements, there are also country-specific ones.
Local guidelines, laws, and directives
Some requirements vary from region to region. Let’s explore the most well-known:
The Sarbanes Oxley Act (SOX) outlines recommended practices that can prevent organizations from processing fraudulent financial transactions. In particular, it specifies what financial records should be stored, for how long, and how they need to be protected. This law is applicable to all public companies registered by the US Securities and Exchange Commission.
The Gramm–Leach–Bliley Act (GLBA) is a US law that governs the way financial institutions handle customers’ private data. In particular, it requires companies to establish strict data access policies and provide customers with full information on how their data is stored, processed, and secured.
This organization provides guidelines and sets requirements for US broker-dealers. Key Financial Industry Regulatory Authority (FINRA) requirements include having written data protection policies for preventing the compromise of consumer data. FINRA also outlines rules for detecting and mitigating cyber threats.
The Payment Services Directive (PSD 2) regulates electronic payments within the European Union. This EU directive outlines requirements for the way electronic payments are initiated and processed and sets strict rules for the protection of customers’ private data.
The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, is a US law that requires financial institutions to prevent and notify authorities about money laundering, terrorist financing, and tax evasion. BSA also requires banks to have incident response plans addressing cyber-related crimes.
Make sure you know your local cybersecurity laws and standards, as some cities and districts have their own, such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation and the California Consumer Privacy Act (CCPA).
Industry-specific cybersecurity requirements are not the only ones that should be considered by financial institutions.
Other requirements to consider
In addition to industry-specific laws, standards, and regulations, there are other requirements that banks and financial institutions should pay special attention to. In particular, guidance from the National Institute of Standards and Technology and the General Data Protection Regulation can be rather helpful for securing sensitive data, ensuring flawless operations, and avoiding expensive fines.
The National Institute of Standards and Technology (NIST) is a US government agency providing a variety of information security standards, such as NIST 800-53. NIST has recommendations on cybersecurity risk management, data protection, threat detection, and incident response. While targeted mostly at federal institutions, NIST recommendations can be followed by any organization that wants to ensure a high level of security for its sensitive assets.
The General Data Protection Regulation (GDPR) is a data privacy framework that sets rules for collecting, storing, transferring, and processing the personal data of EU residents. Compliance with GDPR requirements is mandatory for any organization that processes the private data of EU residents, no matter where such an organization is registered and operates. In fact, eight out of ten US companies have taken steps to comply with the GDPR. Apart from the EU version of the GDPR, there are similar localized laws such as the UK-GDPR and CCPA.
While having a lot of differences and peculiarities, major data privacy and cybersecurity requirements still have common ground. In the next section, we outline twelve helpful practices for meeting most cybersecurity requirements.
12 best practices for ensuring cybersecurity compliance in the financial sector
Protecting critical data and systems is a continuous process, not an end state.
Each cybersecurity standard, data protection law, or regulation imposes different requirements and makes different recommendations. That’s why we’ve compiled a set of twelve best practices that cover the most prevalent requirements and help improve your organization’s security.
Let’s look closer at each of these practices.
1. Regularly assess risks and audit your cybersecurity
Keep your finger on the pulse of your data security.
To begin, you need to inventory your organization’s security posture and identify potential threats. The GLBA Safeguards Rule, for example, requires financial institutions to conduct periodic written risk assessments. By doing so, you will get full visibility over your IT infrastructure and be able to identify internal and external risks to the security of your systems and data.
Start with identifying vulnerabilities that could result in the compromise of sensitive data: potential insider threats, cyberattacks, and third-party-related risks. Make sure to consider risks stemming from information systems as well as data processing, storage, and exchange.
Based on the identified risks, assess the sufficiency of your cybersecurity tools to respond to cyberattacks and system failures.
2. Establish a cybersecurity policy
Strive for coherence.
A cybersecurity policy is what coordinates an organization’s cybersecurity movement. Serving as a single guideline, your cybersecurity policy documents all the measures and tools your company must adopt to protect your valuable assets from cyber threats. Having a written cybersecurity policy in place makes it easier for banks to establish an effective cybersecurity routine and maintain proper data security in the long term.
For the best results, consider implementing a hierarchical cybersecurity policy, with strict agreement between policies, standards, and procedures. Also, keep policy requirements and recommendations up to date, and make sure your employees are aware of and follow your cybersecurity policy.
3. Appoint a data protection officer
Hire a security expert.
The GLBA, GDPR, PCI DSS, and some other regulations and standards require organizations to appoint a data protection officer (DPO). Hiring a professional DPO is a win-win situation: on the one hand, you’ll be one step closer to compliance; on the other hand, having a professional DPO increases your organization’s resilience to data security threats. However, you might also use the services of a DPO consultant if having a full-time in-house specialist isn’t financially realistic for your organization.
A DPO can give your organization valuable data protection advice and recommendations on implementing proper security controls as well as ensure timely notification of cybersecurity incidents to all stakeholders and relevant authorities.
When looking for a DPO, pay special attention to expertise in data protection and cybersecurity compliance for financial institutions. Knowledge of how financial organizations operate is also a plus. And remember: to make it work, your company must be open to changes and assist your DPO when needed.
4. Secure your network
Build a fortress no one can break.
Protecting your environment is a must for your organization’s cybersecurity compliance. The SWIFT Customer Security Controls (CSC) Framework, for example, recommends restricting internet access to sensitive systems alongside reducing the possible attack surface. You may also segment your main network into smaller subnetworks and segregate the most critical assets from the rest of the IT environment to make them less vulnerable — not to mention deploying fundamental security measures such as firewalls.
The more advanced your security is, the less likely is a breach of any of its components. For this matter, consider applying the layered security approach by using multiple strategies at different levels of security, including systems, networks, applications, processes, and data management.
5. Encrypt valuable data
Data can only be compromised if it can be read.
Required by ISO/IEC 27001, GLBA, GDPR, PCI DSS, and other standards and regulations, encryption is an efficient way to secure your data. First, it’s recommended to encrypt critical records and information on your customers: personally identifiable information (PII), clients’ income, collection history, credit score, etc. Information about any financial transactions such as payment histories, deposit balances, purchases, and account numbers must also be encrypted.
To protect your data in full, look for solutions that allow you to encrypt data both in storage and in transit. This way, you can significantly minimize the risk of a devastating data breach.
6. Limit access to critical assets
Prohibit access unless necessary.
By cutting the number of people with access to sensitive information, you can considerably reduce the risk of a security breach. To minimize the likelihood of privilege abuse, you may implement the principle of least privilege, giving everyone in your organization only the access rights necessary to carry out their job duties.
This is where privileged access management (PAM) solutions might come in handy, Ekran System being one of them. As a universal insider risk management platform, Ekran System provides sophisticated PAM capabilities, allowing you to granularly manage access rights for individual accounts, user roles, and even groups of users. With Ekran System, you can also provide your employees with one-time access, grant access by request, and limit the time period for which access is given.
7. Verify user identities
Make sure your users are who they claim to be.
Unsecured user authentication can lead to unauthorized access and result in data theft, malware installation, fraud, and other negative outcomes. That’s why it’s critical to follow the basic principles of zero trust and always verify user identities. One way of doing this is by using multi-factor authentication (MFA), which is a requirement of the majority of cybersecurity requirements in the financial sector.
Ekran System offers two-factor authentication (2FA) for verifying users’ identities by sending a unique code to a trusted mobile device. Ekran System’s identity management capabilities can also enable you to distinguish users of shared accounts.
8. Establish secure password management
Seventy-one percent of companies claim credential compromise to be one of the main routes into breaching an organization’s security. That’s why NIST Special Publication 800-63, PCI DSS, the GDPR, and other standards and regulations give recommendations and requirements on creating password policies. To automate and optimize password handling in your organization, you can also look for a dedicated password management solution.
Ekran System’s password management functionality allows you to generate and efficiently manage user credentials in your organization, perform automatic password rotation for Windows and Active Directory accounts, provide users with one-time passwords, and more. For better protection, all passwords and other secrets are stored in Ekran System’s secure vault and encrypted with AES 256-bit encryption.
9. Continuously monitor user activity
Watch and record users’ actions.
User activity monitoring plays a crucial role in detecting and preventing both insider and outsider threats. It’s also the key requirement of many cybersecurity regimes, including PCI DSS and SOX. By watching and analyzing users’ actions in your network, you can proactively detect suspicious events and see early signs of an attack in progress. And if a cybersecurity incident happens, you will have all the evidence of the crime.
With user activity monitoring functionality in Ekran System, you can monitor the actions of all users in your organization and record them in a comprehensive video format. Screen captures are accompanied by useful metadata, allowing you to search by parameters such as visited websites, launched applications, and typed keystrokes.
Ekran System’s advanced reporting capabilities allow you to generate various reports on the specific monitored data you might need. You can easily check your employees’ productivity, active and idle time, websites visited, etc. All reports in Ekran System are fully customizable.
10. Manage third-party risks
Don’t trust outsiders accessing your systems.
Third parties are often granted more access rights than they need. Yet a mistake made by a third party can result in anything from a minor service crash to a major data breach. In fact, 74% of breached organizations claim to have had at least one third-party-related security incident in 2021 according to the A Crisis in Third-Party Remote Access Security report by the Ponemon Institute.
This is why financial institutions and banks need to closely monitor and carefully manage their third parties. Ekran System can help you do that by monitoring the activity of third parties and managing their access to critical data using the platform’s PAM capabilities. You may also ensure your subcontractors comply with the same cybersecurity requirements that you do by adding a corresponding requirement to your service-level agreement.
11. Build an incident response plan
What will you do if your security is breached?
Alongside a cybersecurity policy, every financial institution should have a well-thought-out incident response plan (IRP). This document should provide clear response scenarios for cybersecurity incidents that might happen in your organization. A written IRP will serve as a guideline and help direct your security team’s actions in urgent conditions.
An IRP should specify what can be considered a cybersecurity incident and what actions are needed if one occurs, what to do to restore lost data or affected systems, and other possible details that will help you mitigate the consequences of an incident. It should also clearly describe the roles within your incident response team and state who to call and notify first in case of an incident.
Ekran System’s automated incident response functionality enables you to respond to security incidents both manually and automatically. Response actions include displaying a warning message to a user, blocking their session, terminating a particular process, and blocking an unapproved USB device.
To top it off, you can export a user’s working session in an immutable standalone format for forensic investigators to view and analyze evidence of a potential cybercrime.
12. Report security incidents in a timely manner
Never conceal an incident.
Most bank security compliance requirements compel organizations to notify governing institutions and involved parties about any data breaches. Notification terms can vary from within 72 hours, as set by the GDPR, to as soon as possible, as requested by the GLBA. To report a problem quickly, you have to detect it fast. For this, you need an efficient incident response tool.
The actionable alert and notification system in Ekran System can help you proactively detect suspicious events and expeditiously report them to your security team. Additionally, the AI-powered user and entity behavior analytics (UEBA) module in Ekran System automatically analyzes user behavior for any inconsistencies, notifying you about unusual activity in a timely manner.
Consider describing the reporting procedure in your incident response plan, as it’s one of the most important compliance requirements.
The financial sector is one of the most strictly regulated, as banks and financial institutions work closely with customers’ private information, social security data, and financial records. To reduce cybersecurity risks and properly protect valuable information in your organization, make sure to meet the requirements of relevant laws, regulations, and cybersecurity standards we have mentioned in this article.
You can make use of these twelve best practices for banking and financial cybersecurity compliance to get a full view of your organization’s most critical data and systems and protect them with the right cybersecurity controls. Ekran System’s access management, user activity monitoring, alerting, and reporting capabilities can aid your financial organization in cybersecurity compliance, data protection, and timely detection and response to cybersecurity incidents.
Download a FREE 30-day trial version of Ekran System to see if it’s the right fit for your financial data protection and cybersecurity compliance needs!