How to comply with financial sector regulations through a data-centric approach to security

Partilhe em    

The financial services sector is struggling, according to a report published by Allianz, to a period of great risks. The Covid-19 pandemic has caused one of the biggest shocks to the world economy, triggering unprecedented economic and fiscal stimulus and record levels of public debt. Despite the better economic outlook, considerable uncertainty persists in the sector and it should also focus on so-called “non-financial” risks. According to this report, the biggest non-financial risk facing this sector is cybersecurity incidents.
 
Among the insurance claims to which the sector has been subjected, the main cause of loss of value is due to cyberattacks. The pandemic sparked a rapid and unplanned rise in remote work, and accelerated digitization, which have paved the way for cybercriminals. Financial institutions face risks of business interruption, derived from cyberattacks. On the other hand, a mistake in the supply chain can affect the financial institution, as third-party service providers can be a weak link in the cybersecurity chain of these institutions.

Analysis of data leaks in the financial sector

According to the latest report from Verizon DBIR 2021 (Data Breach Investigations Report), the insurance and financial services area, has undergone a host of changes when it comes to the cybersecurity environment. Since 2017, security gaps or information leaks in the sector caused by internal actors have been growing, currently reaching 44% of the total. For the most part they have been due to emails sent to the wrong recipients. 56% of leaks are due to external actors, where phishing and ransomware attacks dominate other sectors. The attackers’ motivations are 96% financial and the compromised data is 83% personal data followed by credentials and bank details.

Regulations and technological changes in the sector

These information leaks and cybersecurity incidents have a great impact at the level of regulatory compliance, this being one of the greatest challenges for the financial services industry, with growing regulations around cybersecurity and a constantly evolving technological environment. The consequences of data breaches are having a great reach in the sector, leading to higher fines and litigation. New technologies such as artificial intelligence, crypto currencies, and biometrics will generate greater risks and responsibilities in the near future and this will increase regulatory pressure in the sector.

Financial services companies work with highly sensitive information that includes personal data and financial records, of high interest to a cyber-attacker. To ensure that this sensitive data is protected appropriately, local and international institutions have established compliance regulations at the cybersecurity level for companies and organizations in the sector.
 
Failure to comply with these regulations can lead to high penalties or financial fines, financial losses derived from a data breach, litigation, business interruptions, reputational damage and loss of customers. However, following the requirements of these regulations helps to have greater security over sensitive information, better manage cyber risks, have a broader view of the organization’s critical systems and data, and better understand which cybersecurity techniques to prioritize over other. 

What kind of regulations and safety standards exist in the sector?

Next, we list some national and international regulations that apply to the sector. Some more specific to financial services, and others common to various sectors, and therefore also affect this sector.

1. International data security standards

1.1  Specific to the financial sector

There are international data security standards that affect organizations in this sector. Some of the main are specific to the financial sector. They are:

• PCI-DSS (Payment Card Industry Data Security Standard): The Payment Card Security Standards Council (PCI SSC) oversees the administration of the Payment Card Industry Data Security Standard (PCI-DSS). This standard address card issues and ensures secure data storage, processing and transmission. Although it was developed in the USA, and has global implications since card providers (VISA, Mastercard) operate in many countries. The aim of the standard is to reduce credit card fraud and improve the protection of card users. Any institution or provider of means of payment must comply with this standard.

• SWIFT CSP (SWIFT Customer Security Program): SWIFT’s Customer Security Program (CSP) helps financial institutions ensure their defenses against cyber-attacks are up-to-date and effective, to protect the integrity of the financial network. Any financial institution using SWIFT services must comply with the SWIFT SCP requirements.

1.2  General or Multisectoral

• An international data security standard, not specific to the financial sector, but also critical to it is the ISO 27001. It is a standard for information security approved and published as an international standard in October 2005 by ISO (International Organization for Standardization) and by IEC (International Electrotechnical Commission). It specifies the necessary requirements to establish, implement, maintain, and improve an information security management system (ISMS) and affects financial institutions in addition to other sectors.

On the other hand, there are local banking and financial services regulations. We are going to highlight some of them.

2. European regulations

2.1  Specific for the financial sector

• PSD2 (Payment Services Directive 2): It is a Directive of the European Union to regulate payment services and payment service providers of the European Union (EU) and the European Economic Area (EEA). The key objectives of the PSD2 Directive are to create a more integrated European payment market, making payments more secure and protecting consumers.

• PSD2-RTS (PSD2 Regulatory Technical Standards): The European Commission published at the end of 2017 a delegated regulation on Regulatory Technical Standards (RTS) that details the responsibilities and obligations of payment agents. The RTS lists the specific protocols to protect customer communication and data. The RTS requires the use of electronic identification, authentication and trust services (eIDAS).

2.2  General or Multisectoral

• EU-GDPR: The General Data Protection Regulation (RGPD) is the European regulation regarding the protection of natural persons about the processing of their personal data and the free circulation of these data. It is a regulation at the European Union level, so any company, including financial services companies, of the Union, or those companies that do business in the European Union, that handle personal information of any kind, must adhere to it. Fines for non-compliance with the RGPD can reach 20 million euros.

• NIS Directive (Network and Information Systems Security): Provides legal measures to increase the global level of cybersecurity in the European Union, ensuring the preparedness of Member States, requiring them to be properly equipped (with cybersecurity incident response teams – CSIRT, national authority competent NIS); promoting the cooperation of the Member States through the creation of cooperation groups; increasing the culture of safety in all sectors vital to the economy and highly dependent on ICT (Energy, Transport, Water, Banking, Financial Services, Health and Digital Infrastructure). The new European cybersecurity strategy includes two directive proposals: one to establish a common level of cybersecurity in the Union (called ‘NIS2’) and the Critical Entity Resilience Directive.

3. US financial regulations

3.1  Specific for the financial sector

US regulations cover transactions, data storage, fraud, and money laundering. Some of them are highlighted below, however, there are many more specific laws across the country.
 

• GLBA (Gramm-Leach-Bliley Act): Also known as the Financial Services Modernization Act. By law, companies must inform consumers about data protection measures and how their data is shared. Additionally, GLBA compliant companies must give consumers the option to opt out of sharing data with third parties. Protected account activity is also tracked to ensure fraudulent activity is detected as soon as possible.

• SOX (Sarbanes Oxley Act): This law describes best practices that can prevent organizations from processing fraudulent financial transactions. It specifies which financial records should be stored, for how long, and how they should be protected. This law is applicable to all public companies registered by the US Securities and Exchange Commission.

• FINRA (Financial Industry Regulatory Authority): This is not a regulation per se, but an independent non-governmental organization that provides guidelines and sets requirements for US stock brokers. FINRA’s key requirements include having written data protection policies for prevent compromise of consumer data. FINRA also describes the rules for detecting and mitigating cyber threats.

• BSA (Bank Secrecy Act): The Bank Secrecy Act is a law intended to prevent financial organizations from being used to hide or launder money by verifying the legitimacy of currency transactions. Since cybercriminals use data manipulation tactics to tamper with currency records, many auditors will also analyze an organization’s cybersecurity system when conducting an assessment. Additionally, auditors will review an organization’s incident response plan to ensure that, in the event of a breach, appropriate steps are taken to contain all threats.

• MOBILE Act. (Making Online Banking Initiation Legal and Easy Act; Repeal of the Dodd-Frank Act): Allows banks to onboard customers through an easier online verification process. For example, potential customers can scan a form of identification (eg, passport) and use an electronic signature for confirmation. This new law overrides the previous limitations imposed by the Dodd-Frank Act.

3.2 General or Multisectoral

NIST Cybersecurity Framework (National Institute for Standards and Technology): NIST created a comprehensive threat management framework for all industries. The framework can be adapted to the needs of each business. However, NIST specifically highlighted regulations for the healthcare, financial, and retail industries. Financial institutions report to the Financial Industry Regulatory Authority (FINRA) and NIST guidelines go hand in hand with the requirements of the Financial Industry Regulatory Authority (FINRA) of the processes and controls necessary to manage and mitigate cybernetic risks. Authentication controls, internal risk assessments, and vulnerability disclosures are included.

4. Other national regulations

In many countries there are specific security frameworks for financial entities (eg India – Digital Payment Security Controls, Saudi Arabia – SAMA Cyber Security Framework), Peru – Resolución SBS Nº 504-2021, etc.), or multisectoral (Spain – National Security Scheme, Regulation for the Protection of Critical Infrastructures, France – CIIP Framework, etc.) that also have a direct impact on public financial institutions in addition to other institutions such as critical infrastructures.

Five good practices to facilitate regulatory compliance in the financial sector

The previous regulations and standards impose various security requirements on financial institutions that cover multiple areas of the organization. However, we can facilitate regulatory compliance in this sector with the following good practices:

1. Encrypting sensitive data: These regulations do not mandate the use of a certain product, but they do require or recommend data encryption as an effective mechanism to protect sensitive information (financial, personal data, etc.). If data is stolen, exfiltrated, lost, it will not be accessible if it is encrypted. Efficient encryption works to protect data at rest, in transit, and in use.This way you can minimize the risk of sensitive data leaks.
2. Applying an access control to each resource: SFollowing the principle of least privilege security, we should only give access to sensitive data to whoever should have it. And if possible, limiting what you can do with them (just view, edit, print, copy and paste, etc.). The Zero-Trust security framework, very used now, follows this same recommendation of limiting access only to the necessary users on any resource of the organization, including confidential files and data.
3. Auditing access on sensitive data: In order to generate alerts and risk indicators on sensitive data, it is necessary to be able to monitor access to them, wherever they are. This information traceability will always allow you to know how the data is used, if someone is trying to access without permission or unprotect it and if there is a risk of information leakage.
4. Controlling information in third parties (suppliers, subcontractors, etc.): As indicated at the beginning of this article, a weak link in the security chain is the management of our data by third parties. We can control our systems and security, but it is difficult to control that of a third party such as suppliers or subcontractors. If there is a security leak in them, this can affect us and we will be at risk of breaking the regulations.
5. Educating Users: Another of the weakest links in the organization in terms of information security are the end users. We must educate and train them to carefully manage the organization’s sensitive data. It is necessary to extend a culture of security within the organization, so that users know when they are managing sensitive data and how to protect it.

A data-centric security solution such as SealPath can help Financial Institutions in implementing and complying with regulations, complementing other measures. SealPath allows to protect data both inside and outside of the organizations. The organization will have its most important documents under control, limiting who can access, with what permissions (only view, edit, print, etc.), from what networks or IPs, in what time frame, etc.

In addition, it has advanced controls for traceability and monitoring that can help identify risk situations on corporate data. Also, through its revocation functionalities it can virtually destroy information when necessary by preventing anyone, or certain users or groups from accessing the data.

SealPath is a leader in the field of data-centric cybersecurity, allowing companies to protect and have their most sensitive data under control wherever they travel. SealPath helps organizations of all sizes and sectors, including financial entities and multinationals, to keep their data safe and comply with different data privacy and security regulations. To find out how SealPath can help you protect your data at rest, in transit and in use, feel free to download our datasheet here.

You can see the original article here.