The Financial Services industry tends to be at the cutting edge of technology, and as a result, is often the group to be ahead of the curve of both its benefit and hazards. Whether it’s faster transactional processing in support of gaining even the slightest edge in trade execution or leveraging big data to gain unprecedented insights, financial services is the place to be. On the other hand, the power of all that technology and data has also led to businesses running the risk of exposing customer’s data and committing fraud.
Heists such as the $81 million stolen from the Bangladesh central bank and $6 million from the Russian bank have only heightened the attention. These risks have not gone unnoticed by the regulators. The Federal Financial Institutions Examination Council (FINRA), Office of the Comptroller of the Currency (OCC), Financial Industry Regulatory Authority (FINRA) and other regulatory bodies have been at it for a while. More recently, New York State Department of Financial Services (NYS DFS), SWIFT and the SEC have gotten in the act and soon the European Union. For those trying to comply, especially smaller entities, it can be a daunting web of compliance that can end up overshadowing the cyber risk management that it is trying to promote. Interestingly, they each have related, but somewhat different areas of focus.
NYS DFS took an overarching approach that requires financial services organizations large and small that operate in the state of New York to establish a cyber security program. At the heart of it, DFS requires a comprehensive risk-based program of management oversight, policies, procedures, tools and technologies that are best suited to protect each company, as well as its customer and shareholders. Rounding out the regulation are a 72-hour breach disclosure requirement and a certification of compliance with the regulation. As of March 1, covered financial institutions are accountable for much of the regulation's mandates, with the rest taking effect in September 2018 and March 2019. Penalties have not been specified, but are expected to be in line with other DFS regs.
SWIFT’s Customer Security Controls Framework of 16 mandatory controls, which took effect in January 2018, is primarily focused on protecting the network and its participants. Many of its requirements, like multifactor authentication, continuous monitoring, and anomalous behavior detection overlap with DFS and other regulations and frameworks. However, SWIFT operates in many countries outside the US, many of which have far fewer regulations and are often generally less sophisticated and less resourced when it comes to security. In addition to potential sanctions, such as suspension from the network, SWIFT’s publication of compliance attestations to others on the network creates a peer pressure effect that allows participants to know who they are transacting with, so they can manage their risk exposure accordingly.
The SEC’s recent guidance covers all public companies, not just financial services, but is notable in that it frames cyber as an operational risk like any other. In line with that concept, public companies are required to mitigate, manage and disclose operational risks that have or are likely to materially impact the company. It is a recognition of the significance of cyber as an operational risk, but at the same time highlights the fact that operational risk management has long been a requirement and a best practice. The guidance specifically also calls out the need to put the appropriate controls in place to prevent insider trading by individuals that may have knowledge of a breach ahead of the public markets. An issue that has come to light after recent breaches. While the SEC cyber guidance does not call out specific penalties related to cyber, it reiterates reporting requirements that have been in place with regard to disclosure requirements of operational risks.
Finally, the upcoming Global Data Protection Regulation (GDPR) out of the European Union, is not focused on cyber security, but on protecting the privacy rights of EU citizens. It recognizes that a person’s personal data is their own and requires companies to ensure the protection of the data of those citizens throughout their lifecycle and processing. In addition to protection of that data, features like the “right to forget” and “data portability”, requires those holding and processing the personal data of EU citizens to be able upon request to delete all vestiges of that data or provide it to the subject. Of all the recent cyber regulatory requirements, GDPR presents unique challenges, in that companies need to have a real handle on where this data resides and how it is processed. Not a simple task. GDPR takes effect May 25 and has associated penalties of up to 4% of annual global revenue. Many are waking up late to the game to get into compliance with GDPR, and as you would expect with such significant penalties, are scrambling to make sure they do.
Is all of this regulation necessary? How are financial services industry and other companies supposed to comply while focusing on their primary businesses?
While you would think that the financial and operational risk to their businesses would motivate leaders to make the investment and take the necessary steps to secure their environments, the many significant but preventable breaches over the past few years indicates otherwise. Nearly every industry, especially financial services, has recognized the need for regulation as motivation for participants to do the right thing. It would have been great if all the regulatory bodies across government and industry would have coordinated their efforts to create one uber framework, but the need for each group and jurisdiction to cover their own bases, led to where we are today.
While this does create an additional compliance burden to ensure all the boxes are checked, it should not create much of an additional load for the security practitioners on the front line. In most cases, nothing being mandated is much different than what needs to be done anyway. The establishment of a comprehensive risk based program will cover most of the bases across all the regulations. With deadlines already passed and threats knocking at everyone’s door, there is no time to pause and start from scratch to establish a ground up program. Financial industry leaders of companies that are behind the curve, need to take a triage approach, much like a chief information security officer hired by a company that has recently suffered a major breach. Start with the basics. Take stock of where your information assets reside, their current security posture and the impact of their losing confidentiality, integrity or availability. A risk based approach is one that understands assets, their business impact and their intersection with threats and vulnerabilities. To make the most of your resources, not all assets should be treated equally. At the same time, security needs to be promoted as a core value of the organization, just like financial management and customer service. Make it a core part of each individual’s goals and objectives.
There is obviously a lot of heavy lifting to do around people, process and technology, but Rome was not built in a day and that is certainly the case with corporate transformations. Stay laser focused on the right priorities each and every day, and over time, you will work your way down the list. Having a structured risk based plan will also go a long way when the regulators come knocking. Remember security is not something you take care of once and move on. It is a daily ongoing process that needs to be managed constantly and reinvented periodically.