Cybersecurity Regulations for Financial Industry
Regulators are required to respond to changes and emerging technologies in both the financial and IT sectors, to take into account the opinions and interests of citizens and business participants, and to reflect all of this in regulations, laws and standards. As a result, the regulation of the financial sector becomes more complex, voluminous and strict every year.
That is why it is becoming increasingly difficult for businesses to operate within the legal framework and adhere to strict cybersecurity regulations and financial data security rules while protecting their business and assets. In this article, we look at a few general questions and at some of the most significant laws and standards that affect cybersecurity and data security in the financial sector. Read on to find out more.
What are security compliance standards?
Information security standards are mandatory or recommended documents that specify security requirements for information systems. They serve to increase the security of confidential information and assets, to ensure the competitiveness and quality of products and services, and to reduce potential risks in the face of cyber threats. Examples of such standards are ISO 27001 and PCI DSS.
Why does cybersecurity compliance matter for the financial industry?
The financial sector is one of the most vulnerable to cyberattacks, as banks and financial service businesses are a prime target for hackers and attackers. This is not only because financial companies handle large sums of money and securities, but also because these institutions collect and process a great deal of personal and confidential information about their clients.
Financial industry standards and laws
GDPR (General Data Protection Regulation) is an international law passed by the European Union (EU) to protect the rights of citizens and residents of EU countries and to prevent unauthorized or illegal processing of their personal information. This law applies to all companies that process the data of individuals from the EU.
The GDPR contains various security recommendations for both data processors and data controllers and describes the expected results of data management, but it does not specify any technical details about the methods or means by which the goals of the law should be achieved. Companies are therefore left to work out this issue for themselves, taking into account the specifics of their activities.
Among the main requirements and principles of the GDPR are:
- Personal data must be processed lawfully and obtained with the consent of the data subject;
- Information must be kept for no longer than is necessary to achieve the purposes for which it was collected;
- No more information should be collected than is necessary to achieve those purposes;
- Data must be accurate, complete and up to date, and updated in a timely manner where necessary;
- Personal data must be protected from unauthorized or unlawful processing, destruction, damage or loss.
The Revised Payment Services Directive (PSD2) is a European Union directive developed to regulate payment services and payment service providers in the European Union (EU) and the European Economic Area (EEA), with the goal of making online payments more efficient and secure.
Accordingly, PSD2 includes standards for the protection of online payments, strong customer authentication, risk analysis of transactions, and other regulations aimed at increasing the security of the customer data held by financial institutions.
This directive applies to all financial institutions operating in the EU. If you plan to do business in the financial sector in the EU, you must ensure that your company is also PSD2 compliant. Failure to comply with the directive can result in multi-million dollar fines.
ISO/IEC 27001 is an international standard that establishes requirements for the creation, implementation, maintenance and improvement of an enterprise information security management system (ISMS). Roughly speaking, this standard defines how to improve a company’s cybersecurity posture in any area of business.
Therefore, it is widely used to reduce security risks and protect information systems, as well as for certifying enterprises. ISO 27001 certification is especially relevant for financial institutions, as obtaining a certificate involves a significant increase in cybersecurity, improved security policies, and employee training.
Having a certificate allows you to attract the necessary investors and potential partners, as well as demonstrate to customers that you value and protect their personal data. An added benefit is that ISO 27001 compliance goes a long way in helping your business comply with the GDPR.
PCI DSS (Payment Card Industry Data Security Standard) is a data security standard for the payment card industry. It is used to reduce credit and debit card fraud, secure transactions, and protect the personal information of cardholders.
This standard must be followed by all businesses that accept cards from the card brands that founded the PCI SSC, process card transactions, or receive or process customer credit card information, including retailers and payment solution providers.
This is an extremely relevant financial standard for banks, payment systems, cryptocurrency exchanges and any other financial organizations. PCI DSS certification allows your business to achieve the best possible protection of customer personal data in this area.
The Bank Secrecy Act (BSA) is a US law that aims to prevent criminals from using financial institutions as tools to hide or launder their ill-gotten gains.
This law is one of the typical banking regulations: it requires banks and other financial institutions to provide documentation to regulators, such as currency transaction reports (CTRs). In this way, the BSA allows the authorities to reconstruct the nature of transactions and identify the most suspicious ones.
The Office of the Comptroller of the Currency (OCC) regularly reviews banks and other institutions for BSA compliance. The regulator expects banks to monitor the legality of all transactions, as well as to report all large transactions in excess of $10,000.
The Gramm-Leach-Bliley Act (GLBA) is a US law whose main purpose was to renew and modernize the financial industry by lifting the Glass-Steagall Act's ban on the provision of certain financial services by banks. In the context of this article, however, the law is interesting because it obliges financial institutions to protect consumer data and to fully disclose to customers how their data is shared.
That is, financial institutions must protect the security of customers’ personal information against any event that could adversely affect the integrity and security of this data. This includes strict rules on access to financial information. All businesses that provide financial services in the US must comply with the GLBA.
Two main principles can be distinguished in the provisions of the law:
- Financial privacy. Financial institutions are expected to notify their customers about how their personal data will be used and how it will be protected.
- Protective measures. Financial institutions should have a clearly structured plan by which information security is ensured.
The Sarbanes-Oxley Act (SOX) is another US law that is mandatory for all companies whose securities are registered with the US Securities and Exchange Commission (SEC), including US residents and non-residents whose shares are listed on US stock exchanges.
The essence of this law is that it protects investors from financial fraud by providing the necessary security procedures to prevent fraudulent financial transactions. The law also contains cybersecurity components that ensure that financial institutions deal with cybersecurity threats that could potentially adversely affect financial transactions.
The most important aspect of the law is the requirements for a company’s internal control system (Section 404). This Section requires the company’s management to evaluate the company’s internal control system and prepare a report on the status of this system. The report must show evidence that the company has adequate internal controls in place in relation to financial reporting.
Turning to securities trading, we should mention the American organization known as the Financial Industry Regulatory Authority (FINRA). This organization monitors compliance with the rules for trading in the OTC market and the market for securities that are not listed on US stock exchanges, and regulates the activities of brokers and financial portals (crowdfunding platforms, etc.).
FINRA establishes a set of rules to protect customer personal data from compromise and promotes controls to detect and mitigate cyber threats.
Thus, if you plan to do business in this area in the United States, you also need to familiarize yourself with the requirements of FINRA, and make sure that your company complies with them.
Roughly speaking, NIST 800-53 is the American equivalent of the ISO 27000-series of standards. The full title of this impressive 250-page document is NIST Special Publication 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations”. The essence of this standard lies in the description of security controls, as well as instructions on how to use them correctly.
NIST 800-53 contains a list of 110 requirements that relate to IT technologies, procedures, and enterprise policies. These requirements cover such things as: access control, system configuration, authentication methods, as well as cybersecurity protocols and incident response plans.
Each requirement contains a detailed explanation, which should help enterprises better understand the context, and, accordingly, better approach the implementation of the requirement in practice. Compliance with NIST 800-53 is mandatory for all US federal entities and their contractors. Private businesses can comply with NIST requirements on a voluntary basis.
The SWIFT Customer Security Programme aims to detect and prevent fraudulent activity through a set of mandatory security measures, namely 22 controls aimed at securing your system, restricting access, and detecting and responding to cyber threats.
In addition, the program contains cybersecurity regulations for banks and includes a descriptive guide to identifying the services and components that are in scope for compliance, the various types of component deployment architecture, a list of risks mapped to countermeasures, a list of example threat scenarios, a table relating SWIFT CSP goals to the requirements of the NIST Cybersecurity Framework, ISO 27002 and PCI DSS, and other information.
The Consumer Privacy Protection Act (CPPA/Bill C-11) is a set of reforms based on the European Union’s experience with GDPR that will, in effect, provide greater transparency on how companies use customer personal data.
Among the main requirements of the CPPA:
- Appropriate data processing — pursuant to Section 12(2) of the CPPA, the collection, use and disclosure of personal data is limited to appropriate circumstances. This point is largely in line with the principles of the GDPR, so we will not detail it;
- Meaningful consent — as in the case of the GDPR, the collection of personal information must take place after the consent of the data subject.
The CPPA involves significant fines (25M CAD, or 4% of the organization’s gross global revenue in its financial year). So far, this law has not been approved; in addition, the Canadian government is considering passing Bill C-27, a similar document which nevertheless still differs significantly from Bill C-11.
Therefore, it is not yet possible to say exactly what requirements companies will face. But enterprises already have a general picture of what awaits them, and can begin preparing for the reforms now.
Because regulations contain so many complex details, regulatory compliance for financial institutions is not as easy as it might seem at first glance, especially when it comes to cybersecurity and compliance in banking.
If you have any questions related to the subject matter of this article, banking compliance regulations or standardization, ESKA specialists are ready to assist you in solving your problems. Contact us right now to schedule a consultation or get more information about cybersecurity in the field of finance.