The financial services sector is one of the most heavily regulated industries in the world, with controls imposed by government and industry bodies on many aspects of operating within the sector. That should come as no surprise, given the wealth of data held by banks and other institutions on organizations and individuals, not to mention the wealth itself. There are many regulations that include cybersecurity requirements too. Let’s look at some of those briefly.
Cybersecurity Regulations in the United States
Cybersecurity regulations in the United States for financial services organizations include requirements to capture and retain data, protect sensitive and confidential data held on organizations and individuals, and develop a set of effective protections against cybersecurity threats. Examples include:
- SEC (Securities and Exchange Commission)
The SEC requires business communications of certain groups to be captured, supervised, and archived. Electronic recordkeeping is permitted and there are strict requirements around immutability and accessibility. The SEC does not take kindly to firms deliberately circumventing data retention requirements—e.g., the recent $125 million fine against JP Morgan Chase for use of WhatsApp and personal email accounts to transact business.
- FINRA (Financial Industry Regulatory Authority)
FINRA requires that policies and controls are established over how data is captured, managed, and protected. Firms must conduct regular assessments of cybersecurity readiness, actively monitor for insider trading (use of unsanctioned communications apps can signal activities with nefarious intent), and strictly retain certain business records for up to seven years, among others.
- PCI-DSS (Payment Card Industry Data Security Standard)
Organizations that accept credit card and debit card transactions must comply with the PCI standard, which focuses on how card and transaction data is protected during transmission and storage.
- New York’s Cybersecurity Regulation
The Department of Financial Services in New York requires most financial institutions to enact a comprehensive cybersecurity policy, identify all internal and external cybersecurity threats, and have the right solutions in place to defend against identified threats. Detection and recovery capabilities are also required, along with regular reporting.
- NCUA (National Credit Union Administration)
Cooperative credit unions that are federally insured need to meet cybersecurity regulations from the NCUA. Regulations cover areas such as developing a comprehensive written security program (including confidentiality and integrity of member records), reporting major incidents and disasters (that are projected to disrupt member services for more than two consecutive business days), and notification of data breach incidents. Federally insured credit unions undergo a periodic review by the NCUA of their information security program; the review must take place at least every 20 months.
- FFIEC (Federal Financial Institutions Examination Council)
The FFIEC offers guidance to financial institutions on a range of cybersecurity topics in the spirit of raising awareness of cybersecurity risks and threats. While its statements do not generally impose regulatory expectations, its materials and approaches have become influential standards for financial institutions and align with the regulations issued by its member agencies in the federal government, including the Board of Governors of the Federal Reserve, NCUA, the Federal Deposit Insurance Corporation, and others.
- Reporting data breaches and cyber incidents within 36 hours
A new federal rule, effective from April 1, 2022, requires banks to disclose data breaches and cyber incidents within 36 hours if they will disrupt or degrade—or threaten to do so—the ability of the bank to perform banking operations or deliver its products and services. Service providers to banks are required to notify their bank customers of similar incidents as soon as possible.
- State-level data protection requirements, e.g., California, Virginia, Colorado
While not specific to the financial services sector, emerging state-level data protection regulations in California, Virginia, and Colorado impose heightened requirements on how the personal data of consumers is captured, stored, protected, and used. Organizations holding covered data must extend certain rights to data subjects.
Financial institutions are audited regularly, with cybersecurity readiness a key assessment criterion. You can read more in our blog: Federal Regulations All Banks and Financial Services Should Know.
The Push for Operational Resilience
Financial services industry regulators across the globe (e.g., United States, United Kingdom, Basel Committee on Banking Supervision) are driving an operational resilience agenda across the sector. The United States Federal Reserve defines operational resilience as “the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.”
The growth in cyberattacks—especially ransomware against critical infrastructure—has raised the risk of the financial system being rendered non-operational. If financial applications are rendered useless due to distributed denial-of-service attacks or unwanted encryption through ransomware, individual customers and the economy at large are hampered at best or prevented at worst from completing financial transactions. While financial resilience remains essential, which means banks and other financial organizations having sufficient reserves to function through lean times, the two types of resilience are increasingly intertwined. A country’s financial system can be more easily destabilized by disrupting the operational capability of its financial institutions and technology partners, either due to attacks by malicious external actors or irregular and devastating events. Such destabilization can be manipulated on a quicker and easier timeframe by threat actors than waiting for the next cycle of systemic financial weakness to hit.
MFA Supports Federal Financial Regulations
The financial services and banking industry can benefit from multi-factor authentication approaches. MFA supports federal financial regulations and when combined with Single Sign-On (SSO) and Identity-Bound Biometrics (IBB), financial institutions have a secure solution in place without adding user frustration.
To learn more about how organizations like yours are reacting to MFA, read our eBook about the State of MFA here.