For banks and financial institutions, failure to satisfy compliance regulations can cause business delays, lawsuits, fines, and tarnished reputations. An up-to-date source for real-life compliance risk examples in finance is available from the Carnegie Endowment for International Peace. It publishes a rolling timeline of financial cyberattacks and the means by which the intruders gained access to the systems. Read on for a primer on that report and a discussion of other dangers that may arise when financial organizations fail to comply with regulations.
Compliance Risks in Banking and Financial Services
Banking and financial service firms are prime targets for malicious attacks. Perpetrators can engage in direct data theft and sabotage, and they potentially have direct access to customer accounts. Compromising data security, privacy, or integrity means risking non-compliance.
In particular, five categories of regulatory risk examples are most pressing in finance:
- Data security risks
- Network security risks
- Access restriction risks
- Malware and virus risks
- Cybersecurity policy risks
Failure to comply with cybersecurity regulations could destroy a company’s reputation and wipe out its profits. Effective management, documentation, and training will help mitigate these risks.
Data Security Compliance Risks
Data breaches are often attributable to human error. Cyber risks don’t necessarily require a scenario in which hostile agents penetrate a network’s defenses. Sometimes the information is there for the taking. Take, for example, the September 2017 attack on Equifax, which impacted about 150 million customers through compromised information such as credit card numbers.
As a result, Equifax was fined $700 million for its astounding lack of compliance.
Investigators established that the company:
- Failed to install a critical patch on a known vulnerability
- Failed to segment network access, allowing intruders to travel anywhere on the network
- Failed to encrypt usernames and passwords
These data security compliance risks can lead to an attack like Equifax’s at any company.
Similarly, in March 2019, Capital One had 100 million records stolen. The data included account numbers, social security numbers, names, addresses, phone numbers, and birthdates; investigators found that a misconfigured firewall on an Amazon cloud server enabled the theft.
And in May 2019, First American Financial Corporation discovered that a web design flaw left 885 million customer records exposed. Anyone who encountered the URL from 2003-2019 could have retrieved the data. The link failed to restrict access to authorized users.
If your organization doesn’t have the means to evaluate your system for vulnerabilities like these, risk assessments by top security specialists are a great first step to staying compliant.
Network Security Compliance Risks
Each access point in a network is a potential target for a hacker. These access points became more prevalent when the COVID-19 pandemic forced many employees to work from home, and cyber risk increased exponentially. Companies had to react quickly to the changing landscape and may have neglected aspects of security as they struggled to keep their workers engaged.
For example, many at-home workers were not supplied with secure company laptops and used their own devices to connect to networks. On-site IT staffing shortages led some companies to move their applications and data to a cloud-based server. These organizations likely survived, but they also likely paid a steep price for failing to secure new work-from-home access points.
A recent survey conducted by CyberRisk Alliance of 1,102 IT and security specialists in 11 countries found that, since 2020, most have experienced one to five cyber incidents resulting in at least one breach—typically grounds for a non-compliance violation. Investigations discovered that the attacks originated from WiFi access points, employees’ personal devices, and the cloud. Forty-three percent of the organizations surveyed incurred at least $1 million in losses.
Cybersecurity measures are improving, but remote workers are expected to pose a threat of direct network attacks for the foreseeable future. Network attacks can also occur indirectly.
Third-Party Network Security Risks
Examples of regulatory risk in banking also include risks originating with outside vendors. Trusted third-party partners may be laxer in their compliance efforts than the financial organizations they serve. Unfortunately, each individual supplier’s access point is one more network vulnerability.
One example is the recent SUNBURST attack. SolarWinds by Orion is a cloud-based IT monitoring and administration software package used by thousands of global companies. During a routine update in 2020, a hacker gained access to the code and injected malware.
After the package was delivered to clients, the installation process activated the malware and allowed hackers to gather sensitive information. The extent of the damage is still unknown.
However, the entities thought to be impacted by the attack include but are not limited to:
- Credit Suisse
- The Federal Bureau of Investigation
- The Department of Homeland Security
- The Department of Defense
- The US State Department
- The Federal Reserve
It’s not known if all these organizations were affected, nor is it clear who perpetrated the attack, though some suspect it was Russian state-sponsored hackers. Orion has since changed its process for rebuilding updates, but organizations in every industry (but especially banks and financial organizations) need to account for Third Party Risk Management (TPRM).
Access Restriction Compliance Risks
Data must be protected from both external intruders and resentful current or former employees. This includes your digital and physical storage areas; access to both environments should be restricted on a need-to-know basis. Restricting access is a core component of most regulatory compliance frameworks. On networks, it is accomplished by segmenting access so that intruders are not able to traverse the entire system from a single point of entry. Likewise, in a data center, someone may be able to access centrally located monitors but not the locked server room.
Failing to implement protections like these can lead to massive compliance and security risks.
In June 2019, a Desjardins credit union employee stole 4.2 million records, resulting in $108 million in damages and an additional $201 million to settle a class-action lawsuit. The theft occurred over a two-year period before it was detected. A Canadian privacy commission reported that the data had been stored in warehouses that had restricted access. However, employees routinely copied the data onto an unrestricted shared drive for work purposes.
And in March 2022, TransUnion SA had about 3 million records stolen due to a malware attack. The criminals demanded a $15 million ransom, which the company refused to pay. It’s been reported that the hackers accessed an account by using “Password” as the password. Unfortunately, experts say that this is one of the most common passwords in use today.
To prevent these kinds of risks, strong passwords and Multi-Factor Authentication (MFA) should be prominently featured as an enterprise-wide requirement for access to any confidential data.
Malware Prevention Compliance Risks
Malware is a general term for malicious software that is designed to infiltrate, damage, or control computers and networks. It is used to steal login credentials, freeze data access, steal stored information or currency, and shut down operations. Compliance frameworks typically require the use of anti-malware protections, and malware attacks can lead to non-compliance.
One particularly dangerous kind of malware for the financial industry is the “trojan” variety, which disguises itself as a legitimate program. In late 2021, a banking trojan called SharkBot appeared on the scene. It targets international banks and can transfer funds and cryptocurrency from one account to another, infecting phones when an infected app is downloaded. Any inappropriate transfer of users’ funds (or information) is a potential instance of non-compliance.
To prevent these kinds of threats to your security—and compliance—consider:
- Installing anti-virus software
- Installing anti-ransomware software
- Encrypting all sensitive data
- Backing up data in a secured location
Because malware is such a danger and evolves so quickly, bank regulators and the Secret Service have worked together to develop a 16-question ransomware self-assessment. The IT staff at financial institutions are asked to complete this confidential document and share it with senior executives and the board of directors. The answers describe a company’s current ability to identify, repel, or recover from a malware attack, along with gaps that need to be remediated.
Cybersecurity Policy and Compliance Risk
Finally, there is the general category of cybersecurity policy. These risks to compliance for banks and other financial institutions involve inadequate or out-of-date policies, along with failure to implement and enforce policies effectively. In particular, policy-level compliance risks revolve around implementation of regulatory frameworks, such as the Payment Card Industry (PCI) Data Security Standard (DSS), overseen by the Security Standards Council (SSC).
PCI compliance involves abiding by all 12 DSS Requirements, the last of which specifically defines how cybersecurity policies should be designed and deployed. In particular, the biggest considerations fall under the categories of management, documentation, and employee training.
Cybersecurity Policy and Management
Someone who has the authority to enforce policies must be in charge. This individual should either be a Chief Information Security Officer (CISO) or report directly to a senior executive.
Typical responsibilities for a CISO include:
- Overseeing the drafting and updating of cybersecurity policy documents
- Building a cybersecurity team
- Maintaining an Incident Response system
- Raising cybersecurity awareness within the company
While larger banks and financial institutions will often already have an individual in this role, smaller credit unions and local banks may not. And in these cases, a virtual CISO (vCISO) may step in to ensure the same level of security and compliance—often for a fraction of the cost.
Failing to fill the CISO role, traditionally or virtually, will lead to a lack of accountability. That in turn can cause chaos, fines, reputation damage, and even criminal charges in the worst cases.
Cybersecurity Policy and Documentation
A cybersecurity policy document should present a detailed accounting of a company’s hardware, software, and managerial oversight for each component. The flow of clients’ data through the company’s own systems, as well as through third-party systems, should be clearly identified. Network access points are potential cyberattack targets that need to be identified and monitored.
Contingency plans for system disruptions should also be documented and updated as your technology evolves. Management for passwords, access levels, email policies, data encryption, and incident reporting should be clearly laid out and managers assigned. All of these factors need to match applicable regulatory requirements both in implementation and documentation.
Effective, compliant policy depends upon effective reporting and recordkeeping at all levels.
Cybersecurity Policy and Employee Training
Examples of compliance risk in business often share a common component: attacks are usually initiated when an employee violates standard security protocols, accidentally or otherwise.
So, to prevent compliance incidents, employees should be instructed on how exactly to:
- Protect the confidentiality of company data
- Protect their personal and company devices from theft and viruses
- Notify management if alert messages or other abnormalities occur while computing
- Create strong, unique passwords (and update them frequently)
- Not install unauthorized software on company computing devices
- Avoid clicking on unknown browser links
- Recognize scams and not use company email addresses for personal business
Not all threats originate with external malicious actors. Employees should be encouraged to report any suspicions that a fellow employee or contractor has gained unauthorized access to a physical or digital site. Effective cybersecurity awareness training should include activities like incident response tabletop exercises to assess employees’ responses in real time.
Mitigate Compliance Risks for Your Organization
The compliance risk examples detailed above are threats every organization in the banking and financial services industry needs to be aware of and prepare for. Any lapse in security strategy, implementation, or management could result in sensitive data being compromised—along with your compliance, reputation, and potentially your solvency. Companies are improving their cyber defenses, but this is not the time for complacency. Sophisticated state-sponsored attacks may increase in the near future as foreign relations grow increasingly strained. Canada is funding efforts to develop protection against attacks from quantum computers, and it’s believed that these futuristic computers may be able to break even thoroughly encrypted data.
One way to safeguard against these and all compliance risks is assessment.
And one compliance risk assessment example RSI Security can perform is a gap assessment, which identifies and addresses your current or potential weaknesses, preventing a risk from becoming a full-blown attack or incident. Contact us today to start rethinking your security!