The data security standards and regulations for the financial sector are many and can be overwhelming for banking and financial service firms. In this blog we will cover some details of those standards and regulations and address how they can help your business thrive.
Who do financial regulations apply to?
Banking and financial firms that transmit, process or store critical financial data such as credit card information, tax documents, and financial statements need to safeguard that data to protect their reputation and their relationship with their valuable consumers and customers. With firms in the financial services industry owning and storing sensitive information on their laptops, servers, mobile devices, networking, storage and other information technology solutions, they present a minefield of risks and vulnerabilities waiting for a breach to happen. These firms typically include Independent Financial Advisors, commonly referred to as Registered Investment Advisors (RIAs), fee-only advisors, Broker Dealer reps or Independent Financial Advisor contractors that have an independent contractor relationship with a Broker Dealer, and Chartered Public Accountant (CPA) firms. Given the real threat of breaches and hacks, regulatory organizations such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) and state securities boards have issued compliance standards for these financial entities.
PCI – Payment Card Industry
PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. The standards globally govern all merchants and organizations that store, process or transmit this data, and include specific requirements for software developers and manufacturers of applications and devices used in the transaction process.
PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards and store, process, and/or transmit cardholder data. The PCI DSS standard presents common-sense steps that mirror security best practices you can follow to minimize the threat of data compromise and maintain customer trust.
Many organizations treat compliance as a one-time, annual event. However, focusing only on an annual compliance assessment can create a false sense of security. It is only by achieving and then maintaining compliance that your cyber defenses will be adequately primed against attacks aimed at stealing cardholder data.
PCI compliance is a continuous process, as shown in the three-step cycle below.
- Assess. Process of taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
- Remediate. Process of fixing the vulnerabilities.
- Report. Compiling and submitting records required for compliance validation to the appropriate acquiring bank and card brands.
If PCI compliance is applicable to your business, becoming PCI compliant is extremely helpful for reducing potential cybersecurity risk, boosting customer confidence, protecting your clients and increasing your organization's security program maturity.
NY DFS – New York Department of Financial Services
New York State's Department of Financial Services (DFS) has put in place a rigorous, first-in-the-nation cybersecurity regulation for financial institutions and others that do business in the state. The rules, called 23 NYCRR 500, were released on February 16th, 2017 after two rounds of feedback from the service industry and the public. Covered institutions must adhere to many of the new requirements as of August 28, 2017. The requirements from DFS go beyond what we've historically seen from regulators and apply to all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. Examples of covered entities include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
Banks, insurance companies, and companies that do business in New York must now assess their cyber risks, implement a comprehensive, written cybersecurity program, as well as manage the cyber risks of their third-party vendors. The groundbreaking regulation holds company board members personally liable for annual compliance certification.
At a high level, the regulation requires that all covered entities:
- Conduct a documented risk assessment
- Establish a risk-based cybersecurity program
- Adopt a written cybersecurity policy
- Designate a qualified CISO
- Implement written third-party cyber risk policies
- Establish a written incident response plan
- Notify the superintendent of DFS of any cybersecurity events
- Submit an annual certification of compliance
At minimum, covered entities need to implement the following controls and keep them operating to stay compliant:
- Information Security
- Data Governance and Classification
- Asset Inventory and Device Management
- Physical Security and Environmental Controls
- Disaster Recovery planning
- Systems and network security
- Regular risk assessment
- Third-Party Vendor Management
- Board Education
SEC – U.S. Securities and Exchange Commission
In February 2018, the U.S. Securities and Exchange Commission (SEC) unanimously approved the issuance of guidance on cybersecurity disclosure requirements under federal securities laws for public operating companies. The guidance addresses the requirements to ensure that companies provide more complete information to investors about cyber risks and incidents. It requires companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.
The main focus of the updated SEC guidance is the need for the board of directors and executive officers of a financial institution to review their cybersecurity controls and procedures to ensure that they're making any required disclosure of cybersecurity risks and incidents in the appropriate time frame. Given the recent magnitude and cost of cyber incidents, public companies should take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyberattack.
In addition, the SEC guidance emphasized that if investors are not informed about security incidents, not only should companies expect class action suits, but the SEC is going to track and monitor companies' compliance with their disclosure obligations.
The SEC guidance noted that the responsibility for clear and expedient disclosure falls under the purview of board directors. The board is responsible for ensuring that the organization has appropriate disclosure controls and procedures to make accurate and timely disclosures of material events. This helps investors grasp the impact of a cyber incident on the organization and its business, finances, operations and, of course, liability.
The guidance represents a meaningful progression in the SEC's approach to cybersecurity disclosures and related corporate governance, risk management and compliance. Even though the guidance did not make significant changes to the existing SEC disclosure guidance on cybersecurity, it places the following more technical requirements on financial companies regulated by the SEC.
- Proactive Assessment of vulnerabilities and management
- Defensive measures to reduce cybersecurity risk
- Detection of cybersecurity incident
- Recovery and continuity plan
- Incident response and handling of disclosure
CFTC – Commodity Futures Trading Commission
The Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) define rigorous and explicit requirements for organizations that elect to retain books and records on electronic storage media. Given the prevalence of electronic retention of books and records, these requirements apply to most broker-dealer and commodity futures trading firms and other support organizations with regulated functions or operations.
In 17 CFR 240.17a-3 and 240.17a-4, the SEC stipulates recordkeeping requirements, including retention periods, for the securities broker-dealer industry. Broker-dealers are allowed to preserve records on electronic storage media, and Rule 17a-4 defines the term electronic storage media as any digital storage medium or system. Under Rule 17a-4, electronic records must be preserved exclusively in a non-rewriteable and non-erasable format; the SEC's interpretation further clarifies that broker-dealers must employ a storage system that prevents alteration or erasure of the records for the required retention period. WORM (write once, read many) media is used to comply with the rule. Records must be retained and indexed on the indelible media for a period of six years, with immediate accessibility for the first two years. Duplicate records must be kept for the same period at an off-site location. In summary, the rule:
- Requires written, enforceable retention policies
- Insists on searchable index of all data stored
- Necessitates data be viewable and readily retrievable
- Offsite storage of data
- Storage of data on WORM (write once read many) electronic media
- Designation of a third party consultant (D3P) and filing of required letters of notification and representation
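The retention controls just listed, modelled as a small write-once record store. This is an added illustration, not code from the SEC, the CFTC or any vendor; the ISO-date inputs, the keyword index, the off-site mirror and the six-year / two-year constants are assumptions that follow the summary above.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION = timedelta(days=6 * 365)         # six-year retention period, as summarised above
IMMEDIATE_ACCESS = timedelta(days=2 * 365)  # readily accessible for the first two years

@dataclass(frozen=True)      # frozen: a stored record cannot be altered in place
class Record:
    record_id: str
    written_on: date
    body: bytes
    sha256: str              # digest lets an examiner verify that a copy was not altered

class WormStore:
    """Write-once store: records are added, indexed and read, never rewritten, and never
    erased while under retention. Every write is duplicated to an off-site store."""
    def __init__(self, offsite=None):
        self._records, self._index, self._offsite = {}, {}, offsite   # index: keyword -> ids

    def write(self, record_id, body, keywords, today):
        if record_id in self._records:
            raise PermissionError(f"{record_id}: already stored; rewriting is not permitted")
        rec = Record(record_id, date.fromisoformat(today), body, hashlib.sha256(body).hexdigest())
        self._records[record_id] = rec
        for kw in keywords:
            self._index.setdefault(kw.lower(), set()).add(record_id)
        if self._offsite is not None:       # duplicate kept at the off-site location
            self._offsite.write(record_id, body, keywords, today)
        return rec

    def search(self, keyword):
        return sorted(self._index.get(keyword.lower(), ()))

    def read(self, record_id, today):
        rec = self._records[record_id]
        age = date.fromisoformat(today) - rec.written_on
        return rec, ("immediate" if age <= IMMEDIATE_ACCESS else "archive")

    def erase(self, record_id, today):
        if date.fromisoformat(today) - self._records[record_id].written_on < RETENTION:
            raise PermissionError(f"{record_id}: under retention; erasure is not permitted")
        del self._records[record_id]
        for ids in self._index.values():
            ids.discard(record_id)
```

Any attempt to overwrite an existing record id, or to erase a record before its retention period has run, is refused with a PermissionError; after two years a read is reported as coming from the archive tier rather than immediate access.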
FINRA – Financial Industry Regulatory Authority
The Financial Industry Regulatory Authority (FINRA) is also ramping up on their commitment to assist the industry in its cybersecurity compliance efforts. Recent guidance to the industry from FINRA includes:
- An Examination Findings Report, detailing observations from recent broker-dealer examinations with the goal of assisting broker-dealers in enhancing their compliance programs and better anticipating potential areas of concern (FINRA selected the compliance areas to highlight based on the frequency of deficiencies and the potential impact on investors and markets); and
- The 2018 Regulatory and Examination Priorities, in which, notably, FINRA instructed firms to review the priorities in conjunction with the Examination Findings Report.
FINRA called out cybersecurity, in its Examination Findings Report, as one of the principal operational risks facing broker-dealers. While acknowledging the increased threats today, FINRA noted that firms have generally increased their focus on cybersecurity issues and some firms examined are at the forefront of developing cutting-edge cybersecurity programs.
FINRA detailed the areas in which its examinations found firms' cybersecurity programs to be either effective or deficient. Reviewing both the positives and the negatives provides valuable information for firms looking to bolster their cybersecurity programs.
Examples of Effective Practices Include:
- Escalation Protocols: Have an escalation process that ensures the appropriate level of management at the firm is apprised of issues, so that they receive attention and are resolved.
- Plans to Resolve Issues: Implement detailed resolution steps and timeframes for completion.
- Routine Risk Assessments: Conduct regular risk assessments, including vulnerability and penetration tests.
- Routine Training: Conduct training for firm employees, including training tailored to different functions, in addition to generic cross-firm training.
- Branch Office Reviews: Include cybersecurity focused branch exams to assess risks and identify issues.
- Additional Practices: Implement security information and event management practices, use system usage analytics, and adopt data loss prevention tools.
GLBA – Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999. It is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. To be GLBA compliant, financial institutions must communicate to their customers how they share the customers' sensitive data, inform customers of their right to opt out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers' private data in accordance with a written information security plan created by the institution.
The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements issued by the FTC's Privacy of Consumer Financial Information Rule (Privacy Rule), created under the GLBA to drive implementation of GLBA requirements. The GLBA is enforced by the FTC, the federal banking agencies, and other federal regulatory authorities, as well as state insurance oversight agencies.
SOX – Sarbanes-Oxley Act
In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures. The act sets deadlines for compliance and publishes rules on requirements. Congressman Paul Sarbanes and Michael Oxley drafted the act with the goal of improving corporate governance and accountability, in light of the financial scandals that occurred at Enron, WorldCom, and Tyco, among others. It has been more than 16 years since the initial passage of the Sarbanes-Oxley Act (SOX) of 2002 and, even today, many organizations still struggle to fulfill their auditing and compliance requirements. The stated goal of SOX is to protect investors by improving the accuracy and reliability of corporate disclosures. Given that an organization's IT infrastructure is the backbone of how it communicates, it makes sense that compliance with SOX should require introducing broad information accountability measures.
A full SOX audit of the IT controls needs to be done to give shareholders assurance that no fraudulent practices are taking place. Hence, it is vital that the SOX audit work is completed with due diligence, professionally and in line with the applicable quality standards.
Generally, there are three parties involved in SOX testing
NCUA – National Credit Union Administration
This year, the NCUA will begin using a new tool to help its examiners assess a credit union's level of cybersecurity preparedness. Called the Automated Cybersecurity Examination Tool, it provides the NCUA with a repeatable, measurable and transparent process that improves and standardizes its supervision related to cybersecurity in all federally insured credit unions.
Developed in 2017, the Automated Cybersecurity Examination Tool mirrors the FFIEC's Cybersecurity Assessment Tool, which was developed for voluntary use by banks and credit unions. Just like the FFIEC's tool, the Automated Cybersecurity Examination Tool consists of two parts: the Inherent Risk Profile and the Cybersecurity Maturity level.
The Inherent Risk Profile in the tool helps determine a credit union's exposure to risk by identifying the type, volume, and complexity of the institution's operations. The Cybersecurity Maturity portion of the tool is designed to help measure a credit union's level of risk and its corresponding controls. The levels range from baseline to innovative.
The Cybersecurity Maturity assessment includes statements to determine whether an institution's behaviors, practices, and processes can support cybersecurity preparedness within the following five domains:
- Cyber-risk management and oversight
- Threat intelligence and collaboration
- Cybersecurity controls
- External dependency management
- Cyber-incident management and resilience
There are many cybersecurity regulations applicable to the financial sector that help protect sensitive customer information. It is the responsibility of business owners to carefully review and implement these regulations so as to avoid the consequences of a breach. Don't feel like you have to do it all on your own. By selecting a qualified and reputable cybersecurity service provider to help you become compliant, you can have the assurance that you are properly implementing regulations and cybersecurity best practices — keeping your clients' data secure and at the forefront of how you do business.