Cybersecurity Expectations for Financial Institutions
Social Security numbers, credit information, account balances, PINs, cardholder data, mailing addresses, email addresses – it’s all available to financial institutions. Attackers targeting financial institutions are not a new threat. In 1984, someone stole a credit file password from Sears for TRW Information Systems and posted it on an electronic bulletin board. This password gave access to a credit file containing names, addresses, birth dates, credit limits, and Social Security numbers of 90 million people, and that information could in turn be used to obtain credit card numbers.
As these types of organizations rely more and more on technology, they become bigger targets for malicious attackers. How can financial institutions protect themselves from cyber threats? What are the risk management and cybersecurity expectations for financial institutions?
Cybersecurity Expectations in the US
In March 2017, the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies Part 500 (NY CRR 500) of Title 23 went into effect, establishing new cybersecurity requirements for financial services companies. It states, “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.” NY CRR 500 requires that financial services companies (covered entities) develop a cybersecurity program that protects the confidentiality, integrity, and availability of sensitive customer information and information technology systems.
In February 2018, the US Securities and Exchange Commission (SEC) issued interpretive cybersecurity guidance, which builds upon the Division of Corporation Finance’s guidance from 2011, for public companies to follow when dealing with cybersecurity incidents and risks. The guidance says, “…the investing public and the US economy depend on the security and reliability of information and communications technology, systems, and networks… Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”
In September 2018, the National Cybersecurity Center of Excellence (NCCoE) released the NIST Cybersecurity Practice Guides SP 1800-5, SP 1800-9, and SP 1800-18, with a specific use case for the financial services sector.
The cybersecurity expectations for financial institutions continue to grow. In 2018, 24 states passed bills or resolutions related to cybersecurity. The legislative activity includes funding initiatives, public disclosure policies, promoting workforce training, and implementing improved cybersecurity practices. Outside of the US, we’ve seen the European Union implement GDPR, China implement The Cybersecurity Law, Singapore establish the Cyber Security Agency of Singapore, and the Brazilian National Monetary Council issue Resolution No. 4,658, among other legislation impacting cybersecurity expectations for financial institutions.
Best Practices for Cybersecurity Strategies
In the US alone, the majority of the cybersecurity guidance that’s been issued has similar recommendations: implement a cybersecurity policy, a formal risk assessment, and a formal way to manage third-party risk.
- The need for financial institutions to create and maintain a cybersecurity policy based on the findings from a risk assessment is an integral part of cybersecurity. Among other elements like business continuity, asset inventory, and physical security, this cybersecurity policy must include information about relationships with vendors and third-party service providers.
- Through a formalized risk assessment, organizations can determine what types of cyber risks face them and how dangerous those risks are. This intel gives organizations the ability to prioritize risk and create a more effective cybersecurity strategy.
- One way to manage third-party risk is to develop and implement a third-party service provider security policy, which should include identification of vendors, risk assessment of vendors, the minimum cybersecurity requirements to be met by vendors, the due diligence process used to evaluate the competency of cybersecurity practices of vendors, periodic assessment of vendors based on the risk they present, periodic assessment of vendors to ensure the continued competency of their cybersecurity practices, access control management, the use of encryption for information in transit and at rest, and incident response procedures.
Real Threats to Financial Institutions
When Equifax reported its data breach that compromised millions of US consumers, the breach immediately became a headline. Breaches like this, though not as massive or as high-profile, occur all the time among financial institutions.
- In 2014, JPMorgan Chase was the victim of a hack that left half of all US households compromised, one of the largest thefts of consumer data in US financial institution history.
- In 2017, Petya hit the property arm of France’s biggest bank, BNP Paribas.
- In 2018, the SEC charged Voya Financial Advisors (VFA) with failures in cybersecurity policies and procedures that led to a hack which compromised 5,600 customers’ personal data.
- In 2019, a third party exposed a Dow Jones database on a public server, with no password, that contained 2.4 million records of “risky businesses and individuals.”
When breaches occur at financial institutions, the average cost per capita is $207. Banking Trojan botnets, Denial of Service attacks, skimming campaigns, malicious insiders – the threats aren’t stopping. What is your organization doing to protect yourself and meet the cybersecurity expectations for financial institutions? Contact us today to learn more.