Executive Insights: Changing Cybersecurity Regulations that Global Financial Services Firms Need to Know About
Cyberattacks have become a global epidemic. Cybercriminals are now targeting organizations, critical infrastructure, and governments across the world with timely, sophisticated attacks.
Ransomware attacks such as Petya and WannaCry put critical functions across the world on hold earlier this summer, while the recent Equifax data breach has affected as many as 143 million Americans. With such attacks persisting, it is predicted that cybercrime damages will cost the world $6 trillion annually by 2021.
Cybercriminals are typically motivated by monetary rewards. In the case of ransomware attacks, cybercriminals target things like critical infrastructure and healthcare organizations and hold their data captive until paid. Other cyberattacks aim to steal personally identifiable information (PII) of consumers, such as financial records. This information can be sold on the dark web for a profit, then used in instances of identity theft, tax fraud, etc. Theft of this type of information has long-term effects, as personal information is not easy to change, nor is it easy to even track its misuse following a breach.
As these attacks and breaches continue to take place, government regulators around the world are realizing that while no one is immune to modern cyberattacks, there is still a lot that can be done to protect critical resources and market sectors. With this in mind, new regulations across Europe, Asia, the UK, and the US are being implemented to ensure proper security measures are in place to protect valuable data.
Recent Cybersecurity Regulations
Globally operating financial services firms have to be aware of new cybersecurity regulations and how they affect their business in order to navigate data rules and remain compliant, especially as they conduct business across borders. Compliance is especially crucial as the punishments for noncompliance typically include large fines.
Below are some of the most recent implemented or proposed cybersecurity regulations that will affect financial services firms.
China’s Cybersecurity Law was put into effect on June 1, 2017. The Chinese government aims to use this law to better align with industry and global cybersecurity standards by placing additional requirements on network and system security. This law will directly impact the financial services sector as it is considered to be a critical information infrastructure (CII).
CII refers to sectors in which a data breach would compromise national security or public welfare. Under the Cybersecurity Law, CII entities must allow authorities access to data upon request. Financial services firms will also have to demonstrate that their IT infrastructure meets certain specifications and can pass standard cybersecurity tests and certifications. Additionally, data collected in China about its citizens has to be stored on servers within the country’s borders and cannot be moved abroad without permission. Lack of compliance can result in criminal charges and fines of up to 1 million yuan, or just over $150,000 USD.
Financial services institutions that do business in China need to understand and implement necessary cybersecurity measures, as well as the control and restrictions the government places on Chinese data.
The Cyber Security Agency in Singapore proposed a draft of a new Cybersecurity Bill in July 2017. Although it still has to go through parliament, it is worth noting the potential regulations that will specifically affect banking institutions.
Similar to the Cybersecurity Law in China, the Cyber Security Agency in Singapore would gain greater visibility into, and authority over, how data is used, processed, and stored. The bill would require CII such as financial services to report any cyber incidents to the Commissioner of Cybersecurity, as well as any modifications of system design or security. Notably, privacy laws that keep banks from sharing confidential personal information are overruled by the Cybersecurity Bill, allowing the Cyber Security Agency to access any computer system relevant to an investigation. Lack of compliance can result in fines of up to $100,000 or, in extreme cases, up to 10 years imprisonment.
The EU’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. GDPR aims to put European citizens back in charge of their data. Consumers must now actively give consent to organizations that wish to process their data and can withdraw that consent at any time. Consumers can also request that their data be transferred to other organizations. Under GDPR, EU citizens also have the “Right to be Forgotten,” under which they can ask that their data be completely erased or not be processed. Additionally, GDPR requires organizations to implement data protection by design and by default, making security a core focus at the outset of data monitoring programs.
Notably, GDPR applies not only to organizations in Europe, but also to all organizations that process and store data on European citizens, regardless of physical location. Due to the high volume of personal information stored and processed by financial institutions, regulating bodies will likely be keeping a close eye on their compliance efforts. Noncompliance can result in fines of €10 million, or 2 percent of worldwide annual turnover for lesser infringements. Severe infringements can result in fines of €20 million, or 4 percent of global turnover, whichever is higher.
The United Kingdom government has confirmed that its decision to leave the European Union will not stop its participation in GDPR. The UK is aligning itself with the measures put forth in GDPR through the Data Protection Bill, which updates the UK’s 1998 Data Protection Act. As such, the regulations listed in the Data Protection Bill are largely the same as those in GDPR, with some minor changes addressing journalists and scientific researchers.
The US is seeing an increased focus on cybersecurity at both the national and state level. Notably for financial services firms, the New York Department of Financial Services’ (DFS) 23 NYCRR 500 cybersecurity regulation had its first compliance deadline on August 28th. Banks in New York now have to report any cyber incidents that could compromise data to the DFS within 72 hours. This includes disruptions by ransomware or DDoS attacks. Banks must also have a robust cybersecurity plan and employ a CISO to oversee security processes and maintenance. There are a series of compliance deadlines that financial services firms must meet over the next two years, with the full transition deadline set for March 2019.
Maintaining Compliance Around the World
Lack of compliance with these new regulations can result in heavy financial and business consequences. To ensure compliance, financial services firms should review each of these new regulations to understand exactly how their organization will be affected. While each law will require that different cybersecurity measures be taken, improving visibility into data movement and use across your organization will be universally valuable.
Conducting a cyber threat assessment (CTA) can give financial services firms an in-depth look at their current security protocol, and areas in which they might be at risk. Conducting a CTA and making adjustments to security accordingly demonstrates to regulating bodies that financial services organizations have actively prioritized security and compliance.
For greater data visibility across distributed environments, financial services firms need to take an architectural approach to security. The Fortinet Security Fabric provides visibility, segmentation, and security automation across networks from endpoints to the core and into the cloud. As regulations increasingly require data to be made available to consumers and regulating bodies in a timely manner, such visibility into data movement and storage will be integral to compliance.
As cyberattacks continue to evolve as a global phenomenon and governments respond with individual regulations to protect their citizens, financial services, often seen as critical infrastructure, will need to adapt their IT and security infrastructure based on geography. As financial institutions transition to meet these new requirements, data visibility will continue to be key.
This byline first appeared in CSO.