Financial Institutions Are Among the Most Regulated: Six Global Compliance Standards You Should Know

By Stephen Cavey
November 25, 2020
in Compliance and Regulation, Digital Assets & Crypto, Featured Content, Industry Opinions
It’s no surprise that financial organizations are among the world’s most heavily regulated areas of business. The industry as a whole, whether a traditional bank or a modern fintech startup, is a lucrative target for cybercriminals who are after the sensitive information these organizations store.

In fact, on January 16, 2020 the U.S. Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller (OCC) issued a joint bulletin alerting the financial services (FS) sector to heightened threats amid rising geopolitical tensions and advising it to mitigate risks to systems, networks, data, and critical business functions.

These warnings of rising threats are why financial organizations are subject to an ever-growing set of regulations and face immense pressure to comply with each requirement in order to protect customer data. But before compliance can be achieved, financial entities must understand these legal and regulatory requirements. Let’s explore.

Six global financial data security regulations to know

Whether you’re based in Singapore, London or New York, there are many regional and national compliance standards financial organizations are required to meet. A few of the most prominent ones include:

  • 23 NYCRR 500 Cybersecurity: The 23 NYCRR 500 cybersecurity regulation was issued by the regulatory body New York State Department of Financial Services (NYDFS). It was enacted to protect the privacy of consumer data used in financial services. The law comprises 23 sections setting out the requirements for implementing an effective cybersecurity program. Under this regulation, financial institutions must evaluate their cybersecurity risks in order to prevent data breaches, and covered organizations must be able to demonstrate that they have taken “reasonable care” to prevent them.
  • Payment Card Industry Data Security Standard (PCI DSS): To ensure the security of credit card payments, the Payment Card Industry Security Standards Council (PCI SSC) has defined a detailed set of compliance requirements to safeguard credit card transactions, known as the Payment Card Industry Data Security Standard (PCI DSS). The standard covers any company that handles card transactions. It was originally developed in 2006 by a consortium of the major payment brands: Mastercard, Visa, Discover, American Express and JCB.
  • Gramm-Leach-Bliley Act (GLBA): GLBA regulates the collection, safekeeping, and use of private financial information. For example, under the Safeguards Rule, an entity that meets the definition of a financial institution must adopt measures to protect the customer data in its possession. Additionally, the Act requires covered entities to be transparent about their information-sharing practices, which includes granting customers the right to opt out of having their data shared with third parties.
  • Sarbanes-Oxley Act (SOX): SOX was implemented in 2002. It establishes requirements for the secure storage and management of corporate electronic financial records, including the monitoring, logging, and auditing of certain activities.
  • European Union Data Protection Directive (EUDPD): The EU Data Protection Directive (also known as Directive 95/46/EC) is a regulation adopted by the European Union to protect the privacy of all personal data collected for or about citizens of the EU, especially as it relates to processing, using or exchanging such data.
  • Japan’s Personal Information Protection Act: Japan’s PIPA is overseen by the Personal Information Protection Commission (PIPC), a Japanese supervisory authority. The act took effect on 30 May 2017. PIPA applies to the use of personal information for business but has no express provision on jurisdiction. It does set out a comprehensive classification of personal data, including the concept of “Personal Identifier Codes”.

Staying proactive on the path to financial compliance

Many, if not all, of these regulations apply to financial institutions. The best thing your organization can do is hire a Chief Compliance Officer (CCO) who is willing to take a proactive, progressive approach to data management and cybersecurity. The core pillars of any good compliance and security program should include:

  • Encrypting sensitive data
  • Logging and data collection
  • Having policies and procedures in place for data management and security

Additionally, financial organizations should conduct a regular data discovery audit by scanning across their entire network, including all endpoints and cloud storage, to ensure they know exactly where all sensitive financial data is stored.
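The data discovery audit described above boils down to a scanner that walks file contents, flags strings that look like card numbers, and reports where they were found without copying the number itself into the report. The following is an added illustration, not code from PaymentsJournal or from any of the standards named in this article. It runs over a constructed in-memory set of "files" (the card numbers are publicly known test PANs, not real accounts) and uses a Luhn check to drop candidates such as invoice or ticket numbers that merely have the right length; the file paths and the `Finding` record type are assumptions for the example.

```python
import re
from collections import namedtuple
from typing import Dict, List

# Constructed sample "files" standing in for the endpoint and cloud storage a
# real discovery scan would read. The card numbers are well-known test PANs.
SAMPLE_FILES: Dict[str, str] = {
    "/shared/exports/orders_2020.csv": (
        "order,pan,amount\n"
        "1001,4111 1111 1111 1111,19.99\n"
        "1002,5500-0000-0000-0004,42.00\n"
    ),
    # Long numbers that are NOT card numbers: the Luhn check should reject them.
    "/home/alice/notes.txt": "Call back re: ticket 12345678 and invoice 9876543210123\n",
    # A PAN leaked into an application log, a common audit finding.
    "/srv/app/logs/app.log": "2020-11-25 INFO charge ok pan=378282246310005 last4=0005\n",
}

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# One report row: where the PAN was found, never the full PAN itself.
Finding = namedtuple("Finding", ["path", "line_no", "masked_pan"])


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual display allowance) and hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's text and return a masked finding for every Luhn-valid PAN candidate."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(path, line_no, mask_pan(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Run scan_text over every (path, contents) pair and collect the findings."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.masked_pan}")
```

In a real audit the dictionary would be replaced by a walk over mounted file systems, mailbox exports and cloud buckets, and the findings fed into the encryption and data-handling work the pillars above call for; the point of masking in the report is that the discovery tool must not itself become a new place where full card numbers are stored.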

Today’s complex world of compliance and security can be overwhelming, especially for banks and other financial institutions that are heavily regulated. The most important thing these organizations can do is take a proactive approach to their overall security posture, working to close any vulnerable gaps found in data management procedures.

As data only increases in value, so will the activity of malicious cybercriminals looking to capitalize and profit from sensitive PII data. Achieving compliance for the above regulations may seem tedious but will put your organization in a position to defend against attackers, keep the trust of your customers and, most importantly, keep their data safe.

Tags: Compliance, Compliance and Regulation, Cybersecurity, Data, EUDPD, Fraud Prevention, GLBA, Industry Opinions, PCI-DSS, Security, SOX