Shifts toward digitization have been quite profound for numerous enterprises. Accompanying them have been increasingly stringent cyber security controls – along with policies and regulations. This is especially true within the financial sector.
Banking, financial services and insurance (BFSI) cyber security controls have blazed trails for the wider industry, while remaining firmly beneath the microscope of today’s practitioners. Seismic shifts within BFSI security have often rippled out to the wider industry, and that’s not something the industry takes lightly.
The BFSI space is loaded with regulations and policies that govern it. Plus, it boasts useful platforms for information-sharing and threat intelligence. With additional frameworks (NIST, SWIFT, etc.) which outline the necessary security threshold, BFSI is highly visible. However, those within this financial space also deal with exceedingly motivated hackers – some of whom are ramping up their efforts to infiltrate networks, automate attacks and/or remain largely unseen.
Global Chief Privacy Officer for Marsh & McLennan Companies, Inc., Orrie Dinstein, told the Cyber Security Hub: “Many legislatures and regulators are awakening to the cyber-threat and issuing increasingly detailed and prescriptive rules for cyber security. While some are geared towards all companies, many are focused on critical infrastructure sectors. Others focus even more specifically on the financial services sector.”
Altogether, the rulebook for BFSI governance is arguably more consolidated and accessible today than it has ever been. On top of patrolling expansive networks and their endpoints, CISOs and other security practitioners in the space are charged with streamlining business efficiency while ensuring data privacy.
As this sort of Catch-22 forms around the BFSI space, the security spend in banks, financial entities, insurance companies and Fintech startups largely continues to climb, as noted in Computer World. So, these practitioners are charged with budgetary and infrastructure oversight. They must also be cognizant of ongoing compliance efforts.
Leading the Charge
Elucidating that point, Deloitte partners Stephen Bonner and Nick Seaver called the financial sector a sort of bellwether for industry activity. According to the partners, financial happenings and the patterns around them are relevant to everyone.
According to Computer Weekly, Bonner told delegates at the 2018 IISP Congress in London that, “We think financial services is the canary in the coalmine.”
He continued: “We see that whatever regulation starts in financial services ends up being copied in other industries. So what we see starting to be developed in financial services around the management of cyber risk, we expect to see implemented in other industries.”
Adding to this, Dinstein told the Cyber Security Hub: “Some of the innovation (in the space) stems from tools that are not specifically geared towards cyber security, but pay a security dividend.” One such example: the secure distributed ledger, Blockchain.
According to the Computer Weekly piece, Seaver said that in the past two years, data integrity and data availability have gained paramount importance within the enterprise.
He said: “As a result, financial services firms have been struggling this past year with things like the encryption of sensitive data at rest due to regulatory pressure.”
Other challenges in the space – beyond but also encompassing regulation – include the business/cyber culture within an organization, as well as identifying “crown-jewel” data sets, breach reporting and incident response.
Seaver said breach notification has become “increasingly complex” due to the “fairly short timeframe” in which regulators expect to be made aware. He said one Singapore regulation requires notification within one hour of discovery.
GDPR Response
An additional (and fundamental) regulation cyber security teams must embrace is the General Data Protection Regulation (GDPR).
The Deloitte partners pointed out three areas of focus for GDPR rollout: crises, complaints and crusaders. Crises, they said, are often prompted by cyber security-related issues, and thus could likely be mitigated. Complaints, they added, will draw a regulator response when they arrive in “pockets”, that is, in numbers. They also pointed out that there will be “crusaders” whose aim will be to expose faulty data privacy controls at the organizational level. One surface to update and refresh, they noted, is the company’s privacy policy, which is forward-facing.
‘Swift’ Action
Elsewhere, many financial institutions also adhere to the SWIFT platform’s Customer Security Controls Framework. The policy was rolled out earlier this year, and is described as a baseline of security. The controls framework came on the heels of a financial sector heist that saw the Bangladesh Bank hemorrhage $81 million.
As noted in a previous Cyber Security Hub article, the framework calls for incident response, security awareness training, multi-factor authentication (MFA) and anomalous behavior detection. It consists of mandatory and advisory controls.
SWIFT’s inter-bank transfer system, however, has also been the target of cyber-attacks. According to Security Boulevard, an attack was recently cut off after Malaysia’s central bank spotted the attempted fraudulent transfer of funds.
According to the same piece, earlier this year, the Punjab National Bank may have suffered a $1.7 billion loss over fraudulent transactions (perhaps with the help of insiders, Security Boulevard notes).
Small Sample
Elsewhere, legislation has been paving the way for financial services and financial technology (FinTech) companies. Just two examples include regulations imposed by the New York State Department of Financial Services (NYDFS), and a Regulatory Sandbox Program (RSP) implemented by Arizona.
According to Lexology, the NYDFS cyber regulations aim to protect customer information and require a cyber security program, policy, chief information security officer, annual pen-testing and vulnerability assessments, personnel training and the security of nonpublic information held by third parties.
On this, Dinstein said that due to the rule’s requirement to apply certain provisions to third-party contractors/partners, “the DFS rules will likely have an impact well beyond the financial services sector.”
The same Lexology report notes that the RSP, signed into law in Arizona on March 22, 2018, created a “sandbox” program for FinTech companies to test financial products and services without comprehensive regulatory requirements. Companies can apply to the state’s attorney general and earn 24 months to test products on a set number of consumers.
These two developments, among countless others, illustrate how profound the industry’s influence is in steering the conversation around cyber security.
“There’s no doubt that the financial services sector is the leading sector when it comes to focus on cyber security,” Dinstein said.