How to properly implement cybersecurity standards in the financial sector
By Krzysztof Labuda, Security Engineer at Solwit.
The author of this article is Krzysztof Labuda, a participant in the Certified Ethical Hacker (CEH v11) program, which teaches the latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals. With over ten years’ experience, he is responsible for cybersecurity testing and securing systems at Solwit.
Financial services can’t be provided without trust, the core value they’re built on. However, as in life, trust does not spring up from nowhere; it must be earned – so, how can you ensure peace of mind and high-security standards for your customers? Answering this question is quite straightforward, but it can be complicated to implement – as it relies on specific policies, norms, standards, and documents. You don’t have to wade through them all – we’ve done it for you. Throughout this text, we’ll point out 8 policies and standards you need to know to ensure your system matches the cybersecurity standards of the financial industry.
First, testing the software
The importance of software testing cannot be overstated when discussing application security. During my 10-year career, I have seen the testing stage skipped several times, and the project has never been successful when that happens. Such an approach is, luckily, becoming increasingly rare, and the opposite is now common: clients have repeatedly told me they cannot afford to skip software testing. In terms of IT security, pen tests are the first thing that springs to mind. In practice, however, any type of testing benefits our applications. Keep in mind that this simple tool can save us both time and money.
Cybersecurity standards and trust
Although there are many legal norms relevant to cybersecurity and trust, they are rarely global. They tend to be country- or region-specific (e.g., MiFID II, the Markets in Financial Instruments Directive, in the European Union, or the Dodd-Frank Act in the US) or to apply to one segment of the financial market (e.g., banking, insurance, investment funds). Among them, it is also worth remembering the Network and Information Systems Directive (NIS), or more precisely the NIS2 amendment, which requires operators of critical services (e.g., financial market infrastructure and banks) to put in place appropriate measures to ensure a high level of security of networks and information systems, and to report cybersecurity incidents to the relevant regulatory authorities.
There are generally-recognized software security standards to keep in mind, though.
What steps will protect your financial information, which is sensitive data? What measures must you take to secure your online product and earn customers’, users’, and investors’ trust?
- Assess the risk regularly
Conducting regular risk assessments to identify vulnerabilities, gaps, and potential fraud-prone areas in an organization’s processes, systems, and infrastructure is crucial. A self-improvement loop, known in the industry as the Deming or PDCA cycle (Plan-Do-Check-Act), lends itself well to security audits and gives them a structured approach.
- Use strong encryption algorithms
Application data (in industry-speak, data at rest and data in transit) should be properly encrypted. Use robust encryption algorithms for this, both symmetric and asymmetric. It is not only the data stored by the application that must be encrypted; it is just as critical to protect it in transit. Standards such as FIPS 140-2, which sets requirements for cryptographic modules, help here.
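As an added example (not code from the article or from Solwit), the following Go program shows both halves of the point above: records are protected at rest with authenticated encryption (AES-256-GCM, with the record identifier bound as additional authenticated data so a ciphertext cannot be swapped between records), and a weak TLS client configuration is placed beside a hardened one with a small check that reports in-transit weaknesses. The key, record identifier, sample plaintext, and host name are constructed for the example; in a real deployment the key comes from a KMS or HSM. AES-GCM is a FIPS-approved algorithm, but FIPS 140-2 validation applies to the cryptographic module that implements it, not to this code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// Record is one application record as it would be stored at rest.
// Ciphertext holds nonce || GCM ciphertext || tag.
type Record struct {
	ID         string
	Ciphertext []byte
}

// Seal encrypts plaintext for storage with AES-256-GCM. The record ID is
// passed as additional authenticated data, so moving a ciphertext to a
// different record is detected on Open.
func Seal(key []byte, id string, plaintext []byte) (Record, error) {
	if len(key) != 32 {
		return Record{}, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	return Record{ID: id, Ciphertext: append(nonce, ct...)}, nil
}

// Open decrypts a stored record and fails closed on any modification of the
// ciphertext, the tag, or the record ID.
func Open(key []byte, rec Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(rec.Ciphertext) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], []byte(rec.ID))
}

// WeakTLSConfig is the kind of client setting that passes functional tests
// but offers no real protection in transit.
func WeakTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10, InsecureSkipVerify: true}
}

// HardenedTLSConfig pins a minimum of TLS 1.2, restricts the TLS 1.2 suites to
// AEAD ciphers with forward secrecy, and verifies the server certificate.
// (TLS 1.3 suites are not configurable in Go and are always secure.)
func HardenedTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		ServerName: serverName,
	}
}

// CheckTLSConfig returns the in-transit weaknesses present in a config.
func CheckTLSConfig(c *tls.Config) []string {
	var findings []string
	if c.InsecureSkipVerify {
		findings = append(findings, "certificate verification disabled")
	}
	switch {
	case c.MinVersion == 0:
		findings = append(findings, "no explicit minimum TLS version (relies on library default)")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, "minimum TLS version below 1.2")
	}
	return findings
}

func main() {
	key := make([]byte, 32) // constructed key; use a KMS/HSM in production
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := Seal(key, "acct-42", []byte("constructed sample account data"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, rec)
	fmt.Printf("stored %d bytes for %s, recovered %q (err=%v)\n", len(rec.Ciphertext), rec.ID, pt, err)
	fmt.Println("weak config findings:    ", CheckTLSConfig(WeakTLSConfig()))
	fmt.Println("hardened config findings:", CheckTLSConfig(HardenedTLSConfig("api.example.test")))
}
```

The tamper checks in Open are what distinguish authenticated encryption from plain AES-CBC or similar: a flipped byte, a truncated blob, or a ciphertext copied onto another record all produce an error rather than silently decrypting to garbage.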
- Implement identity and customer verification procedures and control them in the IAM system
Customer Due Diligence (CDD) and Know Your Customer (KYC) are procedures that govern account creation and subsequent interactions with our systems. Once the procedures are defined, it is wise to enforce them, which an Identity and Access Management (IAM) system can help with. It lets you securely manage verified identities according to the Principle of Least Privilege: each system component should have access only to the information and resources necessary to perform its assigned purpose or task.
- Ensure the security of personal data
One must be mindful of the EU’s GDPR (known in Poland as RODO), which protects customers’ privacy and security. In the U.S., at the state level (California), the analogous regulations are the CCPA (covering consumers’ rights to control their personal data) and the CPRA, which is one of the most significant U.S. privacy laws.
- Introduce the ISO 27001 standard
You should definitely consider ISO 27001, the international standard for information security management. It stipulates general requirements for information protection, risk management, access control, and business continuity.
- Implement CIS controls recommendations
CIS Controls are security recommendations and best practices for small, medium, and large enterprises.
As part of your efforts, it’s helpful to establish policies and fraud prevention thresholds that automatically block or flag suspicious activities, e.g., high-value transactions, multiple failed login attempts, or requests from suspicious IP addresses.
It is also beneficial to have elements supporting log auditing, threat awareness and management, and secure configuration of the IT infrastructure.
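To make the two paragraphs above concrete, here is an added example (not from the article or from Solwit) of a small rule engine that applies exactly the thresholds named: it flags transfers at or above a high-value limit, blocks an account after repeated failed logins inside a sliding time window, and blocks any request from a denied address range. Every decision is rendered as a structured audit line so the result feeds a log review. The event stream, the thresholds in DefaultPolicy, and the address ranges are all constructed for illustration and are not recommended values.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Event is a normalized application event (constructed for this example).
type Event struct {
	Time    time.Time
	Kind    string // "login_failed", "login_ok", "transfer"
	Account string
	IP      string
	Amount  float64 // transfers only, in account currency
}

type Action string

const (
	Allow Action = "allow"
	Flag  Action = "flag"  // let through, raise for review
	Block Action = "block" // stop the action, raise an alert
)

type Decision struct {
	Event  Event
	Action Action
	Reason string
}

// Policy holds the fraud-prevention thresholds. The values in DefaultPolicy
// are illustrative only.
type Policy struct {
	HighValue         float64
	MaxFailedLogins   int
	FailedLoginWindow time.Duration
	DeniedNets        []netip.Prefix
}

func DefaultPolicy() Policy {
	return Policy{
		HighValue:         10000,
		MaxFailedLogins:   3,
		FailedLoginWindow: 5 * time.Minute,
		DeniedNets:        []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}, // constructed range
	}
}

// Engine keeps the per-account failed-login history needed for the window rule.
type Engine struct {
	policy Policy
	failed map[string][]time.Time
}

func NewEngine(p Policy) *Engine {
	return &Engine{policy: p, failed: map[string][]time.Time{}}
}

// Evaluate applies the policy to one event. Source-address checks run first
// because they apply to every event kind; then the kind-specific rules.
func (e *Engine) Evaluate(ev Event) Decision {
	addr, err := netip.ParseAddr(ev.IP)
	if err != nil {
		return Decision{ev, Flag, "unparseable source address"}
	}
	for _, p := range e.policy.DeniedNets {
		if p.Contains(addr) {
			return Decision{ev, Block, "source address in denied range " + p.String()}
		}
	}
	switch ev.Kind {
	case "login_failed":
		// Keep only failures inside the sliding window, then count this one.
		cutoff := ev.Time.Add(-e.policy.FailedLoginWindow)
		recent := e.failed[ev.Account][:0]
		for _, t := range e.failed[ev.Account] {
			if t.After(cutoff) {
				recent = append(recent, t)
			}
		}
		recent = append(recent, ev.Time)
		e.failed[ev.Account] = recent
		if len(recent) >= e.policy.MaxFailedLogins {
			return Decision{ev, Block, fmt.Sprintf("%d failed logins within %s", len(recent), e.policy.FailedLoginWindow)}
		}
	case "login_ok":
		delete(e.failed, ev.Account) // a successful login resets the counter
	case "transfer":
		if ev.Amount >= e.policy.HighValue {
			return Decision{ev, Flag, fmt.Sprintf("amount %.2f at or above threshold %.2f", ev.Amount, e.policy.HighValue)}
		}
	}
	return Decision{ev, Allow, ""}
}

// AuditLine renders a decision as one key=value log line for the audit trail.
func AuditLine(d Decision) string {
	return fmt.Sprintf("ts=%s action=%s kind=%s account=%s ip=%s amount=%.2f reason=%q",
		d.Event.Time.UTC().Format(time.RFC3339), d.Action, d.Event.Kind, d.Event.Account, d.Event.IP, d.Event.Amount, d.Reason)
}

// Run evaluates a stream of events in order with a fresh engine.
func Run(p Policy, events []Event) []Decision {
	eng := NewEngine(p)
	out := make([]Decision, 0, len(events))
	for _, ev := range events {
		out = append(out, eng.Evaluate(ev))
	}
	return out
}

// SampleEvents is a constructed stream: three failed logins on one account,
// a high-value and a routine transfer on another, and a request from the denied range.
func SampleEvents() []Event {
	base := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	return []Event{
		{base, "login_failed", "acct-1001", "203.0.113.7", 0},
		{base.Add(10 * time.Second), "login_failed", "acct-1001", "203.0.113.7", 0},
		{base.Add(20 * time.Second), "login_failed", "acct-1001", "203.0.113.7", 0},
		{base.Add(30 * time.Second), "login_ok", "acct-1002", "198.51.100.5", 0},
		{base.Add(40 * time.Second), "transfer", "acct-1002", "198.51.100.5", 25000},
		{base.Add(50 * time.Second), "transfer", "acct-1002", "198.51.100.5", 120},
		{base.Add(60 * time.Second), "transfer", "acct-1003", "192.0.2.44", 50},
	}
}

func main() {
	for _, d := range Run(DefaultPolicy(), SampleEvents()) {
		fmt.Println(AuditLine(d))
	}
}
```

The sliding window matters more than it looks: a simple lifetime counter either locks legitimate users out after a few typos spread over weeks or is reset so often that it never fires. Separating Flag from Block keeps high-value transfers flowing while still producing a record that a reviewer can act on.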
- Test your own safeguards, not just your apps
Testing security features is vital to rule out configuration errors and ultimately confirm their effectiveness. This can be done with traditional penetration tests, where the exact scope and timing of the attack are agreed upon beforehand. Another option is a Red Team vs. Blue Team exercise: the teams (red for offense, blue for defense) simulate attacks on, and the defense of, our systems, giving us a chance to find vulnerabilities and eliminate them as soon as possible.
- Remember PCI DSS
Whenever you develop a financial application, you will likely have to comply with specific regulations and industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS is a widely recognized and respected standard for securing payment data, established by the Payment Card Industry Security Standards Council (PCI SSC) to protect payment cardholder data and prevent fraud (including abuse). The standard sets out many detailed requirements for organizations that process, store, or transmit payment card data, all aimed at ensuring trust and transaction security. It also shares common ground with the other standards and frameworks discussed here: cryptographic security, identity management and access control, monitoring mechanisms, and regular testing.
Secure your company’s cybersecurity standards
We must recognize that this is not art for the sake of art, and the financial market (especially the conventional one) is highly regulated. Whenever a lack of care is shown in meeting the above standards, norms, and practices, we jeopardize customers’ trust and the company’s credibility.
It doesn’t end there – the financial penalties and legal consequences for lack of security attention are very severe. If your company lacks cybersecurity specialists or needs a risk assessment, hiring an experienced technology partner will be worthwhile. They will also advise on how to secure the application more effectively and avoid detrimental consequences.
Our many years of experience in system design and testing are confirmed by successfully delivering applications for financial industry clients. As an ISO 27001 and ISO 22301 certified company with more than 350 engineers on board, we know the importance of information security and resilience against hacker attacks. Set up an appointment for a free consultation with our cybersecurity experts. We will advise you on the security features your application needs.