By Grainne McKeever, Senior Security Product Marketing Manager at Imperva
The vast number of regulations introduced over the last few years has had a drastic effect on how and why organisations need to stay compliant across the financial services landscape. The surge of regulations has benefited organisations across the world and has guaranteed that security and accountability are at the forefront of business strategy.
Let’s start with the Sarbanes-Oxley Act (SOX), which was introduced in 2002. It was announced following a number of financial scandals involving huge conglomerates, and it obliges companies to establish internal controls to prevent fraud and abuse, holding senior managers accountable for the accuracy of financial reporting.
The financial crisis of 2008 meant even tighter rules for financial services, with the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US bringing a great deal of new regulation for the sector. In Europe, in a joint move between the UK, France and Germany, banks were forced to contribute to the region’s economic recovery by paying an annual tax levy.
The UK experienced a complete overhaul of its financial regulatory structure when the existing tripartite system was abolished and replaced by a new framework consisting of the Financial Policy Committee (FPC), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). Since then, new regional directives have materialised, including the New York State Department of Financial Services’ (NYDFS) regulation, and the Monetary Authority of Singapore’s (MAS-TRM) guidelines.
Driven largely by digital transformation, the emergence of much more rigorous privacy and security regulations around the globe, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States, has created additional regulatory layers for organisations to comply with. While GDPR is not specific to financial services, it has had an enormous impact on this industry.
A common requirement of many regulations is to appoint a Chief Information Security Officer (CISO), Chief Technical Officer (CTO) or, in the case of GDPR, a Data Protection Officer (DPO). Each of these appointments comes with specific obligations the role holder must manage to ensure the organisation stays compliant.
Many regulations are designed to protect personal customer data. The GDPR, for example, places the emphasis on commitment to individuals’ data privacy through a Data Protection by Design approach, meaning organisations need to build privacy and protection into their products, services, and applications.
Data privacy is also one of the key requirements of the NYDFS regulation, which mandates that firms implement and maintain policies and procedures for the protection of their information systems and the non-public information stored in them. For MAS-TRM, the protection of customer data, transactions and systems is included in its risk management principles and best practice standards.
To protect your assets, you first need to know where your databases are located and what information they contain. Only when you have full visibility of which regulated data your databases hold can you conduct an assessment to prioritise datasets and assign each a risk profile.
Who, What, When and How?
A recurring requirement of data regulation is that organisations should have visibility of user access, so that they can answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. This is certainly true of the GDPR, which requires organisations to maintain a secure environment for data processing. For MAS-TRM, establishing appropriate security monitoring systems and processes is outlined as a requirement in the guidelines, “to facilitate prompt detection of unauthorised or malicious activities by internal and external parties.”
Avoiding Regulatory Penalties
Reporting incidents in time is critical for avoiding regulatory penalties, which can be severe and costly for an organisation, both financially and in terms of reputational damage. However, security teams are often overwhelmed with large volumes of incident alerts, with the risk that a genuine threat slips through the net.
Using advanced machine learning and peer group analysis to reduce the number of alerts that bubble to the surface makes it easier to recognise a real breach in time to stop it from reaching internal networks.
Financial services firms must adhere to data protection, data discovery, data monitoring and incident reporting requirements, as doing so allows them to continue to flourish whilst keeping security at heart.
Government regulation affects the financial services industry in a number of ways, and each regulation has its own impact depending on the organisation. Increased privacy and security regulation will ensure that security remains vital for businesses and that confidence is maintained throughout the sector, ultimately reducing possible security concerns.