
Financial Services Cybersecurity

Whether you are just starting to dive into cybersecurity compliance regulations for financial services organizations or looking for opportunities to harmonize frameworks, we have you covered. 

Introduction

In Pursuit of Harmonization

The financial services sector has historically been, and remains, a leader in cybersecurity. As the adage goes: why do people rob banks? Because that's where the money is. The sector pioneered the role of the Chief Information Security Officer, and today it is both a leader in cybersecurity and one of the most heavily regulated industries when it comes to cybersecurity and risk management. 

Over the years, as countries and regions increased regulation to protect their economies, financial services organizations were barraged with a slew of regulations that they had, and still have, to meet in order to operate in the markets they serve. 

The result is time spent (arguably wasted) on meeting compliance with frameworks that are all relatively similar in nature. This duplication of effort has left financial services risk and compliance teams overburdened with compliance work rather than focused on mitigating the risks unique to their organization. 

We will be diving into the most common frameworks and how financial services organizations can work to harmonize these frameworks, increase efficiency, and focus on the risks that matter. 

Dive deeper into an overview of financial services' cybersecurity.

The Financial Services Sector Cybersecurity Profile

The Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile is one of the critical resources used for proving compliance across the host of standards that apply to financial institutions of all types, financial services companies, financial firms, and their third-party providers. In 2018, a survey showed that CISOs in the financial services sector spent 40% of their time, and their teams' time, reconciling various cybersecurity and regulatory frameworks instead of focusing on cybersecurity needs. This was because each regulation has its own standards for institutions to follow in their cybersecurity initiatives, resulting in a segmented approach to compliance across the various regulatory standards. In response, the Financial Services Sector Coordinating Council developed the Financial Services Sector Cybersecurity Profile to unify the efforts of CISOs and practitioners to maintain and improve their compliance activity.

Read more about the Financial Services Sector Cybersecurity Profile.

Learn more about the FSSCC Profile with our expert webinar. 

Assessing Against the FSSCC Profile

The Financial Sector Cybersecurity Framework Profile was developed by the Financial Services Sector Coordinating Council (FSSCC) as a means to harmonize the plethora of cybersecurity regulations and standards that members of the financial sector must comply with. According to the FSSCC, over 80% of the supervisory instructions in financial services regulations had a similar focus but used different language or had marginally different compliance requirements. The Profile was developed to streamline compliance with those various regulatory requirements, much as the NIST Cybersecurity Framework has emerged as a foundation on which organizations in any industry can build their cybersecurity programs. NIST has hailed the Profile as a perfect extension of the CSF, tailored specifically for financial institutions; it goes so far as to add two new functions to NIST's five: Governance and Supply/Dependency Management.

Institutions of all types can use the Profile internally and externally with vendors as a means to benchmark cybersecurity posture. As you and your organization consider whether to adopt the Profile to increase efficiency, we've assembled three Do's and Don'ts for adopting the Profile.

Read the Do's and Don'ts of conducting an FSSCC Profile assessment. 

NYDFS Cybersecurity Regulations

New York 23 NYCRR Part 500 compliance can be a daunting lift, especially for those who haven't started to remediate, and even for those who have achieved compliance but aren't sure how to continuously prove it without taking time, effort, and resources away from existing projects.

Governor Cuomo announced that New York's cyber regulation was the "first in the nation" to protect both consumers and financial institutions. "The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services" to put in place a continuously maintained cybersecurity program. The program is meant to protect the consumers that each financial institution serves and to secure New York State's financial services industry this year and beyond as cyber vulnerabilities evolve. The regulation covers everything from appointing a Chief Information Security Officer to implementing two-factor or multi-factor authentication (2FA or MFA). In short, the regulation is quite extensive.

According to the New York DFS, "This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers."

Read more about 23 NYCRR 500. 

FFIEC Cybersecurity Compliance Explained

The Federal Financial Institutions Examination Council (FFIEC) is the federal agency responsible for enforcing and regulating financial institutions' standards and protections. Established in 1979 and composed of five separate FFIEC member agencies, it acts today as the framework for banking institutions and financial services. Compliance with the FFIEC is determined based on an organization's cybersecurity maturity levels and posture. In 2005, with the introduction of online banking, the FFIEC developed a cybersecurity framework for banking institutions to abide by when handling sensitive banking information online, along with the FFIEC Cybersecurity Assessment Tool (CAT) to standardize compliance efforts and help institutions identify their risks.

Read more about the FFIEC Cybersecurity regulation.

SOX Cybersecurity Compliance

In 2002, sweeping regulatory changes in the financial industry set a new standard for financial practices and corporate governance. The legislation was developed by Senator Paul Sarbanes and Representative Michael Oxley, named Sarbanes-Oxley after its two creators, and is commonly shortened to SOX. The regulation seeks to protect business stakeholders by improving the accuracy of corporate disclosures and preventing fraud. As a regulation based in cybersecurity, SOX shares many common traits with the NIST Cybersecurity Framework, and using NIST controls can satisfy the compliance requirements in SOX.

SOX applies to all public companies in the United States, including subsidiaries and foreign companies that are publicly traded in the United States. SOX is very specific to the scope and functions of an organization and focuses on internal controls. As it relates to cyber, using the NIST CSF can meet SOX cybersecurity compliance requirements by tracking certain key attributes.

Read more about how to use the NIST CSF to achieve SOX cybersecurity compliance.