Cybersecurity Laws, Regulations, and Standards for the Financial Services Industry  

With the growing amount of personal and business data in the custody of financial institutions, they face unprecedented risks to data security and higher incidents of data privacy violations.

Many of these risks are due to cyberattacks and cybersecurity breaches, which continue to increase in the number of incidents reported and their sophistication levels.

“According to the VMWare Modern Bank Heists 5.0 report, 63% of financial institutions have encountered more destructive attacks, and 74% of banks have faced ransomware that gained illicit access to the banks’ systems.”

The overall cost of cybersecurity attacks and data breach incidents is significant across industries globally. The 2023 IBM Cost of Data Breach report estimates the global average cost as US$ 4.45 million. In 2022, the IBM Ponemon report indicated that financial services were the second-most affected industry due to data breaches (cyberattacks being a significant cause) and incurred an annual cost of US$ 5.9 million.

Regulating Cybersecurity in Banking and Financial Services: Key Regulations and Laws

Despite the growing media coverage around cybersecurity – threats, protective measures, challenges, etc. – a sizable scope exists for driving “ground-level” action to protect data privacy.

Several data privacy and data protection regulations and laws have been enacted to make sure that organizations, including financial institutions, comply with the requirements. Many of these laws explicitly lay down the guidelines concerning cybersecurity. The following is an outline:

1. General Data Protection Regulation (EU-GDPR) – 2016

Overview: According to GDPR.EU, GDPR is “the toughest privacy and security law in the world.” It obligates all organizations that collect and process the data of the people based in the European Union to follow the prescribed guidelines.

GDPR Cybersecurity Guidelines

1. Article 5 – Principles relating to the processing of personal data

Organizations must process data based on the seven principles for accountability and protection, which include:

1. Data must be processed lawfully, fairly, and with transparency
2. Data must be processed only for the specified and legitimate purpose
3. Data must be maintained accurately and up to date
4. Data must be stored only till the specified timeline and as necessary for its purpose
5. Data processing must maintain the security, integrity, and confidentiality
6. A dedicated Data Controller is accountable for all the facets of GDPR compliance

2. Article 25 – Data protection by design and by default

1. The data controller must implement the necessary and adequate “technical and organizational” measures, such as pseudonymization at the time of data processing. They must integrate the necessary safeguards into data processing to preserve the rights of data subjects.
2. These measures must ensure the processing of personal data – the amount of data, the extent of processing, and storage duration – that is necessary for the specific purpose.
3. The data controller and the organization must be able to demonstrate compliance with the requirements in accordance with Article 42 GDPR Certification.

3. Article 32 – Security of processing

The controller and processer must implement the necessary technical and organizational measures, including:

1. Pseudonymization and encryption of personal data
2. Confidentiality, integrity, availability, and resilience of data processing systems and services
3. Timely restoration of the availability and access to personal data
4. Regular assessment of the effectiveness of measures for data security

Administrative penalties for GDPR violation:

As per Art. 83 GDPR, failure to comply with GDPR can result in a fine of up to € 20 million or up to 4% of the total global annual revenue, whichever is higher.

2. H.R.5069 – Cybersecurity Systems and Risks Reporting Act of 2016

The H.R.5069 Act amends the Sarbanes-Oxley Act (SOX) of 2002 by extending the scope of SOX internal controls to cybersecurity systems and risks of publicly traded companies.

H.R.5069 Guidelines – Key Amendments to SOX

1. The bill applies the same requirements to cybersecurity systems and cybersecurity systems officers with concerning the responsibility for financial reports and evaluation of internal controls.
2. The Securities and Exchange Commission (SEC) shall issue rules to define cybersecurity expert
3. The bill requires each issuer of securities to disclose the availability status of cybersecurity expert(s) in the audit committee.
4. It requires the SEC to audit the issuer’s information systems and cybersecurity systems statements.

Pillars of data security as per SOX:

1. Financial institutions must ensure the security of financial data
2. They must make adequate provisions to check potential data breaches (including those due to cyberattacks) and financial data tampering and remediate the impact.
3. Financial institutes need to maintain event records for audit and demonstrate compliance in 90-day

Failure to comply with the SOX Act, including the amended guidelines, can lead to penalties of up to US$ 5 million and 20 years of imprisonment.

3. Payment Card Industry Data Security Standard (PCI DSS) – 2004

PCI DSS is a standard for information security, which mandates implementing and meeting specific measures to protect the personal data of cardholders from cybersecurity breaches. The standard is governed by the Payment Card Industry Security Standards Council and focuses on reducing data breaches, identity theft, and credit card fraud.

PCI DSS Requirements – Key Principles for Cybersecurity

1. Organizations including card service providers must maintain the security of systems and networks, including through the use of firewalls and encryption, to safeguard credit card transactions.
2. They must protect cardholder information such as date of birth, social security numbers, phone numbers, etc.
3. Institutions providing card services should set up a vulnerability management program to assess risks and manage vulnerabilities that can lead to cyberattacks and breach of confidential cardholder data.
4. They must maintain robust controls to govern the access to sensitive data across physical and electronic checkpoints and conduct regular network and system testing and monitoring to ensure ongoing data security

PCI DSS violation can result in penalties that can range from US$ 5000 to US$ 100, 000 per month, which is based on the company size and extent of violation.

4. Gramm-Leach-Bliley Act (GLBA) Safeguards Rule – 2023

GLBA is a federal law that obligates financial institutions to safeguard their customers’ sensitive data and apprise them of their information-sharing practices. The three main components of GLBA include:

1. The Financial Privacy Rule: mandates financial institutions to explain their data collection and data sharing practices to customers
2. The Safeguards Rule: obligates institutions to set up systems to protect sensitive data
3. The Pretexting Provisions: Forbids the practice of collecting data deceptively

The Safeguards Rule – officially called Part 314 Standards for Safeguarding Customer Information – essentially defines the requirements for data security and cybersecurity measures.

The Nine Elements of GLBA for Information Security

1. The financial institution must designate a competent individual to oversee and implement the information security program and they should also enforce it
2. The information security program should consider the findings of a risk assessment that includes parameters for categorizing risks and evaluating confidentiality, integrity, and availability of information systems and sensitive data.
3. The institution should design and implement the necessary measures to control the identified risks, conduct timely reviews, identify and manage the data and information systems, multi-factor authentication, encryption, etc.
4. They should routinely test and monitor key controls, systems, and procedures, including penetrating testing and vulnerability evaluation.
5. The financial institution must implement policies and procedures to drive the action per the information security program.
6. They must conduct the necessary due diligence with regard to selecting and managing the service providers, including through measures such as periodic assessments, safeguards, etc.
7. They should regularly update the information security program based on the findings.
8. The financial institution should have a documented incident response plan to guide and manage the necessary actions to mitigate the impact of a security event.
9. The qualified individual must report regularly to the board of directors.

5. Federal Financial Institutions Examination Council (FFIEC) Audit

According to ffiec.gov, “FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions.”

The FFIEC Audit IT Examination Handbook outlines specific guidance for effective IT audits to evaluate risk management practices, internal controls, and policy compliance.

The following is a summary of the prescribed actions:

1. Management should implement a formal internal audit program
2. The board of directors should set up an effective risk-based audit function
3. Senior management should partner with the IT audit towards application development, testing, etc.
4. The board of directors should ensure that the outsourced IT audit functions undergo evaluation of internal controls