Year after year, financial services organizations continue to be massive victims of data breaches—and at a huge cost.
According to a report from The Ponemon Institute, financial services faced the highest cost of insider threats over any other industry—an average of $12.07 million a year. In addition, an IBM report illustrates that FinServ breaches are becoming more and more frequent; in 2016, 200 million financial services records were breached, a 900 percent increase over 2015. With the stakes so high, preventing insider threat incidents becomes an even higher priority.
In preparation for the FS-ISAC Summit on May 20, we’re breaking down the “need-to-know” information about six of the top global FinServ regulatory bodies and regulations, so you can stay compliant in the event of an insider threat incident.
This post covers the basics of:
1. Federal Financial Institutions Examination Council (FFIEC)
The FFIEC is a US interagency regulatory body that holds financial services institutions accountable to certain standards, principles and reporting forms through audits and guidance. Regulators review the overall effectiveness of a financial services organization's project management standards, procedures and controls on a regular basis.
The FFIEC’s Cybersecurity and Critical Infrastructure Working Group is focused on the FinServ industry’s cybersecurity preparedness, as well as identifying (and providing training to prevent) gaps in the regulators' examination procedures. As a part of this effort, the agency has introduced a Cybersecurity Assessment Tool to measure risk and preparedness for both external and insider threats.
The individual agencies involved in FFIEC include the following:
- Federal Reserve System (FRB)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Office of the Comptroller of the Currency (OCC)
- Consumer Financial Protection Bureau (CFPB)
- The State Liaison Committee (SLC), which includes representatives from:
2. The Gramm-Leach Bliley Act (GLBA)
GLBA—also known as the Financial Modernization Act of 1999—allows the US government to ask how financial institutions share and protect customers’ private information, and gives customers the right to opt out of certain information-sharing practices (requiring FinServs to provide regular disclosures of these practices).
The act consists of three key sections:
- Financial Privacy Rule: Regulates collection and disclosure of private information
- Safeguards Rule: Requires that financial services organizations create information security programs to protect customer data
- Pretexting Provisions: Prohibits the organization from accessing private information under false pretenses.
GLBA is enforced by eight separate federal agencies (including the FTC), as well as individual states. If there’s a possible violation, organizations can receive a Civil Investigative Demand (CID) for consumer protection matters in the enforcement process.
3. Payments Card Industry (PCI) Standards
PCI Data Security Standards (PCI DSS) are a set of security standards for the payment card industry meant to protect consumers’ private information. All companies that process, secure, store, accept or transmit card data must be in compliance with this standard.
PCI DSS is managed by the PCI Security Standards Council (PCI SCC), created by major card brands including AmEx, Visa, MasterCard, Discover and JCB. Both payments brands and merchant acquirers are responsible for enforcing PCI DSS standards.
This document library from PCI SCC is regularly updated, and includes a framework for specifications, tools, measurement and resources to safeguard customer card data.
4. Sarbanes-Oxley (SOX)
The SOX Act of 2002 allows the US government to audit publicly traded companies that are subject to securities laws, establish rules for audit reports, and examine the practices of CPAs and others involved in enforcing organizations’ compliance with this rule (to combat accounting fraud). The Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) are responsible for enforcing SOX.
In addition to the financial side of these regulations, IT teams need to take notice of how documents are stored and retained at an organization (for example, there is a seven-year retention period for audit work documents). There’s also strict guidance around record-keeping, including the destruction and falsification of records. Specific types of business records need to be stored, including electronic communications.
5. The Financial Conduct Authority (FCA)
With the goal of making financial markets more honest, fair and effective, the FCA is a UK entity that focuses on regulating the conduct of 58,000 financial services businesses, as defined by the Financial Services and Markets Act of 2000. The FCA also serves as a prudential regulator for more than 18,000 of these businesses (with the objective of promoting the safety and soundness of the firms it regulates).
According to the organization’s website, the overall operational objectives of the FCA are:
- Protecting consumers: The FCA acts to monitor and supervise FinServs, to ensure they’re in compliance with the organization’s standards for consumer protection.
- Protecting financial markets: The UK financial services sector employs over 2.2 million people and contributes £65.6bn in tax to the UK economy, so a goal is to keep these markets operating well.
- Promoting competition: The organization enforces both consumer protections and guards against breaches in competition law by financial services firms.
The FCA is an independent public body funded by fees charged to financial services firms, and is accountable to the UK Treasury and Parliament. Other key stakeholders include consumer groups, trade associations and professional bodies, domestic regulators and EU legislators.
6. The EU General Data Protection Regulation (GDPR)
EU GDPR rules go into effect on May 25, 2018, and have been the subject of much analysis within the last year. In brief, organizations need to be clearer about providing consumers with conditions to consent or opt out of sharing their personal data. These rights include (but aren’t limited to) notification within 72 hours of the organization becoming aware of a data breach, right to access personal data, and the right to be forgotten.
In addition, there are three key areas all organizations (including FinServs) need to consider for GDPR compliance:
Numerous new processes will be required, covering a wide range of areas. Examples include processes for collecting personal data, identifying sensitive data within databases, risk management assessments, monitoring data access, handling requests from individuals (data access, right to be forgotten, etc.), communicating with and responding to security incidents.
It goes without saying that people are at the center of implementing processes. Furthermore, extensive employee education will be required to comply with GDPR.
While the GDPR is much too broad to lend itself to compliance by just deploying some hardware and software, there are many technological solutions that will be critical to enabling the various processes, protection and people aspects.
The new rules are applicable to any organization that processes, stores or handles the data of EU residents (that means not just European companies!) It is a legislatively binding regulation that can carry fines for violations of up to 4 percent of annual global revenues or €20 Million (whichever is greater).
Insider Threat Compliance with Proofpoint
To comply with these regulations in the event of an insider threat incident, it’s critical that financial services organizations build a comprehensive insider threat program. Proofpoint can help -- visit our financial services resource page for more information.