Cybersecurity for Financial Services: Best Practices
The financial services industry is highly regulated and highly susceptible to cyberattacks by threat actors. Data breaches have grown larger, more frequent, and more expensive over time and the financial services industry has struggled to keep up with attacks. Financial institutions can spend an enormous amount of their revenue on their IT infrastructure. According to Deloitte, in 2020 financial services organizations spent an average of 10% of their IT budget on security.
Financial institutions must protect their organizations and clients from cyber threats like ransomware, malware, social engineering attacks, and other common cyber threats. The average cost per breach is $3.92 million. Clients’ personal identifiable information (PII) can be leaked including:
- Home Address
- Social Security numbers
- Banking Information
- Phone Numbers
- Email Address
Cybersecurity weighs heavily on financial services executives as they are 300x more likely to be the target of a cyberattack according to Boston Consulting Group. Banks, credit unions, credit card companies, and investment firms are at an increased cyber risk and must take the following steps to protect their organizations.
Establish a Cybersecurity Policy.
The first step is to create a written cybersecurity policy. This must be authorized by the governing body of your firm and must clearly demonstrate how you secure personal identifiable information, personal health information, and secret business information. It is also necessary to create written guidelines that outline secure practices for the use of apps.
Your cybersecurity policy should fulfill six key objectives:
- Identify and analyze internal and external cybersecurity threats that might jeopardize the security or integrity of nonpublic data kept on your IT systems.
- To defend your information systems against unauthorized access, usage, or other harmful activities, employ defensive infrastructure and the execution of rules and procedures.
- Detect cyber-attacks quickly.
- Respond to cybersecurity incidents that have been recognized or detected in order to minimize any harmful consequences.
- Recover from cyber-attacks and go back to normal operations and services.
- Comply with all regulatory reporting requirements.
Financial systems should implement two-factor authentication, as a rule, to protect against the dangers of the digital world. Two-factor authentication requires devices and accounts to provide a second token before logging into secure platforms. This provides another layer of security for user accounts that may contain sensitive information.
Security Awareness Training
Your organization’s end users can be the weakest link in your security program. Financial Firm’s users should be trained and aware of how to respond to cyberattacks. Employees should receive training on phishing attacks, DDOS attacks, ransomware attacks, and other common attacks. Many common compliance requirements will enforce that employees receive end-user security training.
Perform Vulnerability Scanning
Vulnerability scans are performed by security experts to log into your network systems and create a map of your network. The vulnerability scan creates an inventory of any potential flaws and engineers summarize the findings after completion. Next, steps towards remediation are discussed with your c-suite and IT security team. Before performing a vulnerability scan your organization should ensure you have a strategy in place to mitigate performance and bandwidth difficulties. This is particularly true depending on the sort of vulnerability scan conducted, whether it be internal or external. In addition, vulnerability scans should be undertaken outside of regular business hours because of the possible impact on operations.
Perform Penetration Testing
Penetration testing can be useful when determining if your network has unknown vulnerabilities not found in a vulnerability scan. There are internal and external penetration tests and both serve to investigate potential flaws in your network security controls. Penetration testing can include a range of practices to simulate real-world attacks on a company’s IT and physical security controls. Penetration tests may also be expected by certain compliance requirements as they provide important threat intelligence for the financial services sector.
Financial Services Compliance Requirements
Financial services is one of the most heavily regulated industries in information security. At any given time, three or more regulations apply to financial organizations, and in some cases, it may be more. Below is a brief (but incomplete) overview of the topic regulations that your organization should be aware of. If you are concerned about cybersecurity compliance, contact us for a free consultation.
NYDFS Cybersecurity Regulation
The New York State Department of Financial Services propagated this regulation in 2017. The regulation is designed to ensure that financial institutions take cybersecurity seriously, and take basic steps to protect the financial data of consumers. NYDFS requires that organizations:
- Appoint a Chief Information Security Officer
- Maintain a Firewall Configuration
- Build a Competent Cybersecurity Program
- Perform an Annual Penetration Test
- Perform a Risk Assessment
The NYDFS Cybersecurity Regulation is broadly aligned with the NIST Cybersecurity Framework which can serve as the backbone for a competent cybersecurity program. NYDFS can apply to many financial institutions, including that outside of New York state.
GLBA (Graham-Leach Bliley)
GLBA is a federal law that broadly requires financial institutions to implement information security practices to protect consumer financial information. GLBA defines financial institutions very broadly and includes any organization that is “significantly engaged” in “financial activities”.
Depending on legal interpretations, GLBA may apply to many organizations that wouldn’t traditionally consider themselves a financial institution. The law mandates that the FTC and FCC establish information security standards for banking. These were published in 2002 and 2003 and are known as SEC Safeguard Rule, and FTC Safeguard Rule.
SOC2 is not required for financial services organizations. However, many third parties may require SOC2 compliance in order to create a contract. SOC2 compliance is meant to ensure the safety and security of your client’s data with five principles. SOC2 compliance certification is given from an outside agency through a technical audit of your organization’s systems.
Security: Protecting information and systems from unauthorized user access through firewalls, 2FA, physical security, and more.
Availability: This control ensures your company maintains a constant level of network performance and security while minimizing outside threats.
Processing Integrity: Processing integrity guarantees organization’s systems work as designed without errors, delays, or unauthorized access.
Confidentiality: Your information confidentiality ensures that data is protected by restricting its access to only authorized individuals.
Privacy: Personal information in the form of the name, social security number, address, as well as race, ethnicity, health information, and other sensitive information should be protected.
Many more compliance requirements apply to financial services firms than those listed. However, these should provide a good idea of just how much regulation applies to banking and other financial companies.
Final Thoughts on Cybersecurity for Banking Institutions
Financial firms are a popular target for cyberattacks and also fall under the most strict cybersecurity requirements and regulations. Because of this, financial institutions must be aware of the security risks they are vulnerable to and how to best protect themselves and their clients. If you are interested in learning more about how Touchstone Security can help you mitigate ransomware risk, become cybersecurity compliant, and build a robust cybersecurity program, request a free dark web san or contact us.