As cybersecurity threats become more sophisticated and pervasive, financial services organizations face mounting pressure to comply with an ever-changing landscape of regulations. Ensuring compliance is no small feat, especially as multiple agencies impose overlapping security requirements on the same organizations. This article explores the complexities of staying compliant with cybersecurity regulations in the financial services industry, offering insights into best practices and strategies for navigating this challenging environment.
The Rising Tide of Cybersecurity Regulations
Financial services organizations must navigate a complex web of regulations designed to protect sensitive information and ensure the integrity of financial systems. In November 2022, the New York Department of Financial Services (NYDFS) introduced revised regulations that demand stricter cybersecurity controls for financial entities, including banks, insurance companies, and investment firms. These regulations, known as Part 500, require covered entities to implement multifactor authentication (MFA) or equivalent secure access controls approved by the organization’s Chief Information Security Officer (CISO).
NYDFS Part 500: Stricter Controls and Accountability
Larry Burke, a member of CDW’s Global Security Strategy Office, highlights the stringent requirements of the NYDFS regulations. “As we go into 2025, covered entities will now need approved written cybersecurity policies and procedures, a designated CISO, a written incident response plan, encryption, periodic access reviews, and continuous monitoring or periodic penetration testing and vulnerability assessments,” Burke explains.
These measures are part of a broader effort to ensure that financial services organizations conduct periodic risk assessments of their information systems. The goal is to maintain a risk-based approach while implementing explicit baseline cybersecurity controls to address weaknesses observed in prior cyber incidents. This balanced approach aims to elevate the overall security posture of the financial sector.
The Role of the Board in Cybersecurity Compliance
Accountability is a key element of the NYDFS regulations. CISOs must provide regular updates to their governing body or board of directors on the company’s cybersecurity posture and plans to address any security gaps. Kirk J. Nahra, partner and co-chair of the cybersecurity and privacy practice at law firm WilmerHale, emphasizes the importance of board involvement in cybersecurity. “The board needs to understand that its job is to evaluate major issues for a company, and a ransomware attack that shuts down the whole business is a major risk,” Nahra says.
Effective cybersecurity governance requires clear communication between IT leaders and the board. Boards must become more sophisticated about information security, ensuring that they can evaluate and oversee the company’s cybersecurity strategies effectively.
The Challenge of Multiple Regulators
The regulatory landscape for financial services is complicated by the presence of multiple regulators, each with its own set of requirements. For example, the Securities and Exchange Commission (SEC) recently updated its cybersecurity rules for broker-dealers and investment firms, mandating that organizations notify customers of a cybersecurity incident within 30 days. Additionally, public companies must report material cybersecurity incidents on a Form 8-K within four business days.
Meanwhile, the Department of Homeland Security (DHS) has called for comments on the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This act requires covered entities to report cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA).
Implementing Enterprise-Wide Governance
The increasing overlap of controls and requirements underscores the importance of strong, enterprise-wide governance, risk, and compliance programs. Burke notes, “The increasing amount of overlapping controls and requirements that affect the same set of companies heightens the benefits for organizations of all sizes to implement strong, enterprise-wide governance, risk, and compliance programs.”
By adopting a comprehensive governance framework, financial services organizations can better manage regulatory requirements, reduce duplicated effort across overlapping mandates, and ensure consistent implementation of security measures across the enterprise.
Best Practices for Tackling Cybersecurity Regulations
To navigate the complexities of cybersecurity regulations, financial services organizations should adopt several best practices:
Establishing Incident Response Plans
Incident response plans are critical for managing and mitigating the impact of cybersecurity breaches. These plans should outline the organization’s approach to handling a breach, including specific actions to be taken, roles and responsibilities, and communication strategies. Nahra emphasizes that some regulations dictate the contents of an incident response plan, making it essential for organizations to align their plans with regulatory requirements.
Annual Review and Approval of Cybersecurity Policies
The NYDFS mandates that cybersecurity policies be reviewed and approved annually. Previously, regulations focused more on processes and best practices, but the trend is shifting towards more prescriptive standards. By conducting annual reviews, organizations can ensure that their policies remain current and effective in addressing evolving threats.
Leveraging Zero-Trust Security Models
A zero-trust security model can significantly enhance an organization’s security posture. This approach assumes that no user or device should be trusted by default, regardless of network location, and requires continuous verification of every access request. Burke highlights the benefits of a mature zero-trust strategy, including limiting the damage if a breach occurs and providing granular control over access to sensitive information.
Conducting Regular Risk Assessments
Regular risk assessments are vital for identifying and addressing vulnerabilities in an organization’s security posture. The FTC’s Safeguards Rule, updated in 2021, requires financial institutions to implement an information security program that includes risk assessments. By conducting these assessments, organizations can proactively identify and mitigate risks, ensuring compliance with regulatory standards.
Adapting to New Regulatory Standards
As cybersecurity regulations continue to evolve, financial services organizations must remain agile and responsive. Nahra advises against blindly changing cybersecurity programs based on new regulations. Instead, organizations should evaluate whether they already meet the new standards or if adjustments are necessary. “I would look at any of these new standards — whether it’s a law, a regulation, a National Institute of Standards and Technology standard, a contract requirement, whatever it is — and I would say, ‘Do we do this? Should we do something instead of this?’” Nahra suggests.
Learning from Breaches
Cybersecurity regulations are often tested and refined in the wake of significant breaches. When a breach occurs, organizations should analyze the incident to understand its causes and determine what preventive measures could have been implemented. This learning process is crucial for continuous improvement and adaptation to new threats.
The Future of Cybersecurity Regulations in Financial Services
The future of cybersecurity regulations in financial services will likely involve increased coordination among regulators to harmonize standards and reduce inconsistencies. For example, the Federal Trade Commission (FTC) may adopt portions of NYDFS Part 500 in its Safeguards Rule, further aligning regulatory requirements across different agencies.
The Importance of Continuous Evolution
Cybersecurity is a constantly evolving field, requiring organizations to stay ahead of emerging threats and regulatory changes. Nahra emphasizes that security programs must continuously evolve to remain effective. “If you happen to be the one that has the breach, you should figure out what caused it, why it happened and whether you could have done something to prevent it. Then try to move on and improve,” Nahra says.
Conclusion
Navigating the evolving world of cybersecurity regulations in financial services is a complex but essential task. By adopting best practices such as establishing incident response plans, conducting regular risk assessments, leveraging zero-trust security models, and maintaining clear communication with the board, financial services organizations can ensure compliance and enhance their security posture. As regulations continue to evolve, organizations must remain agile and proactive, continuously improving their cybersecurity strategies to protect against emerging threats and ensure the integrity of the financial system.