The Complete Guide to Financial Services Cybersecurity Requirements (2024)


  • Introduction
  • The Financial Services Sector Cybersecurity Profile
  • Assessing Against the FSSCC Profile
  • NYDFS Cybersecurity Regulations
  • FFIEC Cybersecurity Compliance Explained
  • SOX Cybersecurity Compliance

Introduction

In Pursuit of Harmonization

Historically and to this day, the financial services sector has been a leader in cybersecurity. As the adage goes: why do people rob banks? That's where the money is. As a result, the financial services sector pioneered the idea of a Chief Information Security Officer and to this day is a leader in cybersecurity as well as one of the most heavily regulated industries as it relates to cybersecurity and risk management.

Over the years, as countries and regions began to increase regulation to ensure that their economy was protected, financial services organizations were barraged with a slew of regulations that they had and still have to meet to ensure they can operate in the markets they serve.

The result is time spent (arguably wasted) on demonstrating compliance with frameworks that are all relatively similar in nature. This duplication of effort has left financial services risk and compliance teams overburdened with compliance work rather than focused on mitigating the risks unique to their organization.

We will be diving into the most common frameworks and how financial services organizations can work to harmonize these frameworks, increase efficiency, and focus on the risks that matter.

Dive deeper into an overview of financial services' cybersecurity.

The Financial Services Sector Cybersecurity Profile

The Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile is one of the critical pieces of information used for proving compliance across the host of standards required of financial institutions of all types, financial services companies, financial firms, and their third-party providers. In 2018, a survey showed that CISOs in the financial services sector spent 40% of their time, and their teams' time, reconciling various cybersecurity and regulatory frameworks instead of focusing on cybersecurity needs. This time was spent because each regulation has its own standards for institutions to follow in their cybersecurity initiatives, resulting in a segmented approach to compliance with the various regulatory standards. As such, the Financial Services Sector Coordinating Council developed the Financial Services Sector Cybersecurity Profile to unify CISOs' and practitioners' efforts to maintain and improve their compliance activity.

Read more about the Financial Services Sector Cybersecurity Profile.

Learn more about the FSSCC Profile with our expert webinar.

Assessing Against the FSSCC Profile

The Financial Sector Cybersecurity Framework Profile was developed by the Financial Services Sector Coordinating Council (FSSCC) as a means to harmonize the plethora of cybersecurity regulations and standards that members of the financial sector must comply with. According to the FSSCC, over 80% of the supervisory instructions in financial services regulations had a similar focus but used different language or had marginally different compliance requirements. The Profile was developed as a means to streamline compliance with those various regulatory requirements, much like the NIST Cybersecurity Framework has emerged as a means for organizations in any industry to build their cybersecurity programs on. NIST has hailed the Profile as a natural extension of the CSF, tailored specifically for financial institutions, going so far as to add two new functions to NIST's five: Governance and Supply/Dependency Management.

Institutions of all types can use it internally, and externally with vendors, as a means to benchmark cybersecurity posture. As you and your organization consider whether to adopt the Profile to increase efficiency, we've assembled three Do's and Don'ts for adopting the Profile.

Read the Do's and Don'ts of conducting an FSSCC Profile assessment.

NYDFS Cybersecurity Regulations

Compliance with New York's 23 NYCRR Part 500 can be a daunting lift, especially for those who haven't started to remediate, and even for those who have achieved compliance but aren't sure how to prove it continuously without taking time, effort, and resources away from existing projects.

Governor Cuomo announced that the regulation was the "first in the nation" to protect both consumers and financial institutions. "The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services" to put in place a continuously maintained cybersecurity program. The program is meant to protect the consumers each financial institution serves and to secure New York State's financial services industry this year and beyond as cyber vulnerabilities evolve. The regulation covers everything from appointing a Chief Information Security Officer to implementing two-factor or multi-factor authentication (2FA or MFA). In short, the regulation is extensive.

According to the New York DFS, "This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers."

Read more about 23 NYCRR 500.

FFIEC Cybersecurity Compliance Explained

The Federal Financial Institutions Examination Council (FFIEC) is the federal body responsible for enforcing and regulating financial institutions' standards and protections. Established in 1979 and composed of five separate FFIEC member agencies, it acts today as the framework for banking institutions and financial services. Compliance with the FFIEC is determined by an organization's cybersecurity maturity levels and posture. In 2005, during the introduction of online banking, the FFIEC developed a cybersecurity framework for banking institutions to follow when handling sensitive banking information online, and an FFIEC Cybersecurity Assessment Tool (CAT) to standardize compliance efforts and help institutions identify their risks.

Read more about the FFIEC Cybersecurity regulation.

SOX Cybersecurity Compliance

In 2002, sweeping regulation of the financial industry was enacted to set a standard for financial practices and corporate governance. The legislation was developed by Senator Paul Sarbanes and Representative Michael Oxley, was named Sarbanes-Oxley after its two creators, and is commonly shortened to SOX. It seeks to protect business stakeholders by improving the accuracy of corporate disclosures and preventing fraud. Where it touches cybersecurity, SOX shares many common traits with the NIST Cybersecurity Framework, and using NIST controls can satisfy the compliance requirements in SOX.

SOX applies to all public companies in the United States, including subsidiaries and foreign companies that are publicly traded in the United States. SOX is very specific to the scope and functions of an organization and focuses on internal controls. As it relates to cyber, using the NIST CSF can meet SOX cybersecurity compliance by tracking certain key attributes.

Read more about how to use the NIST CSF to achieve SOX Cybersecurity compliance.

As a seasoned cybersecurity expert with extensive experience in the financial services sector, I've been at the forefront of navigating the complex landscape of regulations and frameworks that govern the industry. My expertise lies not only in understanding the theoretical aspects of cybersecurity but also in practical implementation and compliance management.

Let's delve into the key concepts mentioned in the provided article:

1. Financial Services Sector Cybersecurity Profile (FSSCC Profile)

The Financial Services Sector Cybersecurity Profile is a pivotal component used for demonstrating compliance across various standards within the financial services industry. Introduced by the Financial Services Sector Coordinating Council (FSSCC), it aims to harmonize cybersecurity regulations and standards that financial institutions must adhere to. The Profile streamlines compliance efforts, allowing organizations to focus on cybersecurity needs rather than navigating disparate regulatory frameworks.

2. Assessing Against the FSSCC Profile

Assessing against the FSSCC Profile involves evaluating an organization's cybersecurity measures against the standards set by the Financial Sector Cybersecurity Framework Profile. This framework was developed to unify and streamline compliance with diverse regulatory requirements within the financial sector. The FSSCC Profile is considered an extension of the NIST Cybersecurity Framework, tailored specifically for financial institutions. It provides a benchmark for cybersecurity posture, enhancing efficiency in compliance activities.

3. NYDFS Cybersecurity Regulations

New York Department of Financial Services (NYDFS) introduced cybersecurity regulations under 23 NYCRR part 500. These regulations are designed to ensure that banks, insurance companies, and other financial institutions regulated by NYDFS maintain a continuously updated and robust cybersecurity program. Compliance with these regulations involves various measures, including appointing a Chief Information Security Officer and implementing multi-factor authentication. The regulations aim to protect consumers and secure the financial services industry in New York State from evolving cyber vulnerabilities.

4. FFIEC Cybersecurity Compliance

The Federal Financial Institutions Examination Council (FFIEC) serves as the regulatory body responsible for enforcing standards and protections in financial institutions. The FFIEC Cybersecurity Assessment Tool (CAT) was introduced to standardize compliance efforts and help institutions identify their cybersecurity risks. Compliance with FFIEC is determined based on an organization's cybersecurity maturity levels and posture.

5. SOX Cybersecurity Compliance

The Sarbanes-Oxley Act of 2002 (SOX) sets standards for financial practices and corporate governance to enhance the accuracy of corporate disclosures and prevent fraud. SOX cybersecurity compliance focuses on internal controls within organizations. The NIST Cybersecurity Framework aligns well with SOX requirements, and using NIST controls can contribute to satisfying the compliance requirements outlined in SOX.

In conclusion, the financial services sector faces a complex regulatory landscape, and understanding and effectively implementing these frameworks is crucial for ensuring robust cybersecurity practices and compliance.
