The financial services industry has historically been one of the most targeted industries for cyberattacks, and it’s not difficult to imagine why. Roughly 95% of attacks are financially motivated, and hackers are going directly to the source by targeting the financial services sector. Not only do these financial institutions have direct access to cash, they also tend to be high-revenue businesses that can’t afford to be disrupted or take a reputational hit, so they’re more likely to pay a ransom.
Because financial institutions tend to be the target of aggressive cyberattacks, they are also among the most highly regulated industries both in the U.S. and abroad. Many government agencies have influence over the finance industry and have recently begun including more robust cybersecurity requirements in their regulations.
With so many directives coming from so many sources, it can be difficult to know where to begin. So we’ve compiled a list of all the major requirements U.S. financial institutions must comply with in 2024, as well as an overview of what each entails.
Mandatory: Yes
To whom it applies: All public companies
In July of 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules related to the disclosure of security incidents. The covered entities currently include all public companies conducting business in the United States, but the Commission has a history of investigating data breaches at privately held companies as well. So all financial institutions should be prepared to comply.
The rules essentially cover two main areas: 1] the rapid disclosure of material breaches, and 2] the annual disclosure of a company’s cybersecurity risk management, strategy, and governance.
As for the disclosure of breaches, the rule essentially states that public companies must disclose material cybersecurity incidents (on Form 8-K) within four business days after they determine the incident is material. (Note: that doesn’t necessarily mean they need to disclose the incident within four days of it occurring. They need to report it within four business days of determining that the incident was material.) In the disclosures, financial institutions need to describe the nature, scope, and timing of the incident as well as the material (or reasonably likely material) impact of the incident on the company.
The rules also call for the annual reporting, on Form 10-K, of a company’s cybersecurity risk management, strategy, and governance (if they exist), management’s role in assessing and managing cybersecurity risks, and the board of directors’ oversight of cybersecurity risks. The rules don’t dictate what a security program should look like or which security tools and processes a company needs to follow. They simply relate to disclosing whatever security practices are in place.
Mandatory: Yes
To whom it applies: All U.S. organizations selling financial products or services, including those that offer financial loans, financial or investment advice, or sell insurance.
The Gramm–Leach–Bliley Act (GLBA) is a U.S. federal law requiring financial institutions to establish security controls to protect customer data and explain how they collect, secure, store, and share customers’ nonpublic personal information (NPI). NPI can include anything from customer names, phone numbers, and addresses to Social Security numbers, credit or bank account numbers, income, and more.
GLBA comprises three rules: Financial Privacy, Safeguards, and Pretexting Provisions.
Mandatory: Yes and no. This standard is not federally mandated, but it is mandated by a council made up of the major credit card companies. Non-compliance could result in the inability to use or accept major credit card brands. Also, many states have individually mandated compliance with PCI DSS.
To whom it applies: All organizations that receive or process customer credit card information.
The Payment Card Industry (PCI) Data Security Standards (DSS), or PCI DSS, is a set of standards aimed at reducing credit card fraud and securing sensitive cardholder data as it’s being processed, stored, and transferred. There are several requirements financial services (and other) companies must meet, including, but not limited to:
The standard is updated semi-regularly; its most current version is 4.0.1, which was released this year but adds or removes no requirements relative to version 4.0, released in 2022.
Mandatory: Yes
To whom it applies: All federally supervised financial institutions, their holding companies, and their subsidiaries.
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body composed of regulators from the FDIC, CFPB, NCUA, Federal Reserve, and OCC. Together, they have assembled guidelines on risk management, information security, effective authentication, threat intelligence, cybersecurity controls, and more.
The guidance is broken down into 10 booklets which address:
Mandatory: Yes
To whom it applies: EU companies and any U.S. company that offers financial services in the EU or provides third-party services to EU financial services companies.
The Digital Operational Resilience Act (DORA) is an EU regulation that provides oversight of information and communications technology (ICT), and all covered companies must be compliant before January 17, 2025. The requirements are meant to enhance the security and operational resilience of financial institutions and ICT providers. DORA includes rules for:
Even companies that do not conduct business within the EU or provide services to EU financial services companies should take notice. EU regulations often influence laws and regulations in the U.S., so conventions like those laid out in DORA may soon appear in the States. This may also be wide-sweeping enough that, as was the case with GDPR, it makes sense to adhere to this standard across the entire organization rather than just for EU-facing departments.
Mandatory: Yes
To whom it applies: All public companies and U.S. accounting firms
The Sarbanes-Oxley (SOX) Act was established in 2002 to create more transparency in financial reporting. It mandates certain practices in financial record keeping and reporting for all publicly held U.S. companies. The act has been expanded to include cybersecurity controls to limit the chance of a breach that could disrupt financial transactions.
SOX requirements related to cybersecurity include, but are not limited to:
Mandatory: Yes
To whom it applies: GDPR applies to all EU businesses or any global business with customers in the EU. CCPA applies to any for-profit businesses that conduct business in California.
Much like SOX, the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are not specific to the finance industry, but they do apply to financial institutions. Both regulations address protecting consumer data and ensuring consumers have control over their personal data.
The two sets of requirements are very similar and essentially state that consumers have the right to know what personal information a business has collected about them and how that information is protected, used, and shared. Businesses also need to make it easy for customers to request that their personal information be deleted. CCPA was recently updated to include language around customers’ rights to correct inaccurate personal information a business has on them and limit the use and disclosure of sensitive personal information collected about them.
When it comes to ensuring that businesses have properly protected consumer data, the guidelines state that encryption should be used whenever possible. Businesses also need to create an internal security policy and designate someone who is responsible for compliance.
Mandatory: Yes
To whom it applies: Any firm operating in New York under the state’s banking, insurance, or financial services laws.
The New York Department of Financial Services (NYDFS) cybersecurity regulation mandates that insurance companies, banks, and other financial institutions operating in the state of New York establish a robust cybersecurity plan, maintain a risk management strategy, and continuously assess their cyber risk profile. Given that New York is a major hub of financial activity, this regulation is likely to apply to many financial services organizations.
Requirements include, but are not limited to:
The requirements also state that the security program must be adequately funded, overseen by a Chief Information Security Officer (CISO) or third-party service provider, and implemented by qualified cybersecurity personnel. Businesses must file for certification of compliance annually.
The fact that financial institutions need to comply with so many cybersecurity regulations, and that each one of those regulations has its own set of requirements, can feel overwhelming. But rather than looking at each regulation on its own, companies should look at things more holistically.
Most financial institutions need a comprehensive cybersecurity program focused on protecting customer data from a breach with proactive prevention, monitoring, detection, and response strategies. From there, they can report on data protection initiatives to customers and security events to regulating bodies.
If your company doesn’t have a large in-house security team that can manage all these security controls, a managed services partner can go a long way toward keeping it compliant with local, national, and global requirements, while also providing a comprehensive cyber resiliency strategy that maintains that compliance over time.
SolCyber is the first-of-its-kind outsourced security program partner. With our 24/7 detection and response services and Foundational Coverage, businesses in the financial services sector can become compliant in weeks with every regulation listed above.
We conduct an in-depth risk assessment to identify gaps in your security posture and any roadblocks on the way to compliance. We then work with your team to implement a cybersecurity strategy that includes detection and response capabilities, incident response plans, and ongoing program maintenance.
If you need help implementing a compliant cybersecurity strategy, contact the experts at SolCyber today.