Cybersecurity Regulations for Financial Services in 2024 and Beyond
Highlights:
- A roundup of cybersecurity challenges and regulations impacting financial services, including PCI DSS, NYDFS Part 500, GDPR, and PSD2.
- Upcoming compliance requirements for financial institutions, including new amendments for reporting and access control
- The consequences of non-compliance, such as fines and reputational damage
- How to achieve regulatory compliance with Identity Assurance
Michael Soohoo, Compliance Analyst, HYPR
13 Min. Read | October 14, 2024
Financial services is one of the most targeted industries in the world for cyberattacks, suffering nearly 20% of all attacks in 2023. This is understandable given the high value of a successful attack and the fact that, despite claimed security improvements, attacks still succeed at a high rate: 84% of finance organizations hit by a cyberattack went on to experience at least one breach.
Data breaches don't just affect the institution that's compromised but also affect confidence in the sector as a whole. The International Monetary Fund has highlighted the significant threat that weak financial services cybersecurity poses to the industry and the world. Potential outcomes range from a loss of confidence in financial services to widespread economic instability.
That's why global cybersecurity regulations have been ramped up over recent years, as they strengthen the security posture of individual firms and the industry overall. Here we'll look at the most important financial services cybersecurity regulations for 2024 and beyond.
New York — NYDFS Part 500
One of the most important US cybersecurity regulations is the New York Department of Financial Services Cybersecurity Regulation, 23 NYCRR Part 500. In force since March 2017, it applies to any entity operating under a license, registration, charter or similar authorization under New York's Banking Law, Insurance Law or Financial Services Law, which covers a large share of the US financial sector, not only firms headquartered in New York.
It requires firms to implement a cybersecurity policy over data governance, access controls and consumer privacy. It also obligates the introduction of more robust security methods, such as the deployment of multi-factor authentication for protecting non-public information, according to the NYDFS MFA requirements.
In November 2023, NYDFS adopted a second amendment to Part 500 that requires covered entities to:
- implement access and privilege management
- institute quarterly reporting to the board by the CISO
- increase the scope of incident reporting to include cybersecurity events such as ransomware
- administer annual risk assessments
- conduct annual cybersecurity awareness training that focuses on ransomware and social engineering
- conduct vulnerability management that includes annual penetration testing
The amendment also phases in broader multi-factor authentication (MFA) requirements: by November 2024, MFA is mandatory for remote access and for privileged accounts.
Upcoming Compliance Requirements
By May 1, 2025, covered entities must conduct automated scans of their information systems to identify vulnerabilities, plus manual review of any systems the automated scans do not cover. Access privileges must also be kept under review: each user's access to nonpublic information is limited to what their role requires, and accounts that are no longer needed are removed.
By November 1, 2025, covered entities must develop and maintain a complete asset inventory of their information systems that records key attributes for each asset (owner, location, classification, support expiration date, recovery time objective), with documented policies for keeping the inventory current and procedures for disposing of nonpublic information. The same date brings the amended rule's broadest authentication requirement into force: MFA for any individual accessing any of the covered entity's information systems, not only remote and privileged access.
Pro tip: Consider implementing passwordless, phishing-resistant MFA, based on FIDO standards, to ensure that only cryptographically verified identities can access sensitive financial systems and prevent phishing attacks. These technologies can help companies improve compliance with stringent and evolving regulatory requirements such as NYDFS Part 500.
US — Gramm-Leach-Bliley Act (GLBA)
The GLBA's Privacy of Consumer Financial Information Rule governs the nonpublic personal information (NPI) a company collects when offering or providing a financial product or service, and its Safeguards Rule (enforced by the FTC for non-bank institutions, see below) requires a written security program to protect that data. Penalties for non-compliance can reach $100,000 per violation for the institution, $10,000 per violation for officers and directors, and up to five years in prison.
US — Sarbanes-Oxley (SOX)
The original Sarbanes-Oxley Act was instrumental in codifying the disclosures companies must make to current or potential investors, as well as the penalties that are due for breaches (with executives being directly on the line for up to $1 million and ten years in prison).
Its relevance to cybersecurity comes mainly through Sections 302 and 404, which make executives personally accountable for internal controls over financial reporting; auditors treat the IT general controls behind those systems, including user access management, authentication and change management, as in scope. In addition, the SEC's cybersecurity disclosure rules adopted in July 2023 require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality, and to describe their cyber risk management, strategy and governance in annual reports.
Pro tip: Ensure secure employee identity proofing during onboarding by combining background checks with strong authentication based on cryptographic protocols and biometric validation, supporting Know Your Employee (KYE) practices.
US — FFIEC Standards
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that sets standards for all federally supervised financial institutions, including their subsidiaries. FFIEC guidance includes direction on effective authentication and access risk management practices. The FFIEC authentication standards emphasize multi-factor authentication (MFA) as a critical security control against financial loss and data compromise, similar to the PSD2 Strong Customer Authentication mandate.
The guidance references NIST SP 1800-17 (Multifactor Authentication for E-Commerce) and SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), which respectively provide a FIDO-based MFA reference implementation and the authenticator assurance levels that passwordless, phishing-resistant MFA is measured against. In August 2024, the FFIEC announced that it will sunset its Cybersecurity Assessment Tool on August 31, 2025, and asked financial institutions to refer directly to relevant government resources, including the NIST Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals.
US — FTC Safeguards Rule
The FTC Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, auto dealers and payday lenders, to implement a comprehensive security program to keep their customers' information safe. Several new provisions of the rule took effect in June 2023. Among them is a mandate for multi-factor authentication for any individual accessing any information system that holds customer information. Note that this covers MFA for desktop and server access, not just applications.
US — NIST Cybersecurity Framework 2.0
The NIST Cybersecurity Framework (NIST CSF) was designed as a guide for organizations of every industry and size to manage cybersecurity risk. The newest version, CSF 2.0, released in February 2024, adds a sixth function, Govern, alongside Identify, Protect, Detect, Respond and Recover; expands the framework's stated audience beyond critical infrastructure to all organizations; and provides searchable implementation examples and informative references that map its outcomes to specific controls and standards so security leaders can make better-informed decisions.
The framework is particularly relevant for financial organizations, which rely heavily on SaaS and cloud services and hold large volumes of sensitive data that they must protect from breaches, attacks and operational failures.
Pro tip: Implement continuous authentication to validate user identity in real-time, ensuring security throughout the entire session. This type of adaptive authentication defends against risks related to stolen credentials and unauthorized access.
US — Executive Order on Critical Infrastructure Cybersecurity
Signed in 2013, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed federal agencies to work with the private sector to strengthen security in critical sectors such as water, electricity and healthcare, and tasked NIST with developing what became the Cybersecurity Framework. Financial services has been a designated critical infrastructure sector since well before that: it is one of the 16 sectors under Presidential Policy Directive 21, issued the same day as the order, with the Treasury Department as its sector lead. During the COVID-19 pandemic, CISA's essential critical infrastructure workforce guidance confirmed financial services workers as essential to maintaining the nation's economic stability.
Organizations are encouraged to use the NIST CSF framework to align their cybersecurity risk with a strategic plan of defense. This includes information sharing, developing incident response and recovery plans, and strengthening cybersecurity resilience through measures such as MFA and threat detection.
The mandates for 2024 and 2025 come from National Security Memorandum 22 on Critical Infrastructure Security and Resilience (April 2024), which replaces PPD-21. It requires each sector to have a risk management plan tailored to its specific risks, strengthens intelligence and threat sharing, and confirms which federal agency is responsible for each sector (for example, the Department of Energy for the energy sector and the Treasury Department for financial services). It also directs the federal government to establish minimum security and resilience requirements and a risk-based approach across critical infrastructure.
California — California Consumer Privacy Act (CCPA)
Introduced to protect the privacy rights of Californians, the CCPA (as amended by the CPRA, in effect since January 2023) applies to any for-profit business that collects Californians' personal information and meets at least one of the following thresholds:
- Annual gross revenue above $25 million (the figure is adjusted for inflation every two years)
- Buys, sells or shares the personal information of 100,000 or more consumers or households per year
- Derives 50% or more of its annual revenue from selling or sharing consumers' personal information
Administrative fines are up to $2,500 per unintentional violation and $7,500 per intentional violation (or per violation involving a minor's data). Separately, the CCPA's private right of action lets consumers recover $100 to $750 per consumer per incident, or actual damages if greater, when a data breach results from a failure to implement reasonable security, so a large breach can produce very large aggregate liability.
EU — Payment Services Directive 2 (PSD2)
PSD2, the second Payment Services Directive, was introduced to open up payment data sharing between banks and licensed third-party providers through regulated interfaces while making payment systems safer. Its regulatory technical standards set specific requirements for strong customer authentication (SCA): at least two independent factors from knowledge, possession and inherence, with the authentication dynamically linked to the amount and payee of a transaction.
The SCA requirement applies to electronic payments where both the payer's and the payee's payment service providers are in the EEA, and PSPs must apply it on a best-efforts basis for transactions with one leg outside the EEA. This places clear authentication obligations on financial services firms, including firms outside the EU that serve EU customers.
An updated package, PSD3 together with a new Payment Services Regulation (PSR), is currently in the EU legislative process. It will introduce significant changes for banks, non-bank payment service providers (PSPs) and consumers, including revised Strong Customer Authentication (SCA) rules and stricter rules around data access, payment protection and user authentication. At the time of writing, the final text is expected in late 2024, with application from around 2026.
EU — NIS2 Directive
NIS2, the second Network and Information Security Directive, is an EU directive designed to raise cybersecurity baselines across many sectors. It entered into force in January 2023, and member states had until October 17, 2024 to transpose it into national law. NIS2 expands on the original NIS Directive by widening its scope, imposing stricter requirements on security practices and incident reporting, and introducing stiffer penalties for non-compliance.
Under NIS2, entities in sectors like energy, finance, transport, healthcare and manufacturing must implement strong cybersecurity protocols. These include effective risk management, strong authentication and access protocols, real-time threat monitoring, and rigorous incident reporting standards.
Importantly, the directive's list of required risk-management measures explicitly includes the use of multi-factor authentication or continuous authentication solutions (Article 21(2)(j)). NIS2 names banking and financial market infrastructures among its sectors, so it affects not only major financial institutions but also smaller financial entities, payment services and digital wallets. For entities that DORA covers, however, DORA's sector-specific requirements take precedence over the corresponding NIS2 provisions.
EU — Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, was adopted in December 2022 in response to the growing number of cyberattacks and ICT-driven operational disruptions in the financial sector. It applies from January 17, 2025 to financial entities in the European Union (banks, insurers, investment firms, payment institutions and crypto-asset service providers, among others) and to the critical ICT third-party providers that serve them.
It sets requirements for ICT risk management, including authentication and access control for Information and Communication Technology (ICT) systems, together with ICT incident reporting, digital operational resilience testing and management of ICT third-party risk, an area of growing exposure as the industry outsources services that handle sensitive data. DORA is aimed at preventing unauthorized access to this data by malicious actors that could lead to data breaches, security incidents and operational disruptions.
EU — General Data Protection Regulation (GDPR)
Any company processing the personal data of people in the European Union is subject to the GDPR, wherever it is based. The regulation determines how personal data may be used and protected and how consent must be obtained for collecting it. It also requires timely reporting of personal data breaches: to the supervisory authority within 72 hours of becoming aware of the breach and, where the breach poses a high risk to individuals, to the affected individuals without undue delay.
For financial services cybersecurity, adhering to GDPR is essential. Failure to do so can lead to fines of up to €20 million or 4% of global annual turnover, whichever is higher. The largest fine to date is the €1.2 billion penalty imposed on Meta in May 2023, followed by the €746 million (about $888 million) fine against Amazon in 2021.
UK — Data Protection Act
After the UK left the EU, it retained the GDPR in domestic law as the UK GDPR, which operates alongside the Data Protection Act 2018. It is substantially the same as the EU GDPR, amended to refer to UK law and authorities, and carries the same requirements around data safety, consent and breach reporting, with fines of up to £17.5 million or 4% of global annual turnover.
Global - Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS applies to every organization that stores, processes or transmits cardholder data from the major card brands, including merchants, processors, acquirers, issuers and service providers. To achieve compliance, financial services cybersecurity programs must meet several obligations, such as protecting cardholder data, encrypting it in storage and in transit, and authenticating access to all system components. Breaches of the PCI DSS may result in fines and restrictions on accepting major card brands.
The latest version, PCI DSS 4.0 (revised as 4.0.1 in June 2024), tightens the authentication requirements for both passwords and MFA. Passwords now have stricter specifications (for example, a minimum length of 12 characters, and rotation at least every 90 days where a password is the only factor, unless the account's security posture is analyzed dynamically). MFA (requirement 8.4.2, mandatory from March 31, 2025) now extends beyond administrators to all access into the cardholder data environment (CDE), covering cloud and hosted systems, on-premises applications, network security devices, workstations, servers and endpoints.
Pro tip: Meet requirement 8.3.3, which mandates that a user's identity is verified before any authentication factor is modified, by using automated, high-assurance identity verification when resetting credentials or authentication factors. This closes off attacks that target the reset process itself, such as help-desk social engineering.
Singapore — Monetary Authority of Singapore Notices on Cyber Hygiene
The Monetary Authority of Singapore (MAS) regulates financial institutions in the banking, capital markets, insurance and payments sectors. The MAS has issued a collection of notices on cyber hygiene, which are a set of legally binding requirements that financial institutions must take to mitigate the growing risk of cyberthreats.
The cyber hygiene notices cover six key areas, which include securing administrative account access, regular vulnerability patching and mitigation controls for systems that cannot be patched, written and regularly tested security standards, perimeter defense systems, malware protection and multi-factor authentication for any system used to access critical information.
Other — Various U.S. State Biometric Laws
Multiple U.S. states have biometric privacy laws — such as the Illinois Biometric Information Privacy Act (BIPA) — that affect any company doing business with a resident of that state. These laws regulate collection and storage of biometric information, such as face scans, fingerprints, or voiceprints. The statutes point out that biometric identifiers are different from other types of sensitive information as they are biologically unique to the individual, and cannot be changed once compromised.
Consequences of Non-Compliance with Financial Cybersecurity Regulations
When businesses fail to comply with these financial cybersecurity regulations, they are subject to monetary penalties, increased regulatory scrutiny and a higher risk of cybersecurity incidents. For example, NYDFS can impose penalties of up to $250,000 per day for ongoing violations. These penalties, and the security incidents behind them, also erode customer trust and brand value. In 2022, Uber's stock went down by 5% after its third data breach in three months.
Along with operational disruption and loss of revenue, cybersecurity incidents may result in legal action months or even years after the incident, as with the class actions filed by consumers and businesses after the 2023 MOVEit Transfer breaches and the June 2024 CDK Global ransomware attack.
Achieve Regulatory Compliance with Identity Assurance
The financial services sector is at high risk of cyberattacks due to the value of successful data breaches or account takeover attacks. To combat this, state, national and supranational governments and industry groups have introduced several financial services cybersecurity regulations to ensure best practice is deployed throughout the industry.
A common thread throughout much of the financial services cybersecurity regulations worldwide is the protection of data and stronger identity security systems. Financial services organizations globally, including two of the top four banks, rely on HYPR to secure their systems and achieve regulatory compliance.
HYPR combines FIDO2 passwordless MFA, continuous adaptive risk response and automated identity verification to secure finance organizations while improving user experience. Learn more about HYPR’s security certifications and how our identity assurance platform helps you comply with financial cybersecurity regulations worldwide.
Key Takeaways:
- Updates To Cybersecurity Regulations: Regulations are becoming more stringent across various frameworks, requiring frequent audits, vulnerability scans, and comprehensive asset inventories to improve cybersecurity and compliance.
- A Global Focus on Financial Cybersecurity: Regulations like GDPR, PSD2, PCI DSS 4.0, and the new EU DORA focus on data protection, strong authentication and cyber resilience.
- Consequences of Non-Compliance: Non-compliance with financial cybersecurity regulations can result in severe monetary penalties, reputational damage and legal action.