Top 12 Financial Services Cybersecurity Regulations to Know in 2023
6 Min. Read | April 4, 2023
The financial services sector is one of the most targeted industries in the world for cyberattacks, suffering nearly 20% of all attacks in 2022. This is understandable given the high value of a successful attack and the fact that, despite supposed security improvements, attacks still succeed often enough to matter, with over eight million records breached in the sector in Q3 of 2022 alone.
Data breaches don't just affect the institution that's compromised but also affect confidence in the sector as a whole. The International Monetary Fund has highlighted the significant threat that weak financial services cybersecurity poses to the industry and the world. Potential outcomes range from a loss of confidence in financial services to widespread economic instability.
That's why global cybersecurity regulations have been ramped up over recent years, as they strengthen the security posture of individual firms and the industry overall. Here we'll look at the most important financial services cybersecurity regulations in 2023.
New York — NYDFS Part 500
One of the most important pieces of cybersecurity regulation in the US is the New York Department of Financial Services cybersecurity regulation, formally 23 NYCRR Part 500. It is a regulation rather than a bill, and it applies to every "Covered Entity": any person or firm operating under a licence, registration, charter or similar authorisation under New York's Banking, Insurance or Financial Services laws. Because so many banks, insurers and brokers are licensed in New York, that captures a large share of the US financial services industry, including firms headquartered elsewhere.
It requires covered entities to maintain a cybersecurity program and a written cybersecurity policy covering areas including data governance and classification, access controls and identity management, and customer data privacy, and to designate a CISO who reports to the board. It also mandates specific controls rather than leaving them to the firm's judgement: multi-factor authentication (MFA) for any individual accessing the entity's internal networks from an external network, encryption (or approved compensating controls) for non-public information in transit and at rest, and notification to the superintendent within 72 hours of a reportable cybersecurity event.
US — Sarbanes-Oxley (SOX)
The original Sarbanes-Oxley Act of 2002 codified the disclosures companies must make to current or potential investors and the penalties for false certification: under Section 906 an executive who knowingly certifies a non-compliant financial report faces up to $1 million in fines and ten years in prison (up to $5 million and twenty years if the certification is wilfully false).
SOX itself never mentions cybersecurity. Its relevance comes from Section 404, which requires publicly traded US companies and their wholly-owned subsidiaries to assess and attest to the effectiveness of internal controls over financial reporting. Auditors treat the IT general controls those systems depend on (access control, authentication, change management, backup) as part of that scope, so weak authentication on a system that feeds the financial statements is a SOX finding. SEC guidance since 2018 additionally expects registrants to disclose material cybersecurity risks and incidents to investors in a timely manner.
California — California Consumer Privacy Act (CCPA)
Introduced to protect the privacy rights of Californians, the CCPA (as amended by the California Privacy Rights Act, in force from 1 January 2023) applies to any for-profit business that collects personal information of California residents and meets at least one of the following thresholds:
- Has annual gross revenue of over $25 million
- Buys, sells or shares the personal information of 100,000 or more California consumers or households per year
- Derives 50% or more of its annual revenue from selling or sharing consumers' personal information
Administrative fines can reach $2,500 per unintentional violation and $7,500 per intentional violation. Separately, when a breach of non-encrypted, non-redacted personal information results from a failure to maintain reasonable security, affected consumers have a private right of action for statutory damages of $100 to $750 per consumer per incident, which is what turns a large breach into a large liability.
US — Gramm-Leach-Bliley Act (GLBA)
The GLBA has two rules that bear directly on financial services cybersecurity. The Privacy Rule governs non-public personal information (NPI) that a financial institution collects when providing, or offering to provide, a financial product or service, and how that information may be shared. The Safeguards Rule requires the institution to protect the same NPI with a written information security program; for non-bank institutions it is enforced by the FTC and is covered under the FTC Safeguards Rule below. Commonly cited penalties for non-compliance are up to $100,000 per violation for the institution, with personal fines and up to five years in prison for complicit officers and directors.
EU — General Data Protection Regulation (GDPR)
The GDPR applies to any organisation, wherever it is established, that processes the personal data of individuals in the European Union in the course of offering them goods or services or monitoring their behaviour. It is residence in the EU that matters, not citizenship. The regulation governs the lawful bases for processing, including when consent is required and how it must be obtained, requires security appropriate to the risk, and obliges controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and the affected individuals where the breach is likely to result in a high risk to them.
For financial services cybersecurity, adhering to the GDPR in 2023 is essential. Failure to do so can lead to fines of up to €20 million or 4% of global annual turnover, whichever is higher; the largest fine so far is the €746 million (about $888 million) imposed on Amazon by the Luxembourg regulator in 2021.
UK — Data Protection Act
After the UK left the EU, it retained the GDPR in domestic law as the "UK GDPR", which sits alongside the Data Protection Act 2018 (passed while the UK was still a member to supplement the EU regulation). Together they carry substantially the same requirements on data security, consent and 72-hour breach reporting as the EU GDPR, with amendments for the UK context and fines of up to £17.5 million or 4% of global annual turnover, enforced by the Information Commissioner's Office.
EU — Payment Services Directive 2 (PSD2)
PSD2 was introduced to open the EU payments market to licensed third-party providers (the basis of "open banking"), to improve consumer protection and to make payment systems safer. Its Regulatory Technical Standards set specific requirements for strong customer authentication (SCA): two independent factors from the categories knowledge, possession and inherence, with the authentication code for a remote payment dynamically linked to the amount and payee so that a code captured for one transaction cannot be reused for another.
The directive applies to payment service providers operating in the EU and EEA. SCA is mandatory where both the payer's and the payee's providers are in the EEA; for "one-leg-out" transactions, where one side is outside the EEA, the EEA provider must apply it on a best-efforts basis. This puts clear obligations on financial services cybersecurity for firms outside the EU as soon as they handle payments for EU customers.
Global — Payment Card Industry Data Security Standard (PCI-DSS)
PCI DSS is an industry standard from the major card brands rather than a law, and it applies to every entity that stores, processes or transmits cardholder data: merchants, processors, acquirers, issuers and their service providers. To achieve compliance, financial services cybersecurity programs must meet obligations such as rendering stored primary account numbers unreadable, encrypting cardholder data in transit over open public networks, restricting access on a need-to-know basis and authenticating all access to system components; version 4.0 of the standard, published in March 2022, extends the MFA requirement to all access into the cardholder data environment. Non-compliance, or a breach that reveals non-compliance, may result in fines levied through the acquiring bank and restrictions on accepting major card brands.
Singapore — Monetary Authority of Singapore Notices on Cyber Hygiene
The Monetary Authority of Singapore (MAS) regulates financial institutions in the banking, capital markets, insurance and payments sectors. MAS has issued a set of Notices on Cyber Hygiene that impose legally binding requirements financial institutions must implement to mitigate the growing risk of cyberthreats. The notices cover six areas: securing administrative accounts on critical systems, applying security patches in a timely manner (with mitigating controls for systems that cannot be patched), maintaining written and regularly reviewed security standards for systems, deploying network perimeter defences, deploying malware protection, and multi-factor authentication for all administrative accounts on critical systems and for all accounts used to access customer information over the internet.
Canada - Bill C-11
First tabled as Bill C-11 in 2020, which died on the order paper in 2021, and reintroduced in 2022 as Bill C-27 (the Digital Charter Implementation Act), Part 1 of the bill would enact the Consumer Privacy Protection Act (CPPA) to replace the federal PIPEDA regime. As of this writing it has not passed. The CPPA is a privacy statute in the mould of PIPEDA and the GDPR rather than a prescriptive security regulation like NYDFS Part 500: it sets obligations on consent, collection, use, retention and disposal of personal information, requires security safeguards proportionate to the sensitivity of the information, and adds breach-reporting duties and significant administrative penalties.
US — FFIEC Standards
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that prescribes uniform principles, standards and examination practices for federally supervised financial institutions, including their subsidiaries. Its 2021 guidance, Authentication and Access to Financial Institution Services and Systems, covers effective authentication and access risk management. It emphasises multi-factor authentication (MFA) as a critical control against financial loss and data compromise, similar to the PSD2 strong customer authentication mandate, and it refers to NIST SP 800-63B, which defines authenticator assurance levels and the phishing-resistance property, and NIST SP 1800-17, which demonstrates FIDO-based multi-factor authentication for e-commerce. Those references are what make passwordless, FIDO-based MFA a recognised way of meeting the guidance.
US — FTC Safeguards Rule
The FTC Safeguards Rule implements the GLBA Safeguards Rule for non-bank financial institutions, such as mortgage brokers, auto dealers and payday lenders, and requires them to implement a comprehensive written information security program to keep customer information safe. The rule was substantially updated in December 2021, and the compliance deadline for several of the new provisions was extended to June 9, 2023. Among those provisions is a mandate for multi-factor authentication for any individual accessing any information system that holds customer information. It should be noted that "any information system" includes desktop and server access, not just applications.
Protect Data and Systems with Strong Authentication
The financial services sector is at high risk of cyberattacks because of what a successful data breach or account takeover is worth to the attacker. To combat this, state, national and supranational governments and industry groups have introduced the financial services cybersecurity regulations above to ensure that best practice is deployed throughout the industry.
A common thread running through these regulations is the protection of data and stronger authentication, and the most recent of them (FFIEC, FTC Safeguards, PCI DSS v4.0) name MFA explicitly. HYPR's True Passwordless MFA solution uses FIDO2, the "gold standard" of phishing-resistant MFA, to help companies secure their systems and achieve regulatory compliance. To learn more, read more here or schedule a custom demo.
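Several of the regulations above (FFIEC, FTC Safeguards, PCI DSS, NYDFS) mandate MFA, and the FFIEC guidance points at FIDO-based, phishing-resistant authentication. What makes a FIDO2/WebAuthn assertion phishing-resistant is not the second factor as such but the fact that the browser, not the web page, writes the real origin into the data the authenticator signs, and the server checks it. The following Go program is an added example written for this page; it is not HYPR's code and not a production WebAuthn library. It simulates the assertion ceremony with a P-256 key and a simplified authenticatorData layout, and the relying party, origin and domain names (bank.example, bank-example.evil) are hypothetical. It shows a legitimate login verifying, an adversary-in-the-middle phishing proxy failing the origin check even though it relayed the genuine challenge, and a replayed assertion failing the challenge check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// collectedClientData is the WebAuthn CollectedClientData the browser builds.
// The browser fills in "origin"; a web page cannot override it.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party (the bank's server) receives back.
type Assertion struct {
	AuthenticatorData []byte // sha256(rpID) || flags || signCount (simplified layout)
	ClientDataJSON    []byte
	Signature         []byte // DER ECDSA over authenticatorData || sha256(clientDataJSON)
}

// NewChallenge produces the per-login random challenge the server stores.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// signedDigest is sha256(authenticatorData || sha256(clientDataJSON)), the
// message that ECDSA-P256/SHA-256 signs in WebAuthn.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := append(append(make([]byte, 0, len(authData)+32), authData...), cdHash[:]...)
	d := sha256.Sum256(msg)
	return d[:]
}

// SignAssertion plays the browser plus authenticator: it assembles
// clientDataJSON for the origin the user is actually on, then signs.
func SignAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(collectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the relying-party check. Each early return is a distinct
// failure mode the server must reject before trusting the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, rpID, expectedOrigin, expectedChallenge string) error {
	var cd collectedClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, expectedOrigin)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to a different relying party")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user-presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs a legitimate login, a phishing-proxy attempt and a replay against a
// server expecting the hypothetical origin https://bank.example.
func Demo() (legitErr, phishErr, replayErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const rpID, origin = "bank.example", "https://bank.example"
	ch := NewChallenge()
	legit, _ := SignAssertion(priv, rpID, origin, ch)
	legitErr = VerifyAssertion(&priv.PublicKey, legit, rpID, origin, ch)
	// The proxy relays the genuine challenge, but the browser is on the look-alike
	// domain and records that origin. (A real browser would not even offer the
	// credential, since rpID must match the origin; rpID is held fixed here to
	// isolate the server-side check.)
	phish, _ := SignAssertion(priv, rpID, "https://bank-example.evil", ch)
	phishErr = VerifyAssertion(&priv.PublicKey, phish, rpID, origin, ch)
	// Replay: an earlier valid assertion presented against a fresh challenge.
	replayErr = VerifyAssertion(&priv.PublicKey, legit, rpID, origin, NewChallenge())
	return
}

func main() {
	legit, phish, replay := Demo()
	fmt.Println("legitimate login:", legit)
	fmt.Println("phished assertion:", phish)
	fmt.Println("replayed assertion:", replay)
}
```

The contrast with a one-time code is the point: a six-digit OTP typed into bank-example.evil verifies perfectly when the proxy forwards it, because nothing in the code says where it was entered. A WebAuthn assertion carries the origin inside the signed data, so the relying party's `VerifyAssertion` rejects it without needing to know the phishing domain in advance.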