Financial cybersecurity regulations are rules and laws that govern the operation, structure, and conduct of financial institutions and markets. These regulations are put in place by government agencies and international bodies to protect consumers, ensure stability in the financial system, and prevent misconduct and fraud.
Due to the ever-growing number of cyberattacks and their increasing severity, financial industry regulators are increasingly interested in mitigating cyber risks. Consequently, stricter financial cybersecurity regulations are being established, with severe penalties for non-compliance. The new regulations will impact chief information security officers’ (CISOs’) asset risk management efforts and even their roles in their organizations.
New Financial Industry Regulations
Among the recent updates to financial cybersecurity regulations is the U.S. Securities and Exchange Commission’s (SEC) proposed “rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (‘registrants’) that are subject to the reporting requirements of the Securities Exchange Act of 1934.”
These amendments will take effect this spring. They will require public companies to disclose to investors, in a standardized manner, their cybersecurity policies, procedures and competencies, any cybersecurity incidents that occur, and updates regarding past cybersecurity incidents.
European regulators also are requiring organizations to strengthen their defenses against cybercrime. The European Union’s NIS2 Directive (Network and Information Security 2 Directive), which lays down “measures for a high common level of cybersecurity across the Union,” must be transposed into the national law of the member states by October 17, 2024. Its article 21 requires essential and important entities to take “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems” that they use, and “to prevent or minimise the impact of incidents.” Compared with the original NIS Directive, NIS2 widens the scope of covered entities and introduces more stringent rules, especially those pertaining to cybersecurity risk management, including the security of the supply chain.
The Challenge of Unmanaged Devices
With the implementation of new financial cybersecurity regulations, managing cybersecurity and asset risk has become a core business concern for financial organizations. It is no longer solely the responsibility of the security team. As noted by IT research firm Gartner, corporate boards are increasingly viewing cybersecurity as a significant business risk. Therefore, CISOs must present cybersecurity concerns to business stakeholders framed as business risks rather than just technological challenges.
To comply with new financial cybersecurity regulations and address concerns from corporate leaders, CISOs must gain comprehensive visibility over their entire asset environment and effectively manage associated risks.
A notable challenge is that over 60% of devices connected to a financial services organization’s network go unnoticed and unmanaged. This issue has become even more pronounced with the rise of hybrid working, IoT devices, and personal device usage.
Enhancing Cybersecurity Compliance for CISOs
Although it is a daunting task for CISOs to know and understand their entire asset environment and manage the associated risks, several steps make it tractable. For example, CISOs could use IT asset management solutions that account for every asset type (IT/OT/IoT), whether managed or not and wherever it is being used. CISOs also could implement solutions that document the presence of authorized and unauthorized devices: the exact device models, the identity of the people using them and how they are using them, the risk level of the devices and of the users themselves, and whether the devices have any known vulnerabilities.
CISOs should also consider deploying IT asset management solutions that automatically block unknown and unwanted devices breaching access control policies. Continuous monitoring of network-connected devices is essential for ensuring real-time visibility and control, a key component of complying with Financial Cybersecurity Regulations.
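As an added example (not code from the original article or from any asset-management vendor), the reconciliation logic such a solution performs: devices observed on the network are normalized and matched against the asset inventory, and each one is classified as managed, authorized-but-unmanaged (no management agent, or an IoT device that cannot run one) or unknown, with a corresponding access decision. The lease lines and the inventory are constructed sample data; the lease format assumed is dnsmasq's `<expiry> <mac> <ip> <hostname> <client-id>`, and the MAC addresses, hostnames and owners are invented.

```python
"""Reconcile network-observed devices against the asset inventory.

Added example, not the article's or any vendor's code. The lease file
and the inventory below are constructed sample data; the lease format is
assumed to be dnsmasq's "<expiry> <mac> <ip> <hostname> <client-id>".
"""
from __future__ import annotations
from dataclasses import dataclass
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; inventories and switch CLIs mix
    'AA-BB-..', 'aabb.cc00.0001' and bare hex, which would otherwise
    make the same device look like several unknown ones."""
    mac = mac.strip().lower().replace("-", ":").replace(".", "")
    if ":" not in mac and len(mac) == 12:          # bare 12-hex-digit form
        mac = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac


def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq-style lease lines; blank or truncated lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(normalize_mac(parts[1]), parts[2], parts[3]))
    return leases


# Constructed inventory: MAC -> record from the asset-management system.
# "agent" records whether the device runs the endpoint management agent.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "type": "laptop", "agent": True},
    "aa:bb:cc:00:00:02": {"owner": "bob", "type": "laptop", "agent": False},
    "aa:bb:cc:00:00:03": {"owner": "facilities", "type": "iot-thermostat", "agent": False},
}

# Constructed lease file: one owned laptop with an agent, one without,
# one known IoT device, and one device nobody has registered.
LEASES = """\
1700000000 AA-BB-CC-00-00-01 10.0.1.10 alice-laptop 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.1.11 bob-laptop 01:aa:bb:cc:00:00:02
1700000000 aa:bb:cc:00:00:03 10.0.1.50 thermostat *
1700000000 de:ad:be:ef:00:01 10.0.1.99 android-7f3a *
"""


def classify(lease: Lease, inventory: dict) -> tuple[str, str]:
    """Return (class, action) for one observed device."""
    rec = inventory.get(lease.mac)
    if rec is None:
        return "unknown", "quarantine"            # not in inventory: isolate
    if rec["type"].startswith("iot-"):
        return "authorized_unmanaged", "restrict"  # known IoT: segmented VLAN only
    if not rec["agent"]:
        return "authorized_unmanaged", "remediate"  # owned, but no management agent
    return "managed", "allow"


def reconcile(leases_text: str, inventory: dict):
    """Per-device decisions plus counts per class, for the compliance report."""
    decisions = []
    counts = {"managed": 0, "authorized_unmanaged": 0, "unknown": 0}
    for lease in parse_leases(leases_text):
        cls, action = classify(lease, inventory)
        counts[cls] += 1
        decisions.append((lease.mac, lease.ip, lease.hostname, cls, action))
    return decisions, counts


def unmanaged_share(counts: dict) -> float:
    """Fraction of observed devices that are not under management."""
    total = sum(counts.values())
    return 0.0 if total == 0 else (total - counts["managed"]) / total


if __name__ == "__main__":
    decisions, counts = reconcile(LEASES, INVENTORY)
    for d in decisions:
        print(*d)
    print(counts, f"unmanaged share: {unmanaged_share(counts):.0%}")
```

Two practical caveats. A MAC address identifies a device only until someone spoofs it, so the decision this script produces should be enforced by a NAC or 802.1X system that authenticates managed devices with a certificate and drops unknown ones into a quarantine VLAN; the reconciliation above is what tells that system which category a device belongs in. And the unmanaged share reported here is the figure the board will ask about, so it should be computed from the live lease or ARP data on every run rather than from the inventory, which by definition does not contain the devices that were never registered.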
Financial Industry Regulations and Unmanaged Devices
Other U.S. financial industry regulations, such as the recordkeeping provisions of the Securities Exchange Act of 1934, include strict requirements for capturing business communications. These are extremely difficult to enforce because employees can discuss business on personal devices that never connect to the corporate network. Although capturing business communications is separate from cybersecurity, corporate boards and business leaders view it as a related business risk involving devices. There is no technical solution for monitoring business communications on devices that never touch the company’s network, but many of the devices that do connect to it are unmanaged, more of them than are managed. By managing all network-connected devices, organizations can better capture business communications and strengthen their compliance.
Compliance Challenges and Consequences
In light of financial cybersecurity regulations, capturing business communications remains a challenge. For example, in September 2022 the U.S. Securities and Exchange Commission announced charges against 15 broker-dealers and one affiliated investment adviser for “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications,” in violation of “certain record keeping provisions of the Securities Exchange Act of 1934.” The firms agreed to pay combined penalties of more than $1.1 billion and to improve their compliance policies and procedures. For European financial organizations that do not comply with the NIS2 Directive, EU member states will be required to provide for administrative fines of at least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher, for essential entities (the ceiling for important entities is lower, at least €7,000,000 or 1.4%).
CISOs in the financial sector face mounting challenges in adhering to financial cybersecurity regulations. Now that the SEC is ratcheting up its enforcement against companies and CISOs that fail to properly disclose their cybersecurity risks (for example, by naming the SolarWinds CISO as a defendant in its complaint), much better management of all devices accessing the network, and of the risks they carry, is a must-have component of an organization’s cybersecurity and compliance program.