Financial services institutions (FSIs) are beholden to a wide array of regulatory rules. But in recent months, with an unprecedented number of customers embracing digital access in the face of closed or limited-access branches, there are new threats and risks to consider, both for customers and for the FSIs themselves.
Financial organizations are well acquainted with Sarbanes-Oxley and the Payment Card Industry Data Security Standard, but a patchwork of cybersecurity regulations that often differs by state and even by country has grown all the more complicated with the surge of online transactions. A panel discussion at the SC Finance eConference last week shed some much-needed light on this fast-evolving topic.
The current environment implies that “you have to have a pulse on the regulatory perspective,” says panelist Erica Wilson, vice president of global security and risk management for RGA Reinsurance Company. “You have to make sure you know who your regulators are, and the FDIC guidelines for establishing information security within your [institution].”
And as fast as the standards are evolving, “regulatory guidance is lagging behind many [financial] platforms out there,” Wilson says, adding that she expects to see updates in the new year.
Simply tracking the ongoing changes in regulatory guidance can prove a full-time job, let alone following one’s fellow FSIs who may be sanctioned, noted Tom Kartanowicz, regional chief information security officer for Commerzbank North America. In particular, the landscape for rules tied to decentralized financial platforms and cryptocurrency has taken off more quickly than regulators have been able to monitor.
“It’s often a case of centralized versus decentralized, with the classic centralized banking [areas] having anti-money laundering teams to fight fraud,” he says. Meanwhile, the decentralized players are often “rushing to market and getting vulnerabilities in their code.”
“The rules have to catch up and companies need to implement these rules and good practices just to give that confidence to the consumer,” Kartanowicz says.
That said, Wilson argues that when it comes to compliance, “there’s never a ‘done’; it’s never complete.” Like most organizations, FSIs are desperate for employees with the appropriate skillset to aid in their cyber-compliance efforts. “That’s just a challenge every institution is facing, regardless of their industry,” Wilson adds. “You can only do so much at a time to achieve compliance.”
Establishing a “cyber-roadmap doesn’t happen overnight,” says Kartanowicz, who points to the value of the NIST framework and top CIS controls as great guidelines.
Wilson stressed the importance of knowing where data lies and how accessible it may be – knowing “the assets that are connecting to the people, that are connecting to how you’re being targeted.”
“There are so many entry points that you have to protect... and you have to know what you’re protecting,” Wilson said. “And if you don’t get it right, there could be that one endpoint, that one thing you didn’t protect or have control over that creates the breach or concern.”