There is perhaps nowhere in the private sector with stricter regulations than the financial services industry. So, let’s talk about banking regulation cybersecurity.
Money makes our world go ‘round. Some corporations and individuals have a whole lot of it, and they’d be rather upset if any of it went missing.
These days, our money is all driven by computer technology. My bank account and yours are simply numbers on a computer. So, banking regulation cybersecurity is all about protecting the digital systems which manage our money.
All cyber threats pertain to one or more parts of the CIA triad of cybersecurity.
- Confidentiality is all about making sure that only authorized parties have access to specific data or computer systems.
- Integrity is all about making sure that data and computers aren’t tampered with by malicious parties, or even by accident.
- Availability is about making sure that data and computer systems are there when needed.
The last part often gets overlooked, but if your organization’s networks had a long period of downtime, it could be disastrous to your business!
To protect these principles in the financial services industry, we have banking regulations. Many of those laws also apply to facets outside of computer technology. But in this piece, I will summarize some of the regulations pertinent to banking cybersecurity in the United States. This isn’t a full explanation or legal advice; rather, it can be used as a starting point for you to learn more about banking regulations as they apply to cybersecurity.
The Gramm–Leach–Bliley Act went into effect on November 12th, 1999, and it’s still law in the United States as of this writing. It was designed partly to replace a section of the Glass-Steagall Act of 1933, in order to permit financial institutions to become investment banks, commercial banks, and insurance companies simultaneously. There are some cybersecurity implications to the Gramm–Leach–Bliley Act.
The Safeguards Rule
The Safeguards Rule of the Gramm–Leach–Bliley Act requires companies to have a plan in place to protect the information security of their customer data. When you hear about data breaches affecting American banks, those banks had better be compliant with the Safeguards Rule! According to the Rule, companies must design and implement a safeguards plan to be ready for threats to customer data. They’re required to actively monitor and test their plan. They must designate one or more employees to coordinate the company’s information security program. In each relevant area of the company’s operation, they must identify and assess any pertinent information security risks. They must also evaluate the effectiveness of their safeguards for mitigating those risks. When major changes occur to how the bank operates, they must also adjust their safeguards plan accordingly.
Some parts of the Rule that apply very specifically to cybersecurity include requiring strong passwords to protect access to sensitive financial data, developing policies about the appropriate use of computing devices within banking networks such as laptops and smartphones, and deactivating user credentials for banking network applications upon employee termination. Most of this stuff is very basic Corporate Cybersecurity 101.
When customer information must be disposed of, banks must comply with the FTC’s Disposal rule:
“Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with the rule in this part.
Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.”
There are also other parts of the Safeguards Rule which pertain to cybersecurity. Financial organizations must have appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. Logging will be needed even if it’s not explicitly stated in the Act!
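As an added example (not part of the original post, and not code from any regulator or vendor), here is a small Python check covering two of the Safeguards Rule points above: reconciling HR termination records against a directory export to find credentials that should have been deactivated on termination, and scanning audit-log lines for activity by terminated users and for bulk exports of customer records, the kind of logging evidence the oversight requirement calls for. The user names, dates, account data and log format are all constructed assumptions for illustration.

```python
# Added example, not from the original post. All data below is constructed.
from datetime import date, datetime

# Constructed HR feed: user id -> termination date (None = still employed).
TERMINATIONS = {
    "alice": None,
    "bob": date(2024, 3, 1),
    "carol": date(2024, 2, 15),
}

# Constructed directory export: user id -> whether the account is enabled.
ACCOUNTS = {
    "alice": True,
    "bob": True,        # terminated but never deactivated: a finding
    "carol": False,     # terminated and correctly disabled
    "svc_backup": True,
}

# Constructed audit-log lines: "<ISO timestamp> <user> <action> <resource>".
ACCESS_LOG = """\
2024-03-02T09:12:44 bob VIEW customer/10042
2024-02-10T11:03:09 carol VIEW customer/10007
2024-03-05T14:22:51 alice EXPORT customer/*
2024-03-06T01:45:12 bob EXPORT customer/*
"""


def lingering_accounts(accounts, terminations, as_of=None):
    """Return user ids that are terminated as of `as_of` (ISO date string or
    today) but whose directory account is still enabled."""
    cutoff = date.fromisoformat(as_of) if as_of else date.today()
    return sorted(
        user for user, enabled in accounts.items()
        if enabled
        and terminations.get(user) is not None
        and terminations[user] <= cutoff
    )


def parse_log_line(line):
    """Split one constructed audit-log line into a dict."""
    ts, user, action, resource = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource}


def events(log_text):
    return [parse_log_line(l) for l in log_text.splitlines() if l.strip()]


def access_after_termination(log_text, terminations):
    """Return log events performed on or after the actor's termination date."""
    hits = []
    for ev in events(log_text):
        term = terminations.get(ev["user"])
        if term is not None and ev["ts"].date() >= term:
            hits.append(ev)
    return hits


def bulk_exports(log_text):
    """Return events that export whole customer datasets; these deserve
    review under the 'detect improper disclosure' requirement regardless
    of who performed them."""
    return [ev for ev in events(log_text)
            if ev["action"] == "EXPORT" and ev["resource"].endswith("/*")]


if __name__ == "__main__":
    print("still-enabled terminated accounts:",
          lingering_accounts(ACCOUNTS, TERMINATIONS, as_of="2024-03-10"))
    for ev in access_after_termination(ACCESS_LOG, TERMINATIONS):
        print("post-termination access:", ev["user"], ev["action"], ev["ts"])
    for ev in bulk_exports(ACCESS_LOG):
        print("bulk export to review:", ev["user"], ev["ts"])
```

Run against a real directory export and audit log, the two findings map directly to the two obligations: a non-empty `lingering_accounts` result means the termination control failed, and `access_after_termination` hits are the evidence the audit procedure is meant to surface. Note that `carol` produces no hit because her only logged access predates her termination.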
When a data breach occurs, and they will inevitably occur, any consumers, law enforcement, or businesses affected must be notified. Law enforcement must be notified if the breach may involve criminal activity. Consumers must be notified if the breach involves personal information that poses a significant risk of identity theft or related harm.
Data Privacy Regulations
And that segues nicely into this. Many of the other regulations that pertain to cybersecurity in the banking sector aren’t really banking regulations per se, they’re data privacy regulations. The Gramm–Leach–Bliley Act has some parts that pertain to data privacy, but different data privacy regulations may also apply. Unlike the European Union and its GDPR or Canada and its PIPEDA, data privacy law in the United States is usually enacted state-by-state. So, these additional regulations will vary according to which state your bank is in, and which states your customers are in. For example, your bank may be based in Nevada. But if you have data on customers from California, both Nevada and California law may apply.
The most important parts of the data privacy law in your state apply to how your organization handles data and what you do in incident response to a data breach. Sometimes you’re required to report a data breach to the affected parties in a timely manner.
So that’s your introduction to banking regulation cybersecurity! It’s quite a complex topic, but hopefully I’ve offered you a good starting point so you can better understand your legal obligations for securing information in the financial services sector.
On February 5th, CIT’s own Lawrence Cruciana participated in the Delaware Bankers Association’s Cybersecurity Forum.