Businesses in the finance industry process and store many forms of sensitive data, including customer information, payment details, and financial records, which makes them a popular target for cybercriminals. This data enables cybercriminals to commit identity theft, fraud, and other malicious activities. For example, stolen credit card details are in such demand that they can fetch up to $240 each on the dark web, depending on the card's account balance.
A number of cybersecurity regulations have been enacted to ensure that financial firms are fully capable of protecting the various types of sensitive data they handle. A key requirement under these regulations is for businesses to adopt and implement an appropriate cybersecurity framework.
A cybersecurity framework is a structured set of guidelines and best practices that a company follows to manage its cybersecurity risks. Some frameworks are voluntary and some are mandated by regulation, but all of them cover the same broad areas: risk assessment, data security, incident response, and business continuity.
Several frameworks have been developed over the years, and which ones a company must adopt depends not just on the industry it belongs to, but also on the types of data the business handles. In fact, a single firm may be covered by more than one framework. A bank that partners with healthcare providers, for instance, may be subject to both HIPAA and finance-related frameworks.
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a widely adopted standard designed to help organizations manage cybersecurity risks and safeguard critical data and systems. Originally developed to improve the cybersecurity of critical infrastructure, NIST CSF has become a go-to framework for businesses across various sectors, including finance, thanks to its flexibility and adaptability to different risk profiles.
In 2024, NIST introduced significant updates with the release of NIST CSF 2.0. The new version adds a sixth core function, "Govern," to the existing functions: Identify, Protect, Detect, Respond, and Recover. The "Govern" function emphasizes the importance of aligning cybersecurity with organizational objectives, establishing clear policies, and defining roles and responsibilities within a company’s cybersecurity strategy. Additionally, the update provides expanded guidance on managing supply chain risks—a crucial factor for financial firms that rely on various third-party vendors.
For financial firms, the NIST CSF’s flexible, risk-based approach makes it especially valuable. The framework’s comprehensive nature and updated guidelines for governance and supply chain management offer financial organizations a structured way to strengthen their cybersecurity posture, meet regulatory requirements, and protect client data in a rapidly evolving threat landscape.
The Sarbanes-Oxley (SOX) Act of 2002 was enacted to improve the accuracy of corporate financial reporting and to deter fraud through stronger internal controls. The statute does not prescribe specific cybersecurity controls, but Section 404's requirement that management assess and attest to internal controls over financial reporting is routinely interpreted by auditors to include the IT general controls (access control, change management, logging, and backup) that protect financial data and the systems that produce it, while Section 802 imposes record-retention requirements and penalties for altering or destroying records. In practice, this means that cybersecurity risks such as phishing and unauthorized access to financial systems fall within the scope of a SOX audit.
SOX shares several control objectives with NIST CSF, specifically in performing risk assessments, protecting critical assets, and ensuring business continuity. All public companies in the United States, including those in the finance sector, must comply with SOX. Noncompliance can result in severe consequences, including delisting from the public stock exchange, forfeiture of directors and officers liability insurance, and removal of the firm's directors.
The Gramm–Leach–Bliley Act (GLBA) requires financial institutions to develop, implement, and maintain a written information security program that protects the security and confidentiality of customer information (the Safeguards Rule). Under the accompanying Privacy Rule, a firm that shares customers' nonpublic personal information must tell its customers what information it collects and with whom it is shared, and must give them the right to opt out of having that information shared with nonaffiliated third parties.
Compliance with GLBA is compulsory for all companies in the United States that sell or offer financial products and services, including loans, insurance, and financial advice. Noncompliance can result in penalties, fines, and imprisonment.
The Payment Card Industry Security Standards Council (PCI SSC) is an independent body created by the payment card brands Visa, MasterCard, Discover, American Express, and JCB. It administers the PCI Data Security Standard (PCI DSS), a set of technical and operational requirements designed to maintain a secure environment for payment card transactions. Note that it is the payment brands, and not the PCI SSC, that enforce PCI DSS compliance.
All organizations that store, process, or transmit cardholder data, regardless of whether they belong to the financial sector or not, are subject to PCI DSS. Organizations found noncompliant can be fined up to $100,000 per month until they achieve full compliance; the fines are levied by the payment brands on the acquiring bank, which typically passes them on to the merchant.
The Financial Industry Regulatory Authority (FINRA) is a self-regulatory organization, authorized by Congress, that oversees broker-dealers in the United States securities industry. It has established rules and guidance for protecting customer data, as well as for detecting and preventing cyberthreats.
Compliance with FINRA's rules is mandatory for all FINRA-registered broker-dealers in the US. FINRA is also responsible for regulating funding portals, such as crowdfunding platforms. Noncompliance can result in various penalties, such as suspensions, censures, fines, and orders of restitution.
Complying with the appropriate cybersecurity framework is essential if you want your business to operate smoothly, avoid costly penalties, and stay protected from various cyberthreats. However, meeting regulatory requirements isn't always easy. The compliance experts from Charles IT can help in choosing and implementing the appropriate cybersecurity framework for your company. Contact us today to get started!
Editor's note: This blog was originally written in 2022 and updated in 2024 for accuracy.