Industry Blogs

The State of Cybersecurity Laws in the Financial Services Industry

 The past year provided many lessons about how risky the digital world continues to be. The 2016 Data Breach QuickView report stated that there were 4,149 publicly disclosed data breaches worldwide last year, exposing 4.2 billion records. That’s just the breaches that were made public; the total figure could be much higher.



The financial industry’s SWIFT transaction system became infamous after hackers stole a Bangladeshi bank’s SWIFT code and used it to make a series of transaction requests, stealing $81 million. This was the most egregious example in the industry, but there are many more that point to the need for stronger cybersecurity measures.


Another big player last year in the cybercrime world was ransomware. In the first quarter of 2016 alone there was an average of over 4,000 attacks per day, according to Deloitte. That was a 300 percent increase from the 1,000 ransomware attacks per day the prior year. In fact, ransomware is now considered the top cybersecurity threat to the financial industry.


In a recent SANS survey, 54 percent of responding financial services firms said they consider ransomware the biggest threat to their business. And more than 32 percent of financial firms said ransomware attacks have resulted in losses of between $100,000 and $500,000.


Cybersecurity, or the lack thereof, has become a headline issue, threatening financial institutions’ reputations and bottom lines. It is such a high stakes game, in fact, that regulators are expected to take on a growing role going forward.


A New Push for Cybersecurity Laws and Regulations 

There has already been significant action on the cybersecurity legislative front recently. In October of last year, the Group of Seven industrial powers agreed on guidelines to protect the global financial sector from cyberattacks. That followed various cross-border bank thefts at the hands of hackers.


The European Union has approved cybersecurity rules that force businesses to strengthen their defenses. They require banking, energy and major tech companies to report attacks, and they require EU nations to cooperate on network security matters.


The EU’s General Data Protection Regulation (GDPR) has serious implications for any organization that processes the personal data of people residing in the EU, regardless of the company’s location. The financial sector must pay particular attention to this regulation because it processes a huge amount of personal data on a daily basis. Those that do not comply or that try but fall short of the GDPR’s stringent privacy rules face fines of up to €20m or four percent of the company’s global annual turnover. 


Australia has a thriving IT industry, and the country has developed a national strategy through which government and the private sector are working together to address cybersecurity. Last year, it issued a white paper describing major risks and initiatives on this front.  


U.S. states aren’t waiting for the federal government to act. At least 28 states last year considered or introduced cybersecurity legislation, according to The National Conference of State Legislatures. Most of these laws and bills address national infrastructure and governmental agencies. But some of them specifically target the interests of organizations, including financial service organizations.


For example, a new law in Colorado calls for the creation of a state cybersecurity council to provide policy guidance to the governor. One of the three cybersecurity bills signed into law in California last year makes it a crime for a person to knowingly introduce ransomware into any computer, computer system or computer network. Utah has enacted civil penalties for hackers. And Washington State has established the State Cybercrime Act.


Diligence and Perseverance 

Like these other proactive entities, the financial services industry can take part in the conversation with legislators and regulators who are forming new laws and regulations. Banks that may have historically only concentrated on compliance and aren’t involved in new cybersecurity discussions may want to start voicing their opinions and lending a hand in these efforts now, before cybersecurity regulatory decisions are cemented. 


By the same token, regulators can get consultation from cybersecurity experts to ensure that they fully understand cybersecurity risks and the real capabilities of corresponding technical controls, as well as any possible unintended consequences of regulations written with too broad, or too narrow, a scope.


Both regulators addressing new cybersecurity risks and financial institutions participating in these conversations should make sure that they have at the table individuals who are well-trained and certified in all relevant cybersecurity topics. This will ground the conversation around the technical realities of the risks they are addressing, as well as the technical controls currently available to mitigate those risks.


In addition, financial service providers would do well to keep in mind that there is a lag time for legislation of three to four years due to the drawn-out lawmaking process. However, cybercriminals don’t experience this lag time, which means providers need to take a proactive approach, and surpass mere compliance of cybersecurity regulations. To make their organizations as secure as possible from the myriad cyber threats, they must become as innovative and fast-paced in their efforts to safeguard their networks as the cybercriminals attacking them.



About Tom Gilheany 

Tom Gilheany is the product manager of security learning products within Cisco Services. His background is diverse; he’s worked in small startups and multinational Fortune 100 companies in product management and technical marketing positions. Prior to his transition to marketing, he spent more than a decade working in Information Technology and Operations. Tom holds a CISSP, an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.

Search Perspectives

View All