The State of Cybersecurity Laws in the Financial Services Industry

by Tom Gilheany

The past year provided many lessons about how risky the digital world continues to be. The 2016 Data Breach QuickView report stated that there were 4,149 publicly disclosed data breaches worldwide last year, exposing 4.2 billion records. That's just the breaches that were made public; the total figure could be much higher.

The financial industry's SWIFT transaction system became infamous after hackers stole a Bangladeshi bank's SWIFT code and used it to make a series of transaction requests, stealing $81 million. This was the most egregious example in the industry, but there are many more that point to the need for stronger cybersecurity measures.

Another big player last year in the cybercrime world was ransomware. In the first quarter of 2016 alone there was an average of over 4,000 attacks per day, according to Deloitte. That was a 300 percent increase from the 1,000 ransomware attacks per day the prior year. In fact, ransomware is now considered the top cybersecurity threat to the financial industry.

In a recent SANS survey, 54 percent of responding financial services firms said they consider ransomware the biggest threat to their business. And more than 32 percent of financial firms said ransomware attacks have resulted in losses of between $100,000 and $500,000.

Cybersecurity, or the lack thereof, has become a headline issue, threatening financial institutions' reputations and bottom lines. It is such a high-stakes game, in fact, that regulators are expected to take on a growing role going forward.

A New Push for Cybersecurity Laws and Regulations

There has already been significant action on the cybersecurity legislative front recently. In October of last year, the Group of Seven industrial powers agreed on guidelines to protect the global financial sector from cyberattacks. That followed various cross-border bank thefts at the hands of hackers.

The European Union has approved cybersecurity rules that force businesses to strengthen their defenses. They require banking, energy and major tech companies to report attacks, and they require EU nations to cooperate on network security matters.

The EU's General Data Protection Regulation (GDPR) has serious implications for any organization that processes the personal data of people residing in the EU, regardless of the company's location. The financial sector must pay particular attention to this regulation because it processes a huge amount of personal data on a daily basis. Those that do not comply, or that try but fall short of the GDPR's stringent privacy rules, face fines of up to €20m or four percent of the company's global annual turnover.

Australia has a thriving IT industry, and the country has developed a national strategy through which government and the private sector are working together to address cybersecurity. Last year, it issued a white paper describing major risks and initiatives on this front.

U.S. states aren't waiting for the federal government to act. At least 28 states last year considered or introduced cybersecurity legislation, according to the National Conference of State Legislatures. Most of these laws and bills address national infrastructure and governmental agencies. But some of them specifically target the interests of organizations, including financial service organizations.

For example, a new law in Colorado calls for the creation of a state cybersecurity council to provide policy guidance to the governor. One of the three cybersecurity bills signed into law in California last year makes it a crime for a person to knowingly introduce ransomware into any computer, computer system or computer network. Utah has enacted civil penalties for hackers. And Washington State has established the State Cybercrime Act.

Diligence and Perseverance

Like these other proactive entities, the financial services industry can take part in the conversation with legislators and regulators who are forming new laws and regulations. Banks that may have historically only concentrated on compliance and aren't involved in new cybersecurity discussions may want to start voicing their opinions and lending a hand in these efforts now, before cybersecurity regulatory decisions are cemented.

By the same token, regulators can get consultation from cybersecurity experts to ensure that they fully understand cybersecurity risks and the real capabilities of corresponding technical controls, as well as any possible unintended consequences of regulations written with too broad, or too narrow, a scope.

Both regulators addressing new cybersecurity risks and financial institutions participating in these conversations should make sure that they have at the table individuals who are well-trained and certified in all relevant cybersecurity topics. This will ground the conversation in the technical realities of the risks they are addressing, as well as the technical controls currently available to mitigate those risks.

In addition, financial service providers would do well to keep in mind that there is a lag time for legislation of three to four years due to the drawn-out lawmaking process. However, cybercriminals don't experience this lag time, which means providers need to take a proactive approach and go beyond mere compliance with cybersecurity regulations. To make their organizations as secure as possible from the myriad cyber threats, they must become as innovative and fast-paced in their efforts to safeguard their networks as the cybercriminals attacking them.

About Tom Gilheany

Tom Gilheany is the product manager of security learning products within Cisco Services. His background is diverse; he's worked in small startups and multinational Fortune 100 companies in product management and technical marketing positions. Prior to his transition to marketing, he spent more than a decade working in Information Technology and Operations. Tom holds a CISSP, an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.