While the COVID pandemic has acted as a booster in online banking’s growth story, the cybersecurity risks facing financial services are rising as well. As a result, institutions must be proactive to avoid coming under the regulatory hammer while also being at the hackers’ mercy.
While additional rules are welcome, the frequent operational changes these regulations require only add to the load on institutions. For example, in response to the increasingly unstable security environment financial institutions currently face, the New York State Department of Financial Services (NYDFS) recently proposed significant revisions to its Part 500 Cybersecurity Regulation. Under the proposed changes, anticipated to take effect in 2023, businesses will face much higher expectations for cyber expertise, earlier notification of cybersecurity events and ransom payments, and stricter auditing for large organizations.
As we saw with the initial 23 NYCRR 500, the NYDFS is not afraid to enforce the rules harshly, and several fines totalling millions of dollars have already raised the stakes for compliance. However, the advice offered to banks on how to achieve this compliance still needs to be clarified. All too frequently, banks and other covered entities, such as health insurers and credit unions, are left to rely on hindsight, considering the lessons learned and the fines paid only after enforcement action has been taken. As pressure on banks to comply with regulations grows, security decision-makers urgently need to rethink their approach to data protection.
Being pursued by everyone
Since they hold the wallet data of millions of consumers, banks and credit unions are top targets for cybercriminals. Although this has always been the case, the yearly analysis of financial services security by UK-based IT firm Sophos shows how threats have grown in scale, sophistication, and ruthlessness. For instance, ransomware attacks increased by 62% in 2021. Although more than half (52%) of the targeted firms paid the ransom, only 10% had their data returned. These alarming statistics show how vulnerable banks are becoming in the face of such data theft attempts. With the significant rise of double-extortion ransomware tactics, the risk multiplies: hackers first steal copious amounts of confidential data before encrypting the target’s files, and can then threaten to publish the stolen data on the dark web.
Additionally, zealous regulators can cause severe reputational and financial harm to organizations. The NYDFS collected USD 6.3 million in fines for cybersecurity non-compliance from four separate companies in the state in just three months in 2021. Despite having protections in place, one of these companies, Residential Mortgage Services, Inc. (RMS), paid USD 1.5 million for failing to give notice of a 2019 data breach. In addition, a USD 3 million penalty was levied against National Securities for several security violations, including the absence of multifactor authentication (MFA) or “equivalent” cybersecurity measures. These businesses not only paid hefty fines but also incurred the cost of forensic investigations and cleanup, on top of reputational damage.
No time for security checkboxes
The increased accountability in the financial services sector can only be a good thing. However, because “constructive ambiguity” shapes the original NYDFS rule, banks are largely left to their own devices to navigate the path to successful and compliant cybersecurity. This means that many still rely on cursory checkbox methods for automatic measures like encryption.
Organizations must change course in the face of increasing pressure from regulators and threat actors. Given today’s larger-scale data thefts, banks’ accelerated digital transformation, and growing cloud use, centralized approaches to data security need to be revised. Any bank that forgoes specialized and efficient encryption exposes itself to even the simplest ransomware and data exfiltration attacks.
This is because centralized identity, and the downstream access control built on it, invariably open the door to illicit activity. From the moment they obtain legitimate credentials, attackers, whether internal or external, have complete, continuous access to all systems, databases, and files. The organization could then lose millions of dollars through the exfiltration of sensitive files.
In recent years, industry giants such as Equifax, Yahoo, and the Office of Personnel Management have suffered significant data breaches caused by stolen credentials. According to the most recent IBM report, compromised credentials are once again the most frequent cause of a data breach, costing an average of USD 4.5 million per event.
Data encryption is irrelevant when centralized controls and checkbox identities are used. Furthermore, conventional encryption offers no protection against data exfiltration because it relies on centralized keys tied to the same user credentials that the attacker has stolen or copied.
An additional layer of protection: Multifactor encryption
Banks must abandon antiquated defence methods and adapt their mitigation strategies as the security and regulatory environments change. To protect sensitive data even when malicious actors are already inside the perimeter, they need layered solutions that keep working when everything else fails.
It is crucial to have a sophisticated, decentralized data protection plan. By deploying multifactor encryption and distributed key management (DKM), financial businesses can stop relying on identity as the cornerstone of all data security, guaranteeing that sensitive data stays protected during an exfiltration event. Criminals quickly realize that there is no single point of weakness, making all their efforts futile.
How does multifactor encryption work? Data at rest is encrypted with AES-256. To eliminate central points of attack, single points of failure, and risky reliance on identity and access management controls, a multifactor solution generates a unique key for each object, then automatically fragments that key and distributes the key shards across physical devices such as laptops, mobile devices, tablets, or servers.
With multifactor encryption and DKM in place, hackers cannot decrypt files even after gaining access to a system. This also holds when banks move data to the cloud: unstructured data remains encrypted under several factors, so nobody, not even the cloud provider, can read it. Only a small group of individuals, holding the key shards on approved physical devices, have access.
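The per-object key fragmentation described above, as an added illustration (not code from the article or any vendor it mentions): each object gets a fresh 256-bit key, which is split with Shamir secret sharing (an assumed realization of the “fragmenting” the text describes) so that any 3 of 5 device shards rebuild it and fewer yield only a random field element. The AES-256-GCM call that would use the key is left to a crypto library and not shown.

```python
import secrets

# Mersenne prime larger than any 256-bit key, so a key fits in one field element.
PRIME = 2**521 - 1


def split_key(key, threshold, shares):
    """Split a key into `shares` shards; any `threshold` of them rebuild it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shards = []
    for x in range(1, shares + 1):        # device index x = 1..n (never 0)
        y = 0
        for c in reversed(coeffs):        # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        shards.append((x, y))
    return shards


def combine_shards(shards, key_len=32):
    """Lagrange-interpolate f(0) from the given shards (mod p)."""
    secret = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # Too few shards interpolate a random field element, not the key; it may
    # not even fit in key_len bytes, so size the output to whatever came out.
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


def protect_object(threshold=3, devices=5):
    """Generate a fresh per-object AES-256 key and fragment it across devices."""
    object_key = secrets.token_bytes(32)   # would be fed to AES-256-GCM (library)
    return object_key, split_key(object_key, threshold, devices)


if __name__ == "__main__":
    key, shards = protect_object()
    assert combine_shards(shards[:3]) == key   # any 3 approved devices
    assert combine_shards(shards[:2]) != key   # 2 shards: below threshold
    print("3-of-5 split OK; 2 shards do not yield the key")
```

A stolen ciphertext plus a single compromised device therefore gives an attacker no more than a random number; the threshold, not a credential, gates decryption.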
Multifactor encryption also makes it possible to examine data consumption and encryption status for compliance and business reporting. For example, thanks to an irrefutable audit trail, banks can demonstrate active compliance during audits and inspections, which helps firms meet escalating standards. With detailed user activity logging, administrators can also design custom notifications and warnings, so that data insights feed into existing security monitoring programs.
Overcoming the regulatory obstacle
According to the US-based National Clearing House Association (NACHA), account numbers must be rendered unreadable when stored electronically by large non-financial-institution originators, third-party service providers, and senders. NACHA oversees the electronic payment systems between nearly every bank and credit union account within the American jurisdiction. This represents a significant departure from obsolete identity and access management security methods. Financial companies would benefit significantly from technology like multifactor encryption, which eliminates the risk of file exfiltration while balancing user accessibility and data protection.
When regulatory scrutiny and ransomware concerns are at an all-time high, banks must rely on something other than checkbox solutions and traditional centralized encryption. Using distributed key management and multifactor encryption, firms across the industry can secure themselves and demonstrate best-in-class regulatory compliance, avoiding the shame of excessive fines and reputational embarrassment.
New regulatory trends in data privacy
Uncertainty is a result of fragmented regulations
Like the EU’s GDPR, China’s centralized Personal Information Privacy Law offers a comprehensive set of regulations on data protection. The US still lacks a uniform privacy framework, but as more states adopt laws like Virginia’s Consumer Data Protection Act, which takes effect in 2023, calls for federal data protection legislation will grow.
Businesses may face uncertainty due to the fragmented compliance requirements imposed by US and international data privacy laws. In addition, the lack of a data transfer agreement between the EU and the US will increase doubts about the legitimacy of transatlantic data transfers.
Compliance is only one aspect of privacy
Privacy is undoubtedly a compliance matter, but for it to matter genuinely the organization’s culture must change. Poorly controlled access within an organization frequently results in data privacy violations. Humans are the weakest link in the chain of privacy and security, so people and processes are just as important as technology. However, as remote working becomes more prevalent, controlling user access and protecting essential data becomes more challenging.
Organizations seeking ISO 27001 certifications
For new entrants, obtaining independent external certifications for their privacy program and practices is crucial to confirm that they handle personal data correctly. These include ISO 27701, the EU’s binding corporate rules, and APEC’s cross-border privacy rules. Such designations can also benefit newcomers working on delicate, mission-critical projects such as core-system modernization, since they save time and effort during contract negotiations.
Thought Machine has applied for and been granted ISO 27001 certification and SOC 2 Type 2 accreditation, which set out requirements for information security management systems and show that internal controls and procedures are reliable and safe. Along with adhering to GDPR, the vendor complies with all pertinent data privacy legislation in the other major countries where it does business, including Singapore, Australia, and the US.
Web cookies and Apple’s Identifier for Advertisers are two tracking techniques that have enabled personalization and ad targeting at a level of sophistication never achieved before. However, they have also raised the risk of privacy abuses. In various jurisdictions, providers may no longer be able to rely on cookies to make customer outreach more effective. Institutions that need a plan to protect and expand their access to first-party data may have to increase sales and marketing spending by 10 to 20% to achieve the same results.
In the meantime, the UK’s Department for Digital, Culture, Media and Sport is considering allowing cookies to be used without user consent in certain circumstances, or where doing so would benefit the user.
Global banking rules around data security, customer privacy, and the ethical use of data, such as GDPR, are making it harder for financial institutions to transfer data among entities and across borders, to design target-state data flows, and to build insightful analysis for credit scoring. In addition, the use of data produced by different activities is governed by multiple legal restrictions. For instance, personal information from a social networking profile cannot be used for the same purposes as information from a financial transaction.