Introduction
Financial institutions and businesses have been making risk-based decisions in order to protect what is most important since their inception. The addition of information-systems and applications only serves to extend many of the concepts they are already familiar with, including regulations, risk, assets, intellectual property, vulnerabilities, threats, and threat multipliers. It is important to understand how cybersecurity requirements for these systems add to what is already a long list of statutory and regulatory requirements. However, what is more important is not to lose sight of the fact that those information-systems and security controls exist to support the business, not the other way around. They should be increasing productivity, driving revenue, generating profits and reducing risk, not dragging them in the opposite direction. Financial institutions understand how to analyze risk in order to better protect their investments; cybersecurity should be no different. Regulatory requirements and compliance will start an organization down the right path. However, an honest and thorough approach to securing critical information-systems and the data they contain will simultaneously hit those “check boxes” and smartly align those resources with business objectives.
Overview
Financial institutions in the U.S. have almost always been subject to a myriad of statutory and regulatory requirements.1 In some cases these regulations help protect the marketplace from instabilities introduced by unscrupulous lending practices.2 Others are an attempt to address accounting fraud through accurate and reliable reporting.3 Still others seek to protect the information provided by consumers when purchasing products and services.4 Regardless of the specific law or regulation, there are information-systems and applications that facilitate and support the business functions that simultaneously make money for the institution and satisfy regulatory requirements. This post dissects how statutory and regulatory requirements shape cybersecurity requirements for U.S. financial institutions. With regard to information-systems and cybersecurity requirements, the most significant pieces of legislation passed to date include:
Gramm-Leach-Bliley Act (GLBA) of 1999, Pub. L. 106-102
Sarbanes-Oxley Act (SOX) of 2002, Pub. L. 107-204
Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. 111-203
Although other laws directly and/or indirectly impact cybersecurity requirements, one could argue that the regulations flowing from those other laws are largely subsumed by the requirements of the three pieces of legislation above. For example, the disposal of consumer data specified in the “Fair and Accurate Credit Transactions Act”5 is already covered by regulatory guidance for GLBA.6
Gramm-Leach-Bliley Act (GLBA)
Summary
Out of the three pieces of legislation listed above, it could be argued that the Gramm-Leach-Bliley Act (GLBA) most directly impacts cybersecurity requirements for financial institutions through its privacy and safeguards rules. The privacy rule is intended to protect consumer financial privacy by placing limits on the release of non-public personal information (NPI) to unaffiliated third parties. NPI includes income, social security numbers, payment history, and loan and deposit balances.7 The safeguards rule requires the financial institution to implement a written security program to protect this NPI.8 For non-bank institutions this is the FTC’s Safeguards Rule (16 CFR Part 314); for banks and credit unions the equivalent requirements are the Interagency Guidelines Establishing Information Security Standards issued by the banking regulators under section 501(b) of GLBA. In either form, the centerpiece of the program is the risk analysis and the overall risk management process. The high-level objectives for the security program are to:
Inventory and classify information-systems hardware and software;
Assess vulnerabilities in information-systems and business processes;
Review threats to critical resources and NPI;
Quantify the risks to critical resources, NPI, and business processes;
Develop and implement a mitigation strategy, which includes implementation and updates for critical security controls;
Monitor and manage organizational risk; and
Modify security controls and update the security program as needed.
Impacted Financial Institutions
Organizations that are “significantly engaged” in “financial activities” are subject to the regulatory requirements that proceed from the privacy and safeguards rules of GLBA. GLBA’s definition of “financial institution” refers to section 4(k) of the Bank Holding Company Act of 1956,9 under which financial activities include, but are not limited to:
Lending, exchanging, transferring, investing for others, or safeguarding money or securities
Brokering loans
Servicing loans
Debt collecting
Real estate settlement services
Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any state
Enforcement
GLBA regulations are enforced by a number of organizations, and the enforcement body depends on the nature of the financial institution being considered. Enforcement organizations currently include:10
Consumer Financial Protection Bureau (CFPB)
Federal Trade Commission (FTC)
Securities and Exchange Commission (SEC)
Federal Reserve Board (FRB)
Federal Deposit Insurance Corporation (FDIC)
National Credit Union Administration (NCUA)
Office of the Comptroller of the Currency (OCC)
Two bodies that often appear in older lists do not belong here. The Federal Financial Institutions Examination Council (FFIEC) issues uniform examination standards and guidance for its member agencies but does not itself bring enforcement actions, and the Office of Thrift Supervision (OTS) was abolished by Dodd-Frank in 2011, with its supervisory functions transferred to the OCC, FDIC, and FRB.
The FFIEC was established in 1979 and includes principals from the FRB, FDIC, NCUA, OCC, and CFPB, plus a State Liaison Committee. The FFIEC publishes the Information Security booklet of its IT Examination Handbook, which “addresses regulatory expectations regarding the security of all information-systems and information maintained by or on behalf of a financial institution, including a financial institution’s own information and that of all of its customers.”11 The FFIEC handbook and several additional resources for guiding organizations through GLBA regulatory requirements are included in the “Resources” section below.
Resources
The resources below provide prescriptive steps for addressing regulatory requirements. These resources are intended for organizations that are ready to ask, “what do I do now?”
FFIEC IT Examination Handbook (Information Security booklet) http://ithandbook.ffiec.gov/
GLBA Title V, Subtitle A statutory text (15 U.S.C. §§ 6801–6805), hosted with the FFIEC IT Examination Handbook http://ithandbook.ffiec.gov/media/resources/3354/con-15usc_6801_6805-gramm_leach_bliley_act.pdf
FFIEC Cybersecurity Assessment Tool https://www.ffiec.gov/cyberassessmenttool.htm
Critical Security Controls https://www.cisecurity.org/
Critical Security Controls Master Mapping http://www.auditscripts.com/download/2742/
Dodd-Frank Wall Street Reform and Consumer Protection Act
Summary
Although Dodd-Frank enacted far-reaching reforms, it only indirectly affects the cybersecurity requirements for financial institutions. Title X of Dodd-Frank, known as the Consumer Financial Protection Act of 2010, established the Consumer Financial Protection Bureau (CFPB) and gave it the authority to issue regulations and take enforcement actions under Title V of GLBA.12 Title V, Subtitle A of GLBA contains both the privacy provisions detailed in the “Gramm-Leach-Bliley Act (GLBA)” section above and the section 501(b) mandate that underlies the safeguards rule. Dodd-Frank transferred rulemaking authority for the privacy provisions to the CFPB (now codified as Regulation P, 12 CFR Part 1016) but expressly excluded section 501(b) from that transfer. In short, a significant amount of authority for enforcing the GLBA privacy rule and protecting consumer financial privacy and NPI moved to the CFPB, while the safeguards rule and the regulations that prescribe administrative, technical, and physical security controls to protect that NPI are unchanged.
Impacted Financial Institutions
Because the CFPB’s Title X authority over consumer financial privacy flows from GLBA, the impacted institutions are the same organizations “significantly engaged” in financial activities listed in the “Gramm-Leach-Bliley Act (GLBA)” section above: lending, exchanging, transferring, investing for others, or safeguarding money or securities; brokering and servicing loans; debt collecting; real estate settlement services; and insuring, guaranteeing, or indemnifying against loss or providing annuities, as principal, agent, or broker, in any state.13
Enforcement
Enforcement of Dodd-Frank is split among several agencies rather than resting with a single body. The Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) enforce its securities and derivatives provisions, the prudential regulators (FRB, FDIC, OCC) enforce its banking provisions, and the CFPB enforces Title X, including the GLBA privacy provisions discussed above.
Resources
Privacy Protection for Customer Financial Information https://fas.org/sgp/crs/misc/RS20185.pdf
The Dodd-Frank Wall Street Reform and Consumer Protection Act: Title X, The Consumer Financial Protection Bureau http://www.llsdc.org/assets/DoddFrankdocs/crs-r41338.pdf
Sarbanes-Oxley Act (SOX)
Summary
The Sarbanes-Oxley Act (SOX) was enacted as part of the US government’s response to the financial and accounting scandals tied to WorldCom, Enron, and the accounting firm Arthur Andersen in the early 2000s. Its core provisions require corporations to implement internal controls that ensure accurate and reliable corporate disclosures: Section 302 requires executives to certify the accuracy of financial reports and the effectiveness of disclosure controls, and Section 404 requires management to assess the effectiveness of internal control over financial reporting annually and report the findings to the SEC. Since many of those internal controls, as well as the reporting mechanisms themselves, depend on information-systems and applications, the impact on the organization’s cybersecurity requirements is significant. In this case the regulatory requirements that proceed from SOX dovetail almost perfectly with the goal of information security, which is to protect the confidentiality, integrity, and availability (CIA) of information-systems and the financial data they contain.
Impacted Financial Institutions
The following list describes impacted financial institutions:14
Publicly Traded Companies in the US
Publicly Traded Non-US Companies doing business in the US
Private companies preparing for an Initial Public Offering (IPO)
Enforcement
SOX does not prescribe specific actions for securing information-systems or assessing particular security controls. It created the Public Company Accounting Oversight Board (PCAOB) to set and enforce auditing standards, including the standards auditors use when attesting to internal controls. Unfortunately, the PCAOB standards include very little practical guidance for addressing IT security controls.15 Both the SEC and the PCAOB point to the Internal Control – Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a suitable basis for designing and evaluating internal controls. However, COSO is also not specific enough for information security professionals. Several frameworks do provide prescriptive guidance for implementing and assessing security controls for information-systems and applications, including COBIT16 and the CIS Critical Security Controls.17
Resources
It’s important to note that the frameworks below are fundamentally no different from the resources listed in the GLBA “Resources” section above. In fact, the “Critical Security Controls Master Mapping” document below explicitly maps each of the critical security controls to an equivalent activity/domain in the FFIEC CAT. There are many resources available for organizations starting down the path of regulatory compliance, but one could easily argue that they all boil down to the same set of basic security principles.
Critical Security Controls https://www.cisecurity.org/
Critical Security Controls Master Mapping http://www.auditscripts.com/download/2742/
Black Lantern Security (BLS) Services and Subscriptions
Black Lantern Security (BLS) provides a suite of security services and subscriptions to help organizations develop, implement, and mature their information security program. BLS services and subscriptions have been designed according to security best practices and are ideal for any organization looking to build a solid security program that supports GLBA and SOX compliance. Our methodologies and approach have been developed over the last decade as the founding partners secured some of the Nation’s most sensitive systems. Services and subscriptions include:
Risk Analysis
Vulnerability Assessment
Penetration Testing
Wireless Assessment
Web Application Assessment
Secure Code Review
Centralized Logging and Alerting
Offensive Security Tools and Utilities
Conclusion
Regardless of where the regulations proceed from, engineering your information-systems and associated security controls will always come down to the same basic set of security principles. If things are implemented correctly, satisfying the regulatory requirements becomes almost an afterthought. If you set out to secure what’s most important to the business, and decisions are based on what’s critical to the near- and long-term success of the business, then compliance comes naturally. Compliance is not the challenge; the challenge lies in understanding where your crown jewels reside, the types of attacks you’re most likely to see, and how best to tune your people, processes, and tools to defend and evolve.
References
Federal Reserve Act, https://en.wikipedia.org/wiki/Federal_Reserve_Act
Dodd-Frank Wall Street Reform Act, https://www.gpo.gov/fdsys/pkg/PLAW-111publ203/html/PLAW-111publ203.htm
Sarbanes-Oxley Act, https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/html/PLAW-107publ204.htm
Gramm-Leach-Bliley Act, https://www.gpo.gov/fdsys/pkg/PLAW-106publ102/html/PLAW-106publ102.htm
Fair and Accurate Credit Transactions Act, https://www.gpo.gov/fdsys/pkg/PLAW-108publ159/html/PLAW-108publ159.htm
FFIEC Cybersecurity Assessment Tool (CAT), https://www.ffiec.gov/cyberassessmenttool.htm