Jun 24 2024
Security

Navigating the Evolving World of Cybersecurity Regulations in Financial Services

Here’s how to stay compliant as more agencies impose overlapping security measures.

As laws and regulations constantly change, financial services organizations struggle with compliance.

In November 2023, the New York Department of Financial Services finalized amendments to its cybersecurity regulation that impose stricter controls on the financial services companies it oversees, including banks, insurers, investment firms and other licensed entities.

To avoid fines and penalties under the NYDFS rules, known as Part 500, organizations that qualify as “covered entities” must implement multifactor authentication for access to their information systems, or use reasonably equivalent or more secure access controls approved by the organization’s CISO, according to Larry Burke, a member of CDW’s Global Security Strategy Office.


“As we go into 2025, covered entities will now need approved written cybersecurity policies and procedures, a designated CISO, a written incident response plan, encryption, periodic access reviews, and continuous monitoring or periodic penetration testing and vulnerability assessments,” Burke says.

The amended regulations pair explicit security controls with the codified requirement to conduct periodic risk assessments of the information systems in place. Burke says: “While the risk assessment requirement highlights the need to update controls as changes occur in an evolving cybersecurity environment, other sections of the amendment establish explicit baseline cybersecurity controls to be implemented.

“This approach is intended to strike a balance between maintaining the risk-based approach NYDFS adopted when the initial cybersecurity regulations were issued while also raising the bar to address weaknesses observed in prior cyber incidents that were attributed to firms not maintaining a standard set of controls to protect against cyberthreats.”


Involve Your Board in Cybersecurity Compliance

Accountability for cybersecurity measures is a key element of the NYDFS regulations. The CISO must now report in writing, at least annually, to the company’s senior governing body or board of directors on its cybersecurity posture and its plans to remediate any security gaps, Burke says.

Maintaining accountability entails communicating with the board about cybersecurity risks, explains Kirk J. Nahra, partner and co-chair of the cybersecurity and privacy practice at law firm WilmerHale.

“The board needs to understand that its job is to evaluate major issues for a company, and a ransomware attack that shuts down the whole business is a major risk,” Nahra says. “The boards have to become more sophisticated about information security.”

Companies must also specify who oversees cybersecurity for their organization.

Nahra says cybersecurity regulation in finance started with the Gramm-Leach-Bliley Act. That law requires financial institutions to inform customers about their information-sharing practices and to safeguard sensitive customer data.


Multiple Regulators Make It Harder to Follow the Rules

The Securities and Exchange Commission recently updated its cybersecurity rules for broker-dealers and investment firms, requiring them to notify affected customers of a cybersecurity incident within 30 days of becoming aware of it. In summer 2023, the SEC also adopted a rule requiring a public company that suffers a material cybersecurity incident to disclose it on a Form 8-K within four business days of determining that the incident is material, Burke notes.

Meanwhile, the Department of Homeland Security published a proposed rule, open for public comment, to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires covered entities to report substantial cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency.

“The increasing amount of overlapping controls and requirements that affect the same set of companies heightens the benefits for organizations of all sizes to implement strong, enterprise-wide governance, risk and compliance programs,” Burke says.


How to Tackle Cybersecurity Regulations in Finance

Financial services organizations should ensure compliance by establishing incident response plans, which describe a company’s approach to handling a breach. Some regulations dictate what companies should include in an incident response plan, Nahra says.

NYDFS requires covered entities to maintain written cybersecurity policies that are reviewed and approved at least annually. Previously, regulations concentrated more on processes and best practices, Nahra says. Now they are becoming more prescriptive, but the multiple regulators are not consistent with one another, and their standards may conflict at times.

Some convergence may be coming: WilmerHale predicts that the Federal Trade Commission could adopt portions of NYDFS Part 500 in the FTC’s Safeguards Rule. That rule took effect in 2003, and the FTC updated it in 2021 to account for newer technology. It requires financial institutions to implement an information security program that includes “administrative, technical, and physical safeguards” to keep customer information secure, and it also requires them to conduct risk assessments.

Financial services companies benefit greatly from identity and access lifecycle policies and practices (provisioning, periodic access review and timely deprovisioning) built on a zero-trust model for both privileged and nonprivileged users. One benefit of a mature zero-trust strategy is that it limits the blast radius if a breach occurs, Burke says.


Meanwhile, Nahra recommends that companies avoid changing their cybersecurity programs blindly based on regulations.

“I would look at any of these new standards — whether it’s a law, a regulation, a National Institute of Standards and Technology standard, a contract requirement, whatever it is — and I would say, ‘Do we do this? Should we do something instead of this?’” Nahra says. “And I would factor into your thinking whether somebody else is telling you to do it differently.”

He notes that regulations get tested after a breach takes place. Organizations often shore up security programs when peers suffer an attack, given the industry spillover effect.

“If you happen to be the one that has the breach, you should figure out what caused it, why it happened and whether you could have done something to prevent it. Then try to move on and improve,” Nahra says. “Security needs to be a constant evolution.”
