What’s my exposure?

What’s My Exposure? Cybersecurity and Regulatory Requirements for Financial Institutions

Introduction

Financial institutions and businesses have been making risk-based decisions in order to protect what’s most important since their inception. The addition of information-systems and applications only serves to extend many of the concepts they are already familiar with, including regulations, risk, assets, intellectual property, vulnerabilities, threats, and threat multipliers. It’s important to understand how cybersecurity requirements for these systems add to what is already a long list of statutory and regulatory requirements. However, what’s more important is not to lose sight of the fact that those information-systems and security controls exist to support the business, not the other way around. They should be increasing productivity, driving revenue, generating profits and reducing risk, not dragging them in the opposite direction. Financial institutions understand how to analyse risk in order to better protect their investments; cybersecurity should be no different. Regulatory requirements and compliance will start an organization down the right path. However, an honest and thorough approach to securing critical information-systems and the data they contain will simultaneously hit those “check boxes” and smartly align those resources with business objectives.

Overview

Financial institutions in the U.S. have almost always been subject to a myriad of statutory and regulatory requirements

[1]. In some cases these regulations help protect the marketplace from instabilities introduced by unscrupulous lending practices[2]. For others, they are an attempt to address accounting fraud through accurate and reliable reporting[3]. Still others seek to protect the information provided by consumers when purchasing products and services[4]. Regardless of the specific law or regulation, there are information-systems and applications that facilitate and support the business functions that simultaneously make money for the institution and satisfy regulatory requirements. This post will attempt to dissect and understand how statutory and regulatory requirements impact cybersecurity requirements for U.S financial institutions. With regard to information-systems and cybersecurity requirements, the most significant pieces of legislation passed to date include:

Gramm-Leach-Bliley Act (GLBA) of 1999 , Pub.L.106-102 Sarbanes-Oxley Act (SOX) of 2002, Pub.L.107-204 Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub.L.111-203 Although there are other laws that directly and/or indirectly impact cybersecurity requirements, one could argue that any regulations that proceed from these laws are subsumed by the requirements for the 3 pieces of legislation above. For example, the disposal of consumer data specified in the “Fair and Accurate Credit Transactions Act”[5] is already covered by regulatory guidance for GLBA[6].

Gramm-Leach-Bliley Act (GLBA)

Summary

Out of the 3 pieces of legislation above, it could be argued that GLBA most directly impacts cybersecurity requirements for financial institutions through the privacy and safeguards rules. The privacy rule is intended to protect consumer financial privacy by placing limits on the release of non-public personal information (NPI) to unaffiliated third parties. NPI[7] includes income, social security numbers, payment history, and loan and deposit balances. The safeguards rule[8] requires the financial institution to implement a security program to protect this NPI. The centrepiece of this implementation is the risk analysis and overall risk management process. The high level objectives for the security program are to:

  • Inventory and classify information-systems hardware and software;
  • Assess vulnerabilities in information-systems and business processes;
  • Review threats to critical resources and NPI;
  • Quantify the risks to critical resources, NPI, and business processes;
  • Develop and implement a mitigation strategy, which includes implementation and updates for critical security controls;
  • Monitor and manage organizational risk; and
  • Modify security controls and update the security program as needed.

Impacted Financial Institutions

Organizations that are “significantly engaged” in “financial activities” are subject to the regulatory requirements that proceed from the privacy and safeguards rules of GLBA. According to Bank Holding Company Act of 1956[9], financial activities include, but are not limited to:

  • lending, exchanging, transferring, investing for others, or safeguarding money or securities
  • brokering loans
  • servicing loans
  • debt collecting
  • real estate settlement services
  • insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State

Enforcement

GLBA regulations are enforced by a number of organizations. The enforcement body depends on the nature of the financial institution being considered. Enforcement organizations currently include[10]:

  • Consumer Financial Protection Bureau (CFPB)
  • Federal Trade Commission (FTC)
  • Securities and Exchange Commission (SEC)
  • Federal Financial Institutions Examination Council (FFIEC)
  • Federal Reserve Board (FRB)
  • Federal Deposit Insurance Corporation (FDIC)
  • National Credit Union Administration (NCUA)
  • Office of the Comptroller of the Currency (OCC)
  • Office of Thrift Supervision (OTS)

The FFIEC was established in 1979 and includes principals from the FRB, FDIC, NCUA, OCC, and CFPB. The FFIEC published an information security handbook which “addresses regulatory expectations regarding the security of all information-systems and information maintained by or on behalf of a financial institution, including a financial institution’s own information and that of all of its customers.”[11] The FFIEC handbook and several additional resources for guiding organizations through GLBA regulatory requirements are included in section 4 below.

Resources

The resources below provide prescriptive steps for addressing regulatory requirements. These resources are intended for organizations that are ready to ask, “what do I do now?”

  • FFIEC Information Security Handbook http://ithandbook.ffiec.gov/media/resources/3354/con-15usc_6801_6805-gramm_leach_bliley_act.pdf

  • FFIEC Cybersecurity Assessment Tool https://www.ffiec.gov/cyberassessmenttool.htm

  • Critical Security Controls https://www.cisecurity.org/

  • Critical Security Controls Master Mapping http://www.auditscripts.com/download/2742/

Dodd-Frank Wall Street Reform and Consumer Protection Act

Summary

Although Dodd-Frank enacted far-reaching reforms, it only appears to indirectly impact the cybersecurity requirements for financial institutions. Title X of Dodd-Frank, known as the Consumer Financial Protection Act of 2010, established the Consumer Financial Protection Bureau (CFPB) and empowered it with the authority to issue regulations and take enforcement actions under Title V of GLBA[12]. “Title V” refers to the GLBA privacy rule detailed in section 3 above. In short, it transfers a significant amount of enforcement authority to the CFPB with regard to enforcing the GLBA privacy rule to protect consumer financial privacy and NPI. The safeguards rule and the regulations that prescribe administrative, technical, and physical security controls to protect that NPI appear unchanged.

Impacted Financial Institutions[13]

  • lending, exchanging, transferring, investing for others, or safeguarding money or securities
  • brokering loans
  • servicing loans
  • debt collecting
  • real estate settlement services
  • insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State

Enforcement

The Security and Exchange Commission (SEC) is responsible for the enforcement of the provisions of Dodd-Frank.

Resources

  • Privacy Protection for Customer Financial Information https://fas.org/sgp/crs/misc/RS20185.pdf

  • The Dodd-Frank Wall Street Reform and Consumer Protection Act: Title X, The Consumer Financial Protection Bureau http://www.llsdc.org/assets/DoddFrankdocs/crs-r41338.pdf

Sarbanes-Oxley Act (SOX)

Summary

Sarbanes Oxley (SOX) was enacted as part of the US government’s response to the financial and accounting scandals tied to Worldcom, Enron, and Arthur Anderson Accounting in the early 2000s. One of the main provisions in SOX requires corporations to implement internal controls to ensure accurate and reliable corporate disclosures. Corporations must also annually assess the effectiveness of its internal controls and report findings to the SEC. Since many of the internal controls as well as the reporting mechanisms themselves are dependent on information-systems and applications, the impact on the organization’s cybersecurity requirements is significant. In this case the regulatory requirements that proceed from SOX dovetail almost perfectly with the goal of information security, which is to protect the confidentiality, integrity, and availability (CIA) of information-systems and the financial data they contain.

Impacted Financial Institutions[14]

  • Publically Traded Companies in the US
  • Publically Traded Non-US Companies doing business in the US
  • Private companies preparing for an Initial Public Offering (IPO)

Enforcement

SOX does not provide prescriptive actions for securing Information-systems and assessing specific security controls. As part of SOX, the Public Company Accounting Oversight Board (PCAOB) was formed to create, provide, and enforce audit guidelines for internal controls. Unfortunately, the PCAOB includes very little practical guidance for addressing IT security controls[15]. The PCAOB subsequently selected a framework for creating and implementing internal controls created by the Committee of Sponsoring Organizations (COSO). However, COSO is also not specific enough for information security professionals15. There are several frameworks that provide specific prescriptive guidance for implementing and assessing security controls for information-systems and applications. These include COBIT[16] and the CIS Critical Security Controls[17].

Resources

It’s important to note that the frameworks below are fundamentally no different than some of the resources listed in section 3.4 for GLBA compliance. In fact, the “Critical Security Controls Master Mapping” document below explicitly maps each of the critical security controls to an equivalent activity/domain in the FFEIC CAT. There are lots of resources available for organizations looking to start down the path of regulatory compliance. However, one could easily argue that they all boil down to the same set of basic security principles.

  • Critical Security Controls https://www.cisecurity.org/

  • Critical Security Controls Master Mapping http://www.auditscripts.com/download/2742/

Black Lantern Security (BLS) Services and Subscriptions

BLS provides a suite of security services and subscriptions to help organizations develop, implement, and mature their information security program. BLS services and subscriptions have been designed according security best practices and are ideal for any organization looking to build a solid security program that supports GLBA and SOX compliance. Our methodologies and approach have been developed over the last decade as the founding partners secured some of the Nations most sensitive systems. Services and subscriptions include:

  • Risk Analysis
  • Vulnerability Assessment
  • Penetration Testing
  • Wireless Assessment
  • Web Application Assessment
  • Secure Code Review
  • Centralized Logging and Alerting
  • Offensive Security Tools and Utilities

Conclusion

Regardless of where the regulations proceed from, engineering your information-systems and associated security controls will always come down to the same basic set of security principles. If things are implemented correctly then satisfying the regulatory requirements almost becomes an after thought. If you set out to secure what’s most important to the business and decisions are based on what’s critical to the near- and long-term success of the business, then compliance comes naturally. Compliance is not the challenge, the challenge lies in understanding where your crown jewels reside, the types of attacks your most likely to see, and how best to tune your people, process, and tools to defend and evolve.

References

[1] Federal Reserve Act, https://en.wikipedia.org/wiki/Federal_Reserve_Act

[2] Dodd-Frank Wall Street Reform Act, https://www.gpo.gov/fdsys/pkg/PLAW-111publ203/html/PLAW-111publ203.htm

[3] Sarbanes-Oxley Act, https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/html/PLAW-107publ204.htm

[4] Gramm-Leach-Bliley Act, https://www.gpo.gov/fdsys/pkg/PLAW-106publ102/html/PLAW-106publ102.htm

[5] Fair and Accurate Credit Transactions Act, https://www.gpo.gov/fdsys/pkg/PLAW-108publ159/html/PLAW-108publ159.htm

[6] FFEIC CyberSecurity Assessment Tool (CAT), https://www.ffiec.gov/cyberassessmenttool.htm

[7] https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm

[8] https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying

[9] https://fraser.stlouisfed.org/scribd/?title_id=984&filepath=/files/docs/historical/congressional/1956_bankholdact_publiclaw511.pdf

[10] http://ithandbook.ffiec.gov/media/resources/3354/con-15usc_6801_6805-gramm_leach_bliley_act.pdf

[11] http://ithandbook.ffiec.gov/it-booklets/information-security/introduction.aspx

[12] https://fas.org/sgp/crs/misc/RS20185.pdf

[13] https://fraser.stlouisfed.org/scribd/?title_id=984&filepath=/files/docs/historical/congressional/1956_bankholdact_publiclaw511.pdf

[14] http://www.sarbanes-oxley-101.com/sarbanes-oxley-faq.htm

[15] https://www.sans.org/reading-room/whitepapers/legal/overview-sarbanes-oxley-information-security-professional-1426

[16] http://www.isaca.org/cobit/pages/default.aspx

[17] https://www.cisecurity.org/critical-controls.cfm


© 2018 | All rights reserved | 1 Cool Blow Suite 322 Charleston, SC 29403 | 843.991.4612