Financial Services Compliance Checklist: Cybersecurity in the Banking, Finance, Insurance and Retail Sectors

Praveen Yeleswarapu
August 16, 2021

The last decade witnessed several cyberattacks on the Banking, Financial Services, and Insurance (BFSI) sector as well as in the retail sector since banking went digital. Although digitalization has given us faster transaction time and undoubtedly transformed and enhanced the banking experience across the board, it has also increased the threat level for cyberattacks on the BFSI sector.

One specific, massive breach of a biometric database around 2015 resulted in the exposure of actual fingerprints and facial recognition data of millions of people. In addition, log data and other personal information wound up in a publicly accessible database. Biometrics, identity, and security solutions company Suprema was attacked, and therefore its clients across 83 countries, among them governments, metropolitan police forces, banks, and defense contractors, were vulnerable too. Suprema’s BioStar 2 biometric identity SDK, integrated into an AEOS access control system used by 5700 organizations, was heavily compromised.

The ramifications of this attack are far-reaching. Since banking went mobile and mostly digital, sometimes using biometric data for identification, it has been a prime target for cyberattacks, given the black-market demand for customer credentials and credit card information. Biometric data comes with the inherent problem that once it is compromised, there can be no reversal, unlike usernames and passwords which can be changed. Therefore, when banks use biometric access control systems, mobile authentication solutions, fingerprint live scanners, and other fingerprint modules, the risk is real.

Cyber risk factors can be unique to each industry: a manufacturing unit or supply chain faces different risks than a bank, financial institution, insurance company, or retail chain. The risk factor boils down to the kind of information they retain in their databases. Geographic location also shapes legal compliance and how private information is collected, stored, used, or archived.

Here’s what the cyber threat landscape for the BFSI sector looks like:

  • The annual cost of cyberattacks across the banking industry touched a whopping $18.3 million per company.
  • According to the Federal Bureau of Investigation (FBI), ransomware scammers received almost $1 billion per year in payouts.
  • 92% of ATMs remain vulnerable to hackers.

On the ground, 8 out of 10 US citizens worry that their financial information is not secure.

Trojans, ransomware, mobile banking and ATM malware, institutional invasion, data breaches and thefts, fiscal breaches are all cyber criminals’ weapons of choice. Not only do they greatly weaken the health of a financial institution, but they also have the potential to bring operations to a grinding halt.

Some of the prime targets in BFSI are:

  • Customer banking credentials
  • Mobile banking vulnerabilities. Mobile-first customers are in fact more exposed to the several malware variants designed to steal personal banking information.
  • Banking apps that can be exploited from the bank’s server side or from the user side (via a customer device).
  • Third-party vendors such as banking equipment vendors, software vendors, or customer service partners. They have access to critical banking data but their security policies may not be up to scratch.

Preventing cyberattacks in BFSI

Banking, an extremely lucrative business model that assures phenomenal returns with relatively little risk of detection, is a prime target for cyber attackers. The good news is that, due to the highly sensitive nature of the information in the financial sector’s databases, the banking, financial services, and insurance sector is one of the most strictly regulated sectors in terms of cybersecurity.

It goes without saying that the BFSI sector must be among the first to deploy all the latest, most advanced threat-management mechanisms. It needs all the technological help it can get to prove equal to the rapidly evolving threats on the horizon. At the very least, a bank must have these protective mechanisms in place:

  • Firewalls
  • Antivirus software
  • Proxy servers
  • Two-factor authentication with tokens
  • User and entity behavior analytics solutions
  • Data encryption
  • Risk assessment
  • APT (Advanced Persistent Threats) surveillance
  • SIEM (Security Information and Event Management)
  • WAF (Web Application Firewall)
  • Data security policies
  • Incident response plan

Cybersecurity Compliance in BFSI

The BFSI sector is held to a list of key regulatory standards and compliance systems that must be rigorously adhered to while conducting everyday operations. Some of these include:

The Bank Secrecy Act (BSA)

The Bank Secrecy Act (BSA) is an essential law that requires banks and other financial organizations to verify the legitimacy of all currency transactions. This prevents money laundering or concealment. BFSI auditors also scrutinize cybersecurity set-ups and incident response plans to ensure that all bases are covered if a breach occurs.

Sarbanes-Oxley (SOX)

Sarbanes-Oxley is an American law that was passed with the aim of creating a system of internal checks and balances pertaining to the accuracy of financial records. Historically, SOX was designed to track the legitimacy of financial records. However, given today’s cyber-threat scenario, a cybersecurity component was tacked on to the law. According to SOX, organizations must prove that they have security systems in place that monitor and protect sensitive banking information as per the standard requirement.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

The ISO/IEC 27001 standard is a part of the extensive ISO/IEC 27000 family of cybersecurity standards. The 27001 standard outlines specific recommendations and the right protocols and procedures for managing security risks, including a component for managing sensitive financial information.

Cybersecurity Compliance in Retail

Payment Card Industry (PCI) Data Security Standards (DSS)

The term PCI DSS refers to a global set of standards that govern the manner in which organizations handle credit card information. These affect all retail units because they deal with payment information. In order to comply with PCI DSS, retail organizations should maintain a highly secure data network and continuously monitor data across their various networks. The aim is to limit the theft or destruction of credit card data. It is sometimes challenging to integrate security controls into legacy set-ups or existing frameworks, which may require organizations to seek technical assistance from experts in complex security solutions.

What to do if an attack happens

Organizations across the BFSI and retail sector must have an incident response plan (IRP) preemptively in place.

An incident response plan is a document containing a well-thought-out, structured protocol for handling data breaches and mitigating the damage caused by cyber-attacks or any other security incidents.

Suggested reading: Incident Response - What Will You Sacrifice?

Having such a plan puts you ahead of the game by:

  • Providing a clear vision of the assets that need to be protected.
  • Giving a roadmap for dealing with specific events effectively and decisively.
  • Empowering you to address the underlying cause of a breach.
  • Preventing any similar incidents in the future.

Businesses of all sizes, in all locations, must have an IRP in place. When planning an incident response, it’s important to begin with a bird’s-eye view and design a multi-level approach to network security that identifies valuable assets. In addition, all IRPs must be able to balance security protocols with the operations and productivity of deployed systems. The plan should:

  • Conduct a security audit to identify weaknesses.
  • Specify the primary incident response requirements, both regulatory (NIST, PCI DSS, etc.) and business-related (rapid response times, recovery strategies, etc.).
  • Define security incidents and levels of severity clearly.
  • Designate a primary incident response team and backup teams.
  • Delineate a chain of communication and command in case of an incident.