Learning from the Financial Sector's Cybersecurity Regulations

Once upon a time, a bank was just a bank, a place where you kept your money until you needed it, and maybe went home with a toaster or a calendar once in a while. Not anymore; today, the bank is a unit in a carefully woven financial infrastructure; if it falls, others may fall as well, compromising business, government, and society as we know it.

That's the attitude of the US Department of Homeland Security, which is designing cyber-protection regulations for the financial industry. Are banks the only institutions that need such regulations? If a cyber-attack puts 100,000 people out of work for two weeks, is that not as serious a threat to the stability of society as a hacked bank?

That financial institutions have become critical to the functioning of society is clear with just a glance at the headlines. “Petya Ransomware Creates Global Chaos” is typical of the stories about the latest mega-cyber threat the world faces - as they were typical of May’s mega-threat, the WannaCry ransomware attack. Global chaos, it seems, is actually the result of many of the recent cyber-attacks that have plagued the business world.

As alarmist as these headlines may be, the DHS is not taking chances. The agency is developing a Financial Services Sector-Specific Plan, designed to ensure that a cyber-attack does not bring the financial sector to its knees. “The Financial Services Sector faces a complex and evolving risk environment,” says DHS in its report, and protecting the system is going to require great effort by financial regulators on all levels. The Group of Seven industrial nations has issued a similar plan - like the DHS plan, based on nonbinding guidelines.

Unlike the DHS and G7 plans, the European Union's guidelines have legislative teeth. Its General Data Protection Regulation (GDPR) requires institutions to ensure that data is protected (and that the financial system is secure), with sanctions built in for those who fail to provide adequate protection.

In all three systems, the recommendations include collaboration and information-sharing between relevant institutions (government, banks, regulators) on attacks and defense systems, education efforts to ensure that employees do not admit malware into the network, involving experts who can best recommend how an institution can defend itself, and adopting tough standards, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, in order to keep the system safe. In addition, firms have to appoint an expert who will be responsible for cybersecurity, meaning they will have to be familiar with the products and services available that can provide solutions for specific needs.

What about other areas, like government, communications, or healthcare? Regulations are starting to appear at the federal government level. In May, President Trump issued an executive order requiring agencies to submit their cyber-defense plans to the Office of Budget and Management. That is just for federal agencies; local and state governments are more or less on their own, and those organizations have suffered many breaches and ransomware attacks.

It’s the same for hospitals, which are prime targets for hackers and ransomware-mongers. What if a hacker managed to shut down a data center for even a day? Forget about a day; all it took was five hours of an AWS outage to bring business to a screeching halt for thousands of organizations.

All these institutions and organizations are at risk – great risk – despite the fact that they, too, are regulated to an extent, like financial institutions. What about businesses? What about the manufacturers, retail outlets, and supply chain members that are the fabric of society? What would happen if, for example, hackers were able to disable the system by which meat and dairy are distributed to supermarkets from distribution centers for a week? That, too, is critical for the functioning of society – but unlike with banks, there is no one to tell them what to do to defend themselves, and how to do it.

For some, that will mean adopting the regulations and methods that banks themselves will be required to deploy – information sharing, compliance officers, thorough examination of solutions, etc. One idea that can help these organizations is network segregation, where internal corporate networks containing information on the organization’s business and budget are kept separate from the external network, used for internet, email, etc. Financial institutions are already required to do this, and other businesses and organizations would do well to adopt this practice.
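To make the network segregation idea concrete, here is an added example (not code from the article or from any regulator's guidance) that expresses such a policy as a default-deny zone model and audits constructed flow records against it. The zone address ranges, the proxy and mail-relay ports, and the log format are all assumptions chosen for illustration; the point is that internal hosts never talk to the internet directly, only through a mediated DMZ path, and that any flow not explicitly allowed is flagged for review.

```python
import ipaddress

# Constructed zone definitions (assumed, illustrative ranges; not any real network).
# "internal" holds business and budget systems; "dmz" holds the web proxy and
# mail relay; anything outside those ranges is treated as "external" (internet).
ZONES = {
    "internal": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("10.20.0.0/24")],
}

# Explicit allow list of (source zone, destination zone, destination port).
# Every flow not listed here is denied: internal hosts reach the internet only
# via the proxy and mail relay in the DMZ, and nothing external or in the DMZ
# may initiate connections into the internal network.
ALLOW = {
    ("internal", "dmz", 3128),   # workstations -> web proxy (assumed port)
    ("internal", "dmz", 25),     # internal mail server -> relay
    ("dmz", "external", 80),     # proxy -> internet
    ("dmz", "external", 443),    # proxy -> internet
    ("dmz", "external", 25),     # relay -> internet
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are external by default."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default-deny check of a single flow against the zone policy."""
    return (zone_of(src), zone_of(dst), port) in ALLOW


def parse_flow(line: str):
    """Parse one constructed flow record: '<timestamp> <src> <dst> <port>'."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def audit(lines):
    """Return the flows that violate the policy, with the zones involved."""
    violations = []
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if not is_allowed(src, dst, port):
            violations.append({
                "time": ts,
                "src": src, "src_zone": zone_of(src),
                "dst": dst, "dst_zone": zone_of(dst),
                "port": port,
            })
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "2017-06-28T10:00:01 10.10.5.23 10.20.0.10 3128",    # allowed: via proxy
    "2017-06-28T10:00:02 10.20.0.10 203.0.113.7 443",    # allowed: proxy egress
    "2017-06-28T10:00:03 10.10.5.23 203.0.113.7 443",    # denied: direct egress
    "2017-06-28T10:00:04 198.51.100.9 10.10.40.2 445",   # denied: inbound to internal
    "2017-06-28T10:00:05 10.20.0.10 10.10.40.2 445",     # denied: DMZ into internal
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"{v['time']} DENY {v['src']} ({v['src_zone']}) -> "
              f"{v['dst']} ({v['dst_zone']}):{v['port']}")
```

Run over the sample records, the audit reports exactly the three flows that bypass the segregation: a workstation going straight to the internet, an external host reaching into the internal range, and a DMZ host connecting inward. Expressing the policy as an allow list rather than a block list is what makes the model default-deny; a flow that was never anticipated is flagged rather than silently permitted.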

Regardless of what system they adopt, these organizations need to step up their cyber-security game and stand to gain inspiration from their financial counterparts. While banks are part of everyone's critical infrastructure, the auto assembly plant, real estate office, hotel, or any other business where an individual earns an income to feed his or her family is part of their own ‘critical infrastructure’. Seen from that perspective, the people responsible for cybersecurity in those organizations have a great deal to think about.
