The proliferation of cyberattacks targeting the financial sector has forced the establishment of several mandatory cybersecurity regulations. Though often considered an unnecessary burden on security teams, regulatory compliance is one of the most effective strategies for keeping financial services accountable for their security posture.
Cybersecurity regulations must be malleable to remain relevant in a rapidly evolving threat landscape. This means the financial sector must constantly keep track of changes to existing regulations as well as the establishment of new information security standards.
The stress of such a burden is unnecessarily amplified by the lack of a reliable reference for all the regulations impacting financial institutions.
To address this silent frustration, we've compiled a list of all the primary cybersecurity regulations impacting the financial services industry. Each item is also supported with compliance resources and details of penalties for non-compliance.
To learn which regulations impact you and how to maintain compliance in the financial sector, read on.
A Brief Overview of Cybersecurity Compliance in the Finance Sector
To iron out all of the wrinkles created by piecing together different online resources, it's helpful to take a step back and review the details of financial compliance.
What is Financial Cybersecurity Compliance?
Financial cybersecurity compliance is the adherence to laws and security regulations setting the minimum standard for data security within the financial industry.
These regulations are established either by governments or by authoritative security bodies, and they apply across the entire financial services industry, including:
- Commercial Banks
- Investment Banks
- Insurance Companies
- Brokerage Firms
- CPA Firms
- Wealth Management Services
- Mutual Funds
- Credit Unions
The Problem with Regulatory Compliance in Finance
One of the main problems disrupting cybersecurity compliance in the financial sector is the sheer volume of different security standards and the significant overlaps between them - an expected problem for the most heavily regulated of all industries.
This can be resolved by only focusing on regulations that are mandatory for financial organizations, and avoiding those that are optional.
The benefit of still implementing optional regulatory standards is that the addition of their security controls could further decrease cybersecurity risks.
However, this effort is usually counter-productive because of the overlap in security controls between mandatory and optional standards.
A much better alternative is to implement security solutions offering the desirable security benefits of optional standards, rather than overwhelming security teams with entire optional frameworks and their redundant security controls.
Understanding the difference between a regulation and a cyber framework is a critical prerequisite to achieving compliance with any financial regulation. This post explains the difference between the two.
Top 9 Cybersecurity Regulations in the Financial Sector
Each of the following cybersecurity regulations supports customer data security and data breach resilience. To aid in understanding this complex subject, the following useful information is also included alongside each listed regulation:
- List of impacted regions
- Whether or not the regulation is mandatory
- Fines for non-compliance
- Links to compliance resources
This list is not presented in any intentional order.
EU-GDPR
The European General Data Protection Regulation (EU-GDPR) is a security framework by the European Union designed to protect its citizens from personal data compromise.
All businesses processing data linked to EU citizens, either manually or through automated mechanisms, must comply with the GDPR.
Examples of data processing include:
- Website form submissions.
- Collecting cookie data from web visitors.
- Sending marketing emails.
- Storing IP addresses.
- Posting photos or personal details about an individual on a website.
- Shredding documents containing personal information.
The GDPR outlines separate security guidelines for both data controllers and data processors to secure the entire lifecycle of user data.
Is Complying with the GDPR Mandatory?
Yes. The EU mandates GDPR compliance for financial services collecting or processing personal data from EU residents, regardless of the physical location of the business.
For example, a business selling a SaaS solution to an international customer base - including Europe - would need to comply with the GDPR even if the business's headquarters are located in the United States.
According to a PwC survey, 92% of U.S. companies categorize GDPR compliance as a top priority.
GDPR compliance for third-party vendors is most efficiently tracked through GDPR-specific security questionnaires - this type of questionnaire is available on the UpGuard Platform.
What Countries are Covered by the GDPR?
Any organization must comply with the GDPR if it processes the data from EU citizens, meaning residents of the following countries:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom
If your business model is open to international customers, it's safest to comply with the GDPR to protect you in the event an EU resident interacts with your website.
What are the Penalties for GDPR Non-Compliance?
The maximum fine is €20 million (about 23 million USD), or 4% of annual turnover (whichever is larger).
GDPR Compliance Resources
The following list of free resources could help organizations achieve GDPR compliance:
- 10 Step Checklist: How to be GDPR Compliant in 2021 (UpGuard)
- Everything You Need to Know About GDPR Compliance (GDPR.EU)
UK-GDPR
Brexit has removed the United Kingdom from any affiliations with European policies, including the European GDPR.
This has prompted the UK to create its own version of the EU-GDPR known as the United Kingdom General Data Protection Regulation (UK-GDPR).
That said, the EU-GDPR still applies in the United Kingdom because it has been retained in domestic law as the UK-GDPR.
In other words, the UK-GDPR retains the EU-GDPR's provisions; they have just been slightly modified to accommodate certain areas of domestic law in the United Kingdom.
Another difference is that the UK-GDPR is solely focused on the protection of the personal data of UK residents.
Is Complying with the UK-GDPR Mandatory?
Yes. Any business collecting or processing private data from individuals located in the United Kingdom must comply with the UK-GDPR.
What Countries are Covered by the UK GDPR?
The UK GDPR covers every country in the United Kingdom.
What are the Penalties for UK-GDPR Non-Compliance?
The maximum fine for not complying with the UK GDPR is £17.5 million or 4% of annual global turnover (whichever is greater).
UK-GDPR Compliance Resources
The following list of free resources could support UK-GDPR compliance:
- The Data Protection Act 2018 (Gov.uk)
- Comparisons: DPA 1998 v UK GDPR and DPA 2018 (Thomson Reuters Practical Law)
- Guide to the UK General Data Protection Regulation (Information Commissioner's Office)
SOX
The Sarbanes-Oxley (SOX) Act of 2002 is a law passed by the U.S. Congress to protect investors from financial scams.
The SOX framework outlines best security practices for avoiding fraudulent financial transactions through a system of internal checks.
Recently, SOX has evolved into more than just a framework for ensuring financial record accuracy. It now includes cybersecurity components to ensure financial institutions address common cybersecurity risks that could impact financial activity.
One example of such a cyber threat is phishing. In these attacks, hackers commonly pose as CEOs and CFOs to convince staff to initiate fraudulent transactions. Ubiquiti suffered from such an event.
SOX compliance now also supports the implementation of security controls across resources and IT infrastructures housing financial data.
Is Complying with SOX Mandatory?
SOX compliance is mandatory for all public companies, including those in the financial sector.
Because SOX shares common security controls with the NIST Cybersecurity Framework, SOX compliance can be supported with the following controls from the NIST Cybersecurity Framework (CSF):
- Deploy risk assessments - Risk assessments are one of the best ways of discovering deficiencies in regulatory compliance, both internally and for each third-party vendor.
- Protect critical assets - Assets housing sensitive information critical to business continuity require significant protection against cybercriminals. This process begins by identifying all critical assets and quantifying the business impact if they're compromised.
- Establish a regular auditing schedule - To prove SOX compliance, two yearly audits are required - one by an external independent auditing body and another by the organization - to highlight internal controls and management's contributions to supporting continuous improvement in financial data protection.
- Harmonize cybersecurity initiatives - To support rapid security posture improvements, governance is required to harmonize security efforts throughout the organization. Deep attack surface visibility is key to achieving this.
- Ensure business continuity - Establish policies demonstrating business continuity in the event of a cyberattack. This can be achieved with an Incident Response Plan (IRP).
What Countries are Impacted by SOX?
Only public organizations in the United States are expected to comply with SOX.
What are the Penalties for Not Complying with SOX?
The penalties for not complying with SOX include:
- Public stock exchange delisting
- Loss of Directors and Officers (D&O) Liability Insurance
- Removal of directors
Management is also penalized, with the severity increasing when fraud is intentional.
If a CEO or CFO intentionally certifies a periodic report that doesn't comply with SOX:
- They could be imprisoned for up to 10 years.
- They could be fined up to $1 million.
If a CEO or CFO intentionally falsifies certification:
- They could be imprisoned for up to 20 years.
- They could be fined up to $5 million.
SOX Compliance Resources
The following list of free resources could help organizations achieve SOX compliance:
- What is SOX Compliance? 2021 Requirements, Controls, and More (UpGuard).
- Sarbanes-Oxley Section 404: A Guide for Small Business (SEC).
- Sarbanes-Oxley (SOX) Compliance Requirements (McAfee).
PCI DSS
The Payment Card Industry (PCI) Data Security Standard (DSS) - PCI DSS for short - is a set of standards for reducing credit card fraud and protecting the personal details of credit cardholders.
The security controls of this regulation are designed to secure the three primary stages of the cardholder data lifecycle:
- Processing
- Storage
- Transfer
Is Complying with PCI DSS Mandatory?
Every organization that processes customer credit card information must comply with PCI DSS, including merchants and payment solution providers.
What Countries are Impacted by PCI DSS?
PCI DSS is an internationally recognized standard that applies to all entities globally that process credit card data.
Merchants are expected to complete Self-Assessment Questionnaires (SAQs) to validate compliance. The required compliance process varies with the size of the merchant.
For example, enterprise merchants processing millions of transactions require annual onsite audits conducted by a Qualified Security Assessor.
What are the Penalties for Not Complying with PCI DSS?
Failure to comply with PCI DSS could result in fines ranging from $5,000 to $100,000 per month until compliance is achieved.
PCI DSS Compliance Resources
The following list of free resources could help organizations achieve PCI DSS compliance:
- PCI Compliance Without the Headache (UpGuard).
- Best Practices for Cybersecurity Compliance Monitoring in 2021 (UpGuard).
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire (PCI Security Standards).
- How to prepare for a PCI DSS audit (UpGuard).
- Meeting the Third-Party Risk Requirements of PCI DSS (UpGuard).
BSA
The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, aims to prevent financial institutions from being used to launder money, whether willfully or as a result of compromise during a cyberattack.
The BSA requires financial institutions to work alongside the U.S. Government in the fight against financial crime.
BSA compliance is regulated by the Office of the Comptroller of the Currency (OCC) through regular audits. Banks are expected to verify the legitimacy of all currency transactions.
Under the BSA, national banks are expected to institute controls that:
- Detect and deter money laundering activities
- Detect terrorist financing
- Facilitate the timely notification of money laundering activities to law enforcement
To mitigate the compromise of internal financial activities, banks are expected to outline clear data breach remediation workflows in their Incident Response Plan.
Is Complying with the Bank Secrecy Act (BSA) Mandatory?
Compliance with the BSA is mandatory for financial institutions accepting money from customers including:
- National Banks
- Federal Branches
- Agencies of Foreign Banks
- Federal Savings Associations
Under the BSA, all large transactions exceeding $10,000 need to be reported by submitting Form 8300 by the 15th day after the event took place.
What Countries are Impacted by the Bank Secrecy Act (BSA)?
The BSA is the primary anti-money laundering law in the United States.
What are the Penalties for Not Complying with the Bank Secrecy Act (BSA)?
An individual or bank employee found guilty of willfully violating the BSA could be fined up to $250,000 and jailed for up to five years.
Bank Secrecy Act (BSA) Compliance Resources
The following list of free resources could help organizations achieve compliance with the Bank Secrecy Act (BSA):
- BSA/AML Manual (FFIEC).
- Bank Secrecy Act (OCC).
- Bank Secrecy Act / Anti-Money Laundering (FDIC).
GLBA
The Gramm–Leach–Bliley Act (GLBA) requires financial institutions to protect customer data and honestly disclose all data-sharing practices with customers.
Under this U.S. law, financial entities must establish security controls to protect customer information from any events threatening data integrity and safety. This includes strict access controls on financial information to mitigate the chances of unauthorized access and compromise.
Entities expected to comply with GLBA are also likely required to comply with the FTC Safeguards Rule (a subset of the GLBA).
Learn how to comply with the FTC Safeguards Rule.
Is GLBA Compliance Mandatory?
Yes. GLBA compliance is mandatory for all U.S. organizations selling financial products or services.
The financial entities that must comply with GLBA include those that:
- Sell financial products.
- Sell or offer financial services.
- Offer financial loans.
- Offer any financial or investment advice.
- Sell insurance.
What are the Penalties for Not Complying with the Gramm–Leach–Bliley Act (GLBA)?
There are separate penalties for non-compliance, applicable to the violating organization and to its officers and directors.
The penalties for violating organizations are:
- A civil penalty of up to $100,000 per violation.
- Fines in accordance with Title 18 of the United States Code.
The penalties for violating officers and directors are:
- A civil penalty of up to $10,000 per violation.
- Imprisonment up to 5 years.
Gramm–Leach–Bliley Act (GLBA) Compliance Resources
The following list of free resources could help organizations achieve compliance with the Gramm–Leach–Bliley Act (GLBA):
- GLBA Compliance Requirements (McAfee).
- What is the Gramm-Leach-Bliley Act (UpGuard).
- Gramm-Leach-Bliley Act (Federal Trade Commission).
PSD 2
The Payment Services Directive (PSD 2) is a directive by the European Union supporting competition in the banking sector.
PSD 2 is part of the Payment Card Industry Data Security Standard (PCI DSS) for financial data security.
To ensure banking activities in the EU remain secure, PSD 2 also includes requirements for protecting online payments, enhancing customer data security, and strong customer authentication (e.g., multi-factor authentication).
Is PSD 2 Compliance Mandatory?
Yes. All banks and financial institutions in the European Union must comply with the PSD 2 directives.
What is the Penalty for Not Complying with PSD 2?
The penalty for not complying with PSD 2 is a fine of up to €20 million (approx. 23 million USD) or 4% of annual revenue (whichever is greater).
Which Countries are Impacted by PSD 2?
All countries in the European Union are impacted by PSD 2.
PSD 2 Compliance Resources
The following list of free resources could help organizations achieve compliance with the Payment Services Directive (PSD 2).
- PSD2 Regulation - Get ready with Thales (Thales).
- PSD2 Regulation: How to Be PSD2 Compliant (Jotform).
- Payment Services Directive (Adobe).
FFIEC
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that aims to prescribe uniform principles of best practices for financial institutions.
The FFIEC is governed by the following five financial regulators:
- The Board of Governors of the Federal Reserve (FRB) - regulates domestic banks.
- The Federal Deposit Insurance Corporation (FDIC) - regulates federal banks.
- The Office of the Comptroller of the Currency (OCC) - regulates federal banks.
- The National Credit Union Administration (NCUA) - regulates credit unions.
- The Consumer Financial Protection Bureau (CFPB) - regulates banks, thrifts, and credit unions.
The FFIEC outlines its cybersecurity guidelines in its Information Technology Examination Handbook series, consisting of the following 10 handbooks:
- Audit.
- Business Continuity.
- Development and Acquisition.
- Information Security.
- Management.
- Architecture, Infrastructure, and Operations.
- Outsourcing Technology Services.
- Retail Payment Systems.
- Supervision of Technology Service Providers.
- Wholesale Payment Systems.
All of these booklets can be accessed via the complete FFIEC IT Handbook.
Is Complying with FFIEC Mandatory?
Yes. All federally supervised financial institutions, including their subsidiaries, need to comply with FFIEC regulations.
Learn how to comply with the third-party risk requirements of the FFIEC.
What Countries are Covered by the FFIEC?
FFIEC regulations apply to financial entities in the United States.
What are the Penalties for FFIEC Non-Compliance?
Non-compliance with FFIEC regulations could result in fines of up to $2 million.
FFIEC Compliance Resources
The following list of free resources could support FFIEC compliance:
- FFIEC IT Booklets (FFIEC).
Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is an EU regulation set by the European Council to enhance cybersecurity and operational resilience across financial institutions and ICT service providers through standardized technical requirements.
Developed as part of Europe’s Digital Finance Strategy, DORA aims to consolidate various national ICT risk management frameworks into a unified standard. It complements existing regulations like the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
Additionally, DORA mandates Critical ICT Third-Party service providers (CTPPs) to adhere to these standards, overseen by three European Supervisory Authorities (ESAs):
- The European Banking Authority (EBA)
- The European Insurance and Occupational Pensions Authority (EIOPA)
- The European Securities and Markets Authority (ESMA)
Compliance is monitored through off-site and on-site inspections, requiring detailed submissions like service information and incident reports.
Is Compliance with DORA Mandatory?
Compliance with DORA is mandatory for all financial entities regulated at the European Union level, including:
- The financial services industry
- Payment institutions
- Investment firms
- Insurance companies
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
- Data analytics and audit services
- Fintech
- Trading venues
- Financial system providers
- Credit institutions
Additionally, third-party ICT service providers for financial entities are within the scope of DORA requirements.
What Countries are Covered by DORA?
DORA applies to all member states of the European Union.
What are the Penalties for DORA Non-Compliance?
Penalties for failing to comply with DORA are enforced by designated regulators in each EU member state, referred to as "competent authorities." Non-compliance can lead to many consequences, including administrative fines, corrective actions, public reprimands, withdrawal of authorization, and compensation for any damages caused.
Entities covered by DORA that fail to meet its standards may face fines of up to 1% of their average daily global turnover from the previous business year.
DORA Compliance Resources
- Digital Operational Resilience Act (European Insurance and Occupational Pensions Authority)
- DORA Compliance Checklist (UpGuard)
- DORA Gap Analysis Template Workbook (UpGuard)
- Free DORA risk assessment template (UpGuard)
How to Maintain Cybersecurity Compliance in the Financial Sector
Many of the overlapping security controls across these regulations can be addressed with the following best cybersecurity practices.
Implement a Zero-Trust Architecture (ZTA)
A zero-trust architecture assumes all network activity is malicious until proven otherwise. This model encourages stricter privileged access management, making it more difficult for cybercriminals to reach sensitive resources.
Implement a Third-Party Risk Management Program
A TPRM solution will secure the entire third-party vendor network by testing compliance with security assessments and confirming cybersecurity improvements with security ratings.
Advanced TPRM solutions can also map security assessment responses to mandatory regulations associated with each vendor to uncover deficiencies preventing compliance.
Detect and Shut Down Data Leaks
Data leaks don't only make data breaches happen faster, they also expose sensitive information that could violate regulation guidelines.
A data leak detection solution capable of addressing these exposures both internally and throughout the vendor network could prevent overlooked regulatory violations and their associated penalties.
Use an Attack Surface Monitoring Solution
An attack surface monitoring solution will aid in the rapid detection and remediation of vulnerabilities that could facilitate data breaches. Such a solution helps financial services improve their security posture and meet the strict cyber resilience expectations of most regulations.
UpGuard has developed an attack surface management solution specifically designed to address the unique cybersecurity risks and regulatory compliance requirements of the finance industry.