Over the last decade, cybersecurity has emerged as a critical concern for financial institutions. With cyberattacks increasing in frequency and sophistication, it has become imperative for institutions in the financial sector to safeguard sensitive data and implement robust data protection measures. The Dodd-Frank Wall Street Reform and Consumer Protection Act, commonly known as the Dodd-Frank Act, plays a crucial role in regulating the American financial services industry. Among its provisions, the Act requires large bank holding companies to establish board-level risk committees, which give organizations a formal channel for reporting cybersecurity risk to executive teams and the board.
This article explores the importance of establishing board oversight of cybersecurity risks, how the Dodd-Frank Act’s mandatory committees laid the groundwork for this strategy, and additional cybersecurity regulations and processes financial institutions should be aware of.
What is the Dodd-Frank Act?
President Barack Obama signed the Dodd-Frank Act into law in July 2010. The law was created in response to the 2008 financial crisis, aiming to prevent future crises by improving transparency between lenders, regulators, and consumers and by limiting risk-taking in the financial industry. The Act is best known for its consumer protections, such as the creation of the Consumer Financial Protection Bureau, and for the Volcker Rule, which restricts banks from proprietary trading. However, the Dodd-Frank Act also requires large financial institutions to establish independent, board-level risk committees that communicate enterprise-level risks to the board. Section 165(h) applies this requirement to publicly traded bank holding companies with $10 billion or more in total consolidated assets, and the Act's broader set of enhanced prudential standards originally applied at $50 billion (a threshold raised to $250 billion by the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018).
Other regulations under the Dodd-Frank Act
- Financial Stability Oversight Council (FSOC): Established the FSOC to monitor systemic risk and identify threats to the financial stability of the United States
- Orderly Liquidation Authority (OLA): Provided an aggregate mechanism for the orderly liquidation of failing financial institutions that pose a significant risk to the economic stability of the United States
- Volcker Rule: Prohibits banking entities from engaging in proprietary trading and limits their ownership of and investments in hedge funds and private equity funds
- Consumer Financial Protection Bureau (CFPB): Created the CFPB to oversee consumer protection within the financial sector, including regulating mortgages, credit cards, and other consumer financial products and services.
- Office of Credit Ratings: Established the Office of Credit Ratings within the SEC to oversee and regulate credit rating agencies
How does Dodd-Frank’s committee rule relate to cybersecurity?
The average cost of a data breach in the financial sector is $5.9 million, enough to put a small institution out of business and to significantly disrupt the operations of even the most prominent institutions and public companies. Given consequences of that scale, cybersecurity should be treated as a significant enterprise-level risk and should receive the attention of every institution's executive team and board.
Cybersecurity resilience is therefore a board-level concern, not only an IT concern. Financial institutions must develop a comprehensive risk management program, especially those partnering with third-party vendors and service providers. This program should include strategies to manage third-party risks, safeguard sensitive data, and achieve compliance with the applicable regulatory frameworks.
What regulations manage cybersecurity in the financial sector?
Compliance management is one of the primary challenges of cybersecurity in the American financial services sector. Several regulatory bodies and government agencies possess rulemaking and enforcement authority over the financial industry. Multiple regulations also specifically address the cyber resilience and data security of financial institutions and protect the data privacy of American consumers.
The primary regulatory bodies in the financial industry are:
- Federal Trade Commission (FTC): The FTC protects consumers and ensures a competitive market by enforcing antitrust and consumer protection laws over covered entities. It enforces the GLBA Safeguards Rule for non-bank financial institutions and regularly publishes data security guidance for institutions, such as implementing multi-factor authentication (MFA).
- Securities and Exchange Commission (SEC): The SEC oversees securities markets to protect investors, maintain fair and efficient markets, and facilitate capital formation. Its 2023 cybersecurity disclosure rules require public companies to disclose material cybersecurity incidents on Form 8-K and to describe their cyber risk management and board oversight in annual reports.
- Consumer Financial Protection Bureau (CFPB): The CFPB focuses on ensuring consumers receive clear information about financial products and protecting them from abusive financial practices. The CFPB brings enforcement actions against negligent institutions.
- National Institute of Standards and Technology (NIST): NIST is not a regulator; it is a standards body within the Department of Commerce with no enforcement authority. It develops cybersecurity standards and guidelines, such as the Cybersecurity Framework and SP 800-53, that are voluntary unless a regulator or contract adopts them, but examiners and auditors routinely use them as benchmarks.
The primary laws and standards that impose cybersecurity requirements on the American financial industry are:
- Sarbanes-Oxley Act (SOX): SOX mandates reforms to improve corporate financial disclosures and prevent accounting fraud. Its Section 404 internal-control requirements extend to the IT general controls (access management, change management, backups) that protect financial reporting systems.
- Gramm-Leach-Bliley Act (GLBA): GLBA requires financial institutions to explain their information-sharing practices to customers (the Privacy Rule) and to maintain a written information security program that protects customer data (the Safeguards Rule). The FTC's amended Safeguards Rule specifies controls such as MFA, encryption of customer data, and a designated qualified individual responsible for the program.
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is not a law but an internationally recognized industry standard, maintained by the PCI Security Standards Council and enforced contractually by the card brands. It applies to every company that accepts, processes, stores, or transmits cardholder data.
- Bank Secrecy Act (BSA): The BSA is an anti-money-laundering law that requires financial institutions to keep certain records and file suspicious activity reports (SARs). FinCEN guidance treats cyber-enabled crime and certain cyber events, such as intrusions that affect transactions, as reportable under the BSA.
In addition to these regulations, American financial institutions must follow several additional data privacy laws depending on where they conduct business. The California Consumer Privacy Act and the Colorado Privacy Act are examples of state privacy laws.
What are the primary cybersecurity incidents institutions should be aware of?
Financial institutions are prime targets for various cybersecurity threats due to the sensitive and valuable nature of the data they handle. Understanding the main types of cyber incidents can help these institutions implement more effective security measures and response strategies. Below are some of the most critical cybersecurity incidents that financial institutions must be aware of and prepare for.
- Data breaches: Data breaches involve unauthorized access to confidential information, often resulting in the theft of sensitive data such as personal or financial information.
- Ransomware attacks: Ransomware is malware that encrypts a victim's files, with the attacker demanding payment to restore access; many operators also steal data first and threaten to publish it.
- Phishing: Phishing is a fraudulent attempt to obtain sensitive information by disguising the sender as a trustworthy entity in electronic communications, typically through email.
- Business email compromise (BEC): BEC is a sophisticated scam targeting businesses, where attackers impersonate company executives or employees to trick recipients into transferring money or divulging confidential information.
- Insider threats: Insider threats involve malicious or negligent actions by employees, contractors, or business partners that compromise an organization's security or data.
How can financial institutions improve their cyber resilience?
Improving cyber resilience in financial institutions is crucial, and a substantial share of breaches originate with vulnerabilities or compromises at third-party vendors. To mitigate these risks, institutions must focus on fortifying their own information security and establishing comprehensive oversight of their third-party relationships. By proactively managing these external partnerships, financial institutions can better safeguard their financial data and information systems from potential threats.
An overview of an effective TPRM program
A robust third-party risk management (TPRM) program is essential for financial institutions to enhance their cyber resilience. Here are some critical components of an effective TPRM program:
- Vendor due diligence: Thorough due diligence is critical before engaging with a third-party vendor. This process involves evaluating the vendor's security posture, financial stability, the infrastructure it will use to deliver the service, compliance with regulations, and overall risk profile to ensure the vendor meets the institution's accepted level of data protection and operational standards.
- Cybersecurity risk assessments: Conducting regular risk assessments helps identify and address new third-party vulnerabilities that may arise over time. These assessments should be comprehensive, considering changes in the vendor's operations, the threat landscape, and the financial institution's risk tolerance.
- Security questionnaires: Detailed security questionnaires allow financial institutions to gather essential information about vendors' security controls and practices. This process ensures that vendors adhere to the required data security standards and provides a basis for continuous risk evaluation.
- Incident response: An effective TPRM program must include a well-defined incident response plan. This plan should outline the steps to respond to a cybersecurity incident involving a third-party vendor, ensuring a swift and coordinated response to minimize damage and restore operations.
- Compliance management: Effective compliance management ensures that financial institutions and their third-party vendors adhere to all relevant regulatory frameworks and reporting requirements. This management involves regularly reviewing and updating policies to align with new rules and regulations, such as those published in the Federal Register.
- Continuous security monitoring: Continuous monitoring of third-party vendors is vital for maintaining a secure environment. By leveraging automated tools and regular audits, financial institutions can stay informed about their vendors' security practices and quickly address any emerging risks.
By implementing these key components, financial institutions can significantly enhance their cyber resilience and better protect themselves against threats from third-party vendors. Robust protection of customer information and personal data is essential both for compliance with regulatory frameworks and for maintaining customer trust.
How UpGuard can help
UpGuard Vendor Risk is a comprehensive vendor and third-party risk management solution featuring powerful risk assessments, security questionnaires, reporting, and compliance management workflows that harness artificial intelligence to eliminate manual work.
Vendor Risk empowers financial services institutions to protect their supplier ecosystem and improve risk identification, mitigation, and remediation with the following tools and strategies:
- Vendor Security Ratings: UpGuard’s industry-leading ratings are updated daily and provide an accurate snapshot of a vendor’s current security posture.
- Vendor Risk Assessments: UpGuard’s automated risk assessments speed up the vendor assessment process and eliminate time-consuming, manual tasks.
- Security Questionnaires: UpGuard’s questionnaire library and automated workflows enable security teams to get vendor responses with 90% less manual labor.
- Automatic reporting: UpGuard provides instant and scheduled reporting options to help security teams improve collaboration and communication with senior stakeholders.