In today’s world, cybercriminals have turned cyberattacks into a global epidemic.
With ever more sophisticated and timely attacks, they are not just targeting organisations but critical infrastructure and governments.
Earlier this year, ransomware attacks across the world hit critical functions, leaving many of them on hold. The Equifax data breach affected nearly 143 million Americans. It is said that by 2021 the cost of cybercrime to the world could reach £6 trillion every year.
Cybercriminals are most often motivated by money. Ransomware attacks targeting critical infrastructure such as the NHS hold these organisations to ransom by holding their data captive until they pay out. Other attacks target our personal information, known as personally identifiable information or PII, such as our financial records. When this information is stolen it is sold on the dark web for a profit.
It can then be used for identity theft, tax fraud, etc.
This can have long-reaching effects for some: personal information is not easy to change, and it is often almost impossible to track the misuse of PII once a breach has occurred.
Government regulators all around the world realise that, whilst no one is immune to these attacks, a lot more can be done to protect market sectors and critical infrastructure.
As a consequence, new regulations across Europe, Asia, the UK and the US are being implemented to make sure that the proper security measures needed to protect valuable data are in place.
Financial services companies operating in a global market must be aware of new cybersecurity regulations and how they relate to their businesses in order that they remain compliant and can navigate the data rules, especially if they are conducting their businesses across borders. Compliance is crucial, not least as the penalties for non-compliance can include large fines.
Some of the most recently implemented or proposed regulations that will affect the cybersecurity of financial services companies are listed below.
Recent Cybersecurity Regulations
The EU’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018.
The aim of GDPR is to put European citizens back in charge of their data. Consumers will now actively give consent to organizations that wish to process their data and can withdraw consent at any time. Consumers can also request their data be transferred to other organizations. Under GDPR, EU citizens also have the “Right to be Forgotten,” in which they can ask that data be completely erased, or not be processed.
GDPR will apply not only to organizations in Europe, but also to all organizations that process and store data on European citizens, regardless of physical location. Noncompliance can result in fines of $10 million, or 2 percent of worldwide annual turnover for lesser infringements. Severe infringements can result in fines of €20 million, or 4 percent of global turnover, whichever is higher.
In the UK, the government has confirmed that its decision to leave the European Union will not stop its participation in GDPR. The UK is aligning itself with the measures put forth in GDPR through the Data Protection Bill, which updates the UK’s 1998 Data Protection Act. The regulations listed in the Data Protection Bill are largely the same as those in GDPR, with some minor changes addressing journalists and scientific researchers.
China’s Cybersecurity Law was put into effect on June 1, 2017. The Chinese government aims to use this law to better align with industry and global cybersecurity standards by placing additional requirements on network and system security. This law will directly impact the financial services sector as it is considered to be a critical information infrastructure (CII).
In China CII refers to sectors in which a data breach would compromise national security or public welfare.
Under the Cybersecurity Law, CII entities must allow the Chinese authorities access to data upon request.
For financial services companies this means they will also have to demonstrate that their IT infrastructure meets certain specifications and can pass standard cybersecurity tests and certifications.
Any data collected in China about its own citizens can only be stored on servers within the country’s borders and cannot be moved abroad without permission. Failure to comply can result in criminal charges and fines of up to 1 million yuan, or the equivalent of just over $150,000 USD.
Financial services institutions that do business in China therefore not only need to understand and implement the necessary cybersecurity measures, but will also need to understand the controls and restrictions the government places on Chinese data.
Singapore’s Cyber Security Agency proposed a draft of a new Cybersecurity Bill in July 2017. It still has to go through parliament, but as the potential regulations will specifically affect banking institutions, it is worth noting now.
Although similar to the Cybersecurity Law in China, the bill would give the Cyber Security Agency in Singapore greater visibility into, and authority over, how data is used, processed, and stored. It would require CII such as financial services to report any cyber incidents to the Commissioner of Cybersecurity, as well as any modifications of system design or security.
Privacy laws that keep banks from sharing confidential personal information will be overruled by the Cybersecurity Bill, allowing the Cyber Security Agency to access any computer system relevant to an investigation. Lack of compliance can result in fines of up to $100,000 or in extreme cases, up to 10 years imprisonment.
Cybersecurity at both national and state level in the US has seen increasing focus, especially for financial services companies. The New York Department of Financial Services’ (DFS) 23 NYCRR 500 cybersecurity regulation had its first compliance deadline on August 28th.
Banks based in New York now have to report any cyber incidents that could compromise data to the DFS within 72 hours. This includes disruptions by ransomware or DDoS attacks.
There are a series of compliance deadlines that financial services firms must meet over the next two years, with the full transition deadline set for March 2019.
Banks must also have a robust cybersecurity plan and employ a CISO to oversee security processes and maintenance.