The proliferation of cyberattacks targeting the financial sector has forced the establishment of several mandatory cybersecurity regulations. Though often considered an unnecessary burden on security teams, regulatory compliance is one of the most effective strategies for keeping financial services accountable for their security posture.
Cybersecurity regulations must be malleable to remain relevant in a rapidly evolving threat landscape. This means the financial sector must constantly keep track of changes to existing regulations as well as the establishment of new information security standards.
The stress of such a burden is unnecessarily amplified by the lack of a reliable reference for all the regulations impacting financial institutions.
To address this silent frustration we've compiled a list of all the primary cybersecurity regulations impacting the financial services industry. Each item is also supported with compliance resources and details of penalties for non-compliance.
To learn which regulations impact you and how to maintain compliance in the financial sector, read on.
A Brief Overview of Cybersecurity Compliance in the Finance Sector
To iron out all of the wrinkles created by piecing together different online resources, it's helpful to take a step back and review the details of financial compliance.
What is Financial Cybersecurity Compliance?
Financial cybersecurity compliance is the adherence to laws and security regulations setting the minimum standard for data security within the financial industry.
These regulations are either established by governments or authoritative security bodies and their application impacts the entire financial services industry, including:
- Commercial Banks
- Investment Banks
- Insurance Companies
- Brokerage Firms
- CPA Firms
- Wealth Management Services
- Mutual Funds
- Credit Unions
The Problem with Regulatory Compliance in Finance
One of the main problems disrupting cybersecurity compliance in the financial sector is the sheer volume of different security standards and the significant overlaps between them - an expected problem for the most heavily regulated of all industries.
This can be resolved by only focusing on regulations that are mandatory for financial organizations, and avoiding those that are optional.
The benefit of still implementing optional regulatory standards is that the addition of their security controls could further decrease cybersecurity risks.
However, this effort is usually counter-productive because of the overlap in security controls between mandatory and optional standards.
A much better alternative is to implement security solutions offering the desirable security benefits of optional standards, rather than overwhelming security teams with entire optional frameworks and their redundant security controls.
Top 13 Cybersecurity Regulations in the Financial Sector
Each of the following cybersecurity regulations supports customer data security and data breach resilience. To aid in understanding this complex subject, the following useful information is also included alongside each listed regulation:
- List of impacted regions
- Whether or not the regulation is mandatory
- Fines for non-compliance
- Links to compliance resources
This list is not presented in any intentional order.
The European General Data Protection Regulation (EU-GDPR) is a security framework by the European Union designed to protect its citizens from personal data compromise.
All businesses processing data linked to EU citizens, either manually or through automated mechanisms, must comply with the GDPR.
Examples of data processing include:
- Website form submissions.
- Collecting cookie data from web visitors.
- Sending marketing emails.
- Storing IP addresses.
- Posting photos or personal details about an individual on a website.
- Shredding documents containing personal information.
The GDPR outlines separate security guidelines for both data controllers and data processors to secure the entire lifecycle of user data.
Is Complying with the GDPR Mandatory?
Yes. The EU mandates GDPR compliance for financial services collecting or processing personal data from EU residents, regardless of the physical location of the business.
For example, a business selling a SaaS solution to an international customer base - including Europe - would need to comply with the GDPR even if the business's headquarters are located in the United States.
According to a PwC survey, 92% of U.S. companies categorize GDPR compliance as a top priority.
GDPR compliance for third-party vendors is most efficiently tracked through GDPR-specific security questionnaires - this type of questionnaire is available on the UpGuard Platform.
What Countries are Covered by the GDPR?
Any organization must comply with the GDPR if it processes data from EU citizens, meaning residents of the following countries:
- Republic of Cyprus
- Czech Republic
- United Kingdom
If your business model is open to international customers, it's safest to comply with the GDPR to protect you in the event an EU resident interacts with your website.
What are the Penalties for GDPR Non-Compliance?
The maximum fine is €20 million (about 23 million USD), or 4% of annual turnover (whichever is larger).
GDPR Compliance Resources
The following list of free resources could help organizations achieve GDPR compliance:
- 10 Step Checklist: How to be GDPR Compliant in 2021 (UpGuard)
- Everything You Need to Know About GDPR Compliance (GDPR.EU)
Brexit has removed the United Kingdom from any affiliations with European policies, including the European GDPR.
This has prompted the UK to create its own version of the EU-GDPR known as the United Kingdom General Data Protection Regulation (UK-GDPR).
That said, the EU-GDPR still applies to the United Kingdom because it's retained in domestic law as the UK-GDPR.
In other words, the UK-GDPR still retains EU-GDPR laws, they've just been slightly modified to accommodate certain areas of domestic law in the United Kingdom.
Another difference is that the UK-GDPR is solely focused on the protection of the personal data of UK residents.
Is Complying with the UK-GDPR Mandatory?
Yes. Any business collecting or processing private data from individuals located in the United Kingdom must comply with the UK-GDPR.
What Countries are Covered by the UK GDPR?
The UK GDPR covers every country in the United Kingdom.
What are the Penalties for UK-GDPR Non-Compliance?
The maximum fine for not complying with the UK GDPR is £17.5 million or 4% of annual global turnover (whichever is greater).
UK-GDPR Compliance Resources
The following list of free resources could support UK-GDPR compliance:
- The Data Protection Act 2018 (Gov.uk)
- Comparisons: DPA 1998 v UK GDPR and DPA 2018 (Thomson Reuters Practical Law)
- Guide to the UK General Data Protection Regulation (Information Commissioner's Office)
ISO/IEC 27001 is an internationally recognized standard for reducing security risks and protecting information systems.
ISO/IEC 27001 is comprised of a set of security policies and processes that offer organizations across any industry guidance on how to improve their security posture.
Because ISO/IEC 27001 is an internationally recognized standard for cyber attack resilience, financial entities wishing to demonstrate their exemplary cybersecurity practices to stakeholders should pursue ISO 27001 certification.
Is Complying with ISO/IEC 27001 Mandatory?
ISO 27001 is not mandatory in most countries. However, because of the advanced protection of sensitive data offered by the framework, it's highly recommended for the financial services sector.
Other highly regulated industries, such as healthcare, can also demonstrate their cybersecurity due diligence with ISO 27001 certification.
Financial service providers not wishing to pursue the effort of ISO 27001 certification could still improve their cybersecurity by complying with the framework's list of domains and controls.
Certification is only recommended if an organization wishes to publicly display proof of ISO/IEC 27001 compliance.
The other benefit of adopting this framework is that it could assist with GDPR compliance when coupled with an Information Security Management System (ISMS).
Which Countries are Impacted by ISO/IEC 27001?
ISO/IEC 27001 is an internationally recognized standard, so it can be adopted by organizations in any country.
What are the Penalties for Not Complying with ISO 27001?
Because ISO 27001 is not mandatory, there are currently no penalties for non-compliance.
ISO/IEC 27001 Compliance Resources
The following list of free resources could help organizations achieve ISO/IEC compliance:
The National Institute of Standards and Technology (NIST) is the United States' equivalent of the International Organization for Standardization (ISO) - an international organization governing national standards bodies.
Like the ISO, NIST covers a range of information security standards including cybersecurity compliance, namely NIST Special Publication (SP) 800-53.
Originally, NIST 800-53 only related to federal and government entities, but the latest revision of the publication - revision 5 - has broadened its focus to also apply to non-government entities.
Besides having a greater emphasis on data protection than previous revisions, NIST 800-53 revision 5 also now includes a unified set of controls to accommodate the harmonization of multiple regulations.
Is Complying with NIST Mandatory?
NIST compliance is mandatory for all federal entities and their contractors.
NIST compliance is voluntary for all businesses in the private sector, including finance.
However, there are still many benefits for financial services implementing the NIST framework.
Here are the top 3 benefits.
Benefit #1: The NIST framework is free
Because of this, financial institutions that don't yet have a cybersecurity program, such as startups, don't need to develop their own framework from the ground up.
The NIST framework can be adopted to raise the security posture of any business up to a resilient level.
Benefit #2: The NIST framework is flexible
The flexible design of the NIST framework means it can be easily moulded to any industry - even financial services.
Its flexibility, free price tag, and effective risk management make NIST an intelligent option for financial institutions with a limited budget seeking to improve their cybersecurity.
Benefit #3: NIST integrates well with other regulations
NIST helps solve the problem of security control duplicates between multiple regulations by mapping to other frameworks such as FFIEC and ISO 27002.
NIST compliance for third-party vendors is most efficiently tracked through NIST 800-53-specific security questionnaires - this type of questionnaire is available on the UpGuard Platform.
Which Countries Does NIST Apply To?
NIST can be adopted by any business in any country because the framework maps to globally accepted standards.
What are the Penalties for Not Complying with NIST?
Government agencies, as well as their contractors and vendors, that don't comply with NIST risk losing all federal funding.
In the United States, NIST compliance is enforced under the Federal Information Security Management Act (FISMA).
NIST Compliance Resources
The following list of free resources could help organizations achieve NIST compliance.
- Tips for NIST SP 800-53 Compliance (UpGuard).
- NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001 (NIST).
- NIST Risk Management Framework (NIST).
The Sarbanes-Oxley (SOX) Act of 2002 is a law passed by the U.S. Congress to protect investors from financial scams.
The SOX framework outlines best security practices for avoiding fraudulent financial transactions through a system of internal checks.
Recently, SOX has evolved into more than just a framework for ensuring financial record accuracy. It now includes cybersecurity components to ensure financial institutions address common cybersecurity risks that could impact financial activity.
An example of such a cyber threat is phishing attacks. During these attacks, hackers commonly pose as CEOs and CFOs to convince staff to initiate fraudulent transactions. Ubiquiti suffered from such an event.
SOX compliance now also supports the implementation of security controls across resources and IT infrastructures housing financial data.
Is Complying with SOX Mandatory?
SOX compliance is mandatory for all public companies, including those in the financial sector.
Because SOX shares common security controls with NIST, SOX compliance can be supported with the following controls from the NIST Cybersecurity Framework (CSF):
- Deploy risk assessments - Risk assessments are one of the best ways of discovering deficiencies in regulatory compliance, both internally and for each third-party vendor.
- Protect critical assets - Assets housing sensitive information critical to business continuity require significant protection against cybercriminals. This process begins by identifying all critical assets and quantifying the business impact if they're compromised.
- Establish a regular auditing schedule - To prove SOX compliance, two yearly audits are required - one by an external independent auditing body and another by the organization - to highlight internal controls and management's contributions to supporting continuous improvement in financial data protection.
- Harmonize cybersecurity initiatives - To support rapid security posture improvements, governance is required to harmonize security efforts throughout the organization. Deep attack surface visibility is key to achieving this.
- Ensure business continuity - Establish policies demonstrating business continuity in the event of a cyberattack. This can be achieved with an Incident Response Plan (IRP).
What Countries are Impacted by SOX?
Only public organizations in the United States are expected to comply with SOX.
What are the Penalties for Not Complying with SOX?
The penalties for not complying with SOX include:
- Public stock exchange delisting
- Loss of Directors and Officers (D&O) liability insurance
- Removal of directors
Management is also penalized, with the severity increasing when fraud is intentional.
If a CEO or CFO intentionally certifies a periodic report that doesn't comply with SOX:
- They could be imprisoned for up to 10 years.
- They could be fined up to $1 million.
If a CEO or CFO intentionally falsifies certification:
- They could be imprisoned for up to 20 years.
- They could be fined up to $5 million.
SOX Compliance Resources
The following list of free resources could help organizations achieve SOX compliance:
- What is SOX Compliance? 2021 Requirements, Controls, and More (UpGuard).
- Sarbanes-Oxley Section 404: A Guide for Small Business (SEC).
- Sarbanes-Oxley (SOX) Compliance Requirements (McAfee).
Payment Card Industry (PCI) Data Security Standards (DSS) - PCI DSS for short - is a set of standards for reducing credit card fraud and protecting the personal details of credit cardholders.
The security controls of this regulation are designed to secure the three primary stages of the cardholder data lifecycle:
Is Complying with PCI DSS Mandatory?
Every organization that processes customer credit card information must comply with PCI DSS, including merchants and payment solution providers.
What Countries are Impacted by PCI DSS?
PCI DSS is an internationally recognized standard that applies to all entities globally that process credit card data.
Merchants are expected to complete Self Assessment Questionnaires (SAQs) to validate compliance. There are varying degrees of compliance processes depending on the size of the merchant.
For example, enterprise merchants processing millions of transactions require annual onsite audits conducted by a Qualified Security Assessor.
What are the Penalties for Not Complying with PCI DSS?
Failure to comply with PCI DSS could result in fines ranging from $5,000 to $100,000 per month until compliance is achieved.
PCI DSS Compliance Resources
The following list of free resources could help organizations achieve PCI DSS compliance:
- PCI Compliance Without the Headache (UpGuard).
- Best Practices for Cybersecurity Compliance Monitoring in 2021 (UpGuard).
- Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire (PCI Security Standards).
- How to prepare for a PCI DSS audit (UpGuard)
- Meeting the Third-Party Risk Requirements of PCI DSS (UpGuard)
The Bank Secrecy Act (BSA), also known as the Currency and Foreign Transactions Reporting Act, aims to prevent financial institutions from being used to launder money, whether willfully or under duress during a cyberattack.
The BSA forces financial institutions to work alongside the U.S. Government in the fight against financial crime.
BSA compliance is regulated by the Office of the Comptroller of the Currency (OCC) through regular audits. Banks are expected to verify the legitimacy of all currency transactions.
Under the BSA, national banks are expected to institute controls that:
- Detect and deter money laundering activities
- Detect terrorist financing
- Facilitate the timely notification of money laundering activities to law enforcement
To mitigate the compromise of internal financial activities, banks are expected to outline clear data breach remediation workflows in their Incident Response Plan.
Is Complying with the Bank Secrecy Act (BSA) Mandatory?
Compliance with the BSA is mandatory for financial institutions accepting money from customers including:
- National Banks
- Federal Branches
- Agencies of Foreign Banks
- Federal Savings Associations
Under the BSA, all large transactions exceeding $10,000 need to be reported by submitting Form 8300 by the 15th day after the event took place.
What Countries are Impacted by the Bank Secrecy Act (BSA)?
The BSA is the primary anti-money laundering law in the United States.
What are the Penalties for Not Complying with the Bank Secrecy Act (BSA)?
An individual or bank employee found guilty of willfully violating the BSA could be fined up to $250,000 and jailed for up to five years.
Bank Secrecy Act (BSA) Compliance Resources
The following list of free resources could help organizations achieve compliance with the Bank Secrecy Act (BSA):
The Gramm–Leach–Bliley Act (GLBA) requires financial institutions to protect customer data and honestly disclose all data-sharing practices with customers.
Under this U.S. law, financial entities must establish security controls to protect customer information from any events threatening data integrity and safety. This includes strict financial information access controls to mitigate the chances of unauthorized access and compromise.
Entities expected to comply with GLBA are also likely required to comply with the FTC Safeguards Rule (a subset of the GLBA).
Learn how to comply with the FTC Safeguards rule >
Is GLBA Compliance Mandatory?
Yes. GLBA compliance is mandatory for all U.S. organizations selling financial products or services.
The financial entities that must comply with GLBA include those that:
- Sell financial products.
- Sell or offer financial services.
- Offer financial loans.
- Offer any financial or investment advice.
- Sell insurance.
What are the Penalties for Not Complying with the Gramm–Leach–Bliley Act (GLBA)?
There are separate penalties for non-compliance, applicable to the violating organization and to its officers and directors.
The penalties for violating organizations are:
- A civil penalty of up to $100,000 per violation.
- Fines in accordance with Title 18 of the United States Code.
The penalties for violating officers and directors are:
- A civil penalty of up to $10,000 per violation.
- Imprisonment up to 5 years.
Gramm–Leach–Bliley Act (GLBA) Compliance Resources
The following list of free resources could help organizations achieve compliance with the Gramm–Leach–Bliley Act (GLBA):
- GLBA Compliance Requirements (McAfee).
- What is the Gramm-Leach-Bliley Act (UpGuard).
- Gramm-Leach-Bliley Act (Federal Trade Commission).
The Financial Industry Regulatory Authority (FINRA) is an organization that has established a set of rules for protecting customer data from compromise. FINRA also promotes controls for detecting cyber threats and mitigating their impact.
FINRA regulates the following financial entities:
Is FINRA Compliance Mandatory?
FINRA requires all brokers in the United States to be licensed and registered.
What are the Penalties for Not Complying with FINRA?
Penalties for not complying with FINRA could include:
- Orders of restitution
Which Countries are Impacted by FINRA?
FINRA regulates brokers and brokerage firms in the United States only.
FINRA Compliance Resources
The following list of free resources could help organizations achieve compliance with the Financial Industry Regulatory Authority (FINRA):
- Compliance Tools (FINRA).
- Compliance Resources (FINRA).
- FINRA Compliance Requirements 101 (RSI Security).
The Payment Services Directive (PSD 2) is a directive by the European Union supporting competition in the banking sector.
PSD 2 is part of the Payment Card Industry Data Security Standard (PCI DSS) for financial data security.
To strengthen the security of banking activities in the EU, PSD 2 also includes requirements for protecting online payments, enhancing customer data security, and strong customer authentication (e.g., multi-factor authentication).
Is PSD 2 Compliance Mandatory?
Yes. All banks and financial institutions in the European Union must comply with the PSD 2 directives.
What is the Penalty for Not Complying with PSD 2?
The penalty for not complying with PSD 2 is a fine of up to €20 million (about 23 million USD) or 4% of annual revenue (whichever is greater).
Which Countries are Impacted by PSD 2?
All countries in the European Union are impacted by PSD 2.
PSD 2 Compliance Resources
The following list of free resources could help organizations achieve compliance with the Payment Services Directive (PSD 2).
- PSD2 Regulation - Get ready with Thales (Thales).
- PSD2 Regulation: How to Be PSD2 Compliant (Jotform).
- Payment Services Directive (Adobe).
Bill C-11 is an attempt to reform Canada's limited data privacy law by enacting the Consumer Privacy Protection Act (CPPA). This will impose new requirements for obtaining user consent for collecting their data, similar to the GDPR.
This reform is expected to have a significant impact on businesses utilizing social media platforms to collect marketing data.
Prior to any data collection, individuals must knowingly offer consent for relinquishing their data. The consent requests must be clear and easily understood so that users are completely aware of the specific data being requested.
These data collection requests must not exceed what is strictly necessary for the business's objectives at the time of collection. Individuals will also have the option of withdrawing their consent within a time limitation.
Under the CPPA, individuals will have greater ownership of their personal data. As a result, organizations must inform individuals when they possess any personal data linked to them.
Furthermore, because individuals will be granted greater authority over their data, all requests to delete personal data storage must be honored.
Bill C-11 models the New York Department of Financial Services (NYDFS) Cybersecurity Regulation of 2019.
Is Bill C-11 Compliance Mandatory?
Bill C-11 hasn't yet been passed as law, so compliance is not mandatory.
Once C-11 is passed, compliance is expected to be mandatory for all retailers and organizations processing personal information in Canada.
What are the Penalties for Not Complying with C-11?
Because C-11 proposes to enact CPPA, the penalty for non-compliance will mirror CPPA's penalty, which is:
A fine of up to $10 million, or 3% of global revenue (whichever is greater).
Which Countries are Impacted by C-11?
If passed, C-11 will become a law in Canada.
C-11 Compliance Resources
The following list of free resources could help organizations achieve compliance with C-11:
- Submission of the Office of the Privacy Commissioner of Canada on Bill C-11, the Digital Charter Implementation Act, 2020 (Office of the Privacy Commissioner of Canada).
- BILL C-11 (House of Commons).
- Canada: New Federal Privacy Legislation is Moving Through the Legislative Process (JDSUPRA).
OSFI Self Assessments
The Office of the Superintendent of Financial Institutions (OSFI) published a Cyber Security Self-Assessment for federally regulated financial institutions (FRFIs) in Canada.
The purpose of this framework is to address the expanding attack surface caused by digital transformation in the financial sector.
OSFI strongly encourages all federally regulated financial institutions to adopt this self-assessment and its associated tools to continuously evaluate and improve their security posture.
OSFI has outlined its strategic plan for building the cyber resilience of all of the financial institutions it regulates. This document can be accessed here.
OSFI offers guidance for financial entities in Canada to provide clarity on the expectations of different financial legislations and regulations in North America.
These self-assessments are an example of some of the guidance OSFI offers.
Are OSFI Self Assessments Mandatory?
OSFI's self-assessments are not mandatory, but they’re highly recommended to ensure compliance with Canada's financial regulations.
Which Countries are Impacted by OSFI's Self Assessments?
OSFI's self-assessments only apply to regulated financial entities in Canada.
OSFI Self Assessment Resources
For more information on OSFI's self-assessments, refer to the following resources:
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that aims to prescribe uniform principles of best practices for financial institutions.
The FFIEC is governed by the following five financial regulators:
- The Board of Governors of the Federal Reserve (FRB) - regulates domestic banks
- The Federal Deposit Insurance Corporation (FDIC) - regulates federal banks
- The Office of the Comptroller of the Currency (OCC) - regulates federal banks
- The National Credit Union Administration (NCUA) - regulates credit unions
- Consumer Financial Protection Bureau (CFPB) - regulates banks, thrifts, and credit unions
The FFIEC outlines its cybersecurity guidelines in its Information Technology Examination Handbook series, consisting of the following 10 handbooks:
- Business Continuity.
- Development and Acquisition.
- Information Security.
- Architecture, Infrastructure, and Operations.
- Outsourcing Technology Services.
- Retail Payment Systems.
- Supervision of Technology Service Providers.
- Wholesale Payment Systems.
All of these booklets can be accessed via the complete FFIEC IT Handbook.
Is Complying with FFIEC Mandatory?
Yes. All federally supervised financial institutions, including their subsidiaries, need to comply with FFIEC regulations.
What Countries are Covered by the FFIEC?
FFIEC regulations apply to financial entities in the United States.
What are the Penalties for FFIEC Non-Compliance?
Non-compliance with FFIEC regulations could result in fines of up to $2 million.
FFIEC Compliance Resources
The following list of free resources could support FFIEC compliance:
- FFIEC IT Booklets (FFIEC).
How to Maintain Cybersecurity Compliance in the Financial Sector
Many of the overlapping security controls across these regulations can be addressed with the following best cybersecurity practices.
Implement a Zero-Trust Architecture (ZTA)
A zero trust architecture assumes all network activity is malicious until proven otherwise. This framework encourages more secure privileged access management, making it more difficult for cybercriminals to access sensitive resources.
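As an added illustration (not code from this article or from UpGuard), the following per-request policy evaluator shows what "malicious until proven otherwise" means in practice: every request starts as denied, and is allowed only when identity, MFA, device posture and role all check out. The source IP is recorded for audit logs but is never used as a trust signal, so a request from inside the corporate network gets no shortcut. The resources, roles and policy table are constructed for the example.

```python
"""Default-deny, per-request access decisions in the spirit of a zero-trust architecture.

Constructed example: the identities, device-posture signals and POLICY table below are
hypothetical; no real product or production policy engine is modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: str             # authenticated identity, or "" if unauthenticated
    roles: Tuple[str, ...]   # roles asserted by the identity provider
    mfa_verified: bool       # MFA / step-up completed for this session
    device_managed: bool     # device enrolled in management and attested
    device_patched: bool     # patch level within policy
    source_ip: str           # logged for forensics only; never a trust signal
    resource: str
    action: str


# resource -> (roles allowed, MFA required, managed+patched device required)
POLICY: Dict[str, Tuple[FrozenSet[str], bool, bool]] = {
    "ledger-db":     (frozenset({"dba", "finance-ops"}), True,  True),
    "wire-portal":   (frozenset({"treasury"}),           True,  True),
    "intranet-wiki": (frozenset({"employee"}),           False, False),
}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Allow only when every required signal is present.

    Anything else, including a resource with no policy entry, is denied. Checks are
    not short-circuited after the first failure so the audit record lists every gap.
    """
    decision = Decision(allowed=False)
    if not req.subject:
        decision.reasons.append("unauthenticated subject")
        return decision
    rule = POLICY.get(req.resource)
    if rule is None:
        decision.reasons.append(f"no policy for resource {req.resource!r} (default deny)")
        return decision
    allowed_roles, need_mfa, need_device = rule
    if not allowed_roles & set(req.roles):
        decision.reasons.append(f"missing role; one of {sorted(allowed_roles)} required")
    if need_mfa and not req.mfa_verified:
        decision.reasons.append("MFA not verified for this session")
    if need_device and not (req.device_managed and req.device_patched):
        decision.reasons.append("device not managed or not patched to policy")
    decision.allowed = not decision.reasons
    if decision.allowed:
        decision.reasons.append("all required signals present")
    return decision


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One structured line per decision, suitable for shipping to a SIEM."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"decision={verdict} subject={req.subject or '-'} resource={req.resource} "
            f"action={req.action} src={req.source_ip} reasons={'; '.join(decision.reasons)}")


if __name__ == "__main__":
    # Same user, same internal IP: only the request with MFA reaches the ledger database.
    for mfa in (False, True):
        req = AccessRequest("alice", ("employee", "dba"), mfa, True, True,
                            "10.0.4.17", "ledger-db", "read")
        print(audit_line(req, evaluate(req)))
```

Network location never appears in `evaluate`; if a reviewer wants a location-based rule, it has to be added explicitly as one more signal rather than as a substitute for the others.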
Implement a Third-Party Risk Management Program
A TPRM solution will secure the entire third-party vendor network by testing compliance with security assessments and confirming cybersecurity improvements with security ratings.
Advanced TPRM solutions can also map security assessment responses to mandatory regulations associated with each vendor to uncover deficiencies preventing compliance.
Detect and Shut Down Data Leaks
Data leaks don't only make data breaches happen faster, they also expose sensitive information that could violate regulation guidelines.
A data leak detection solution capable of addressing these exposures both internally and throughout the vendor network could prevent overlooked regulatory violations and their associated penalties.
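As an added example (not the article's or UpGuard's code) of the kind of detection such a solution performs, the scanner below looks for exposed primary account numbers, the cardholder data PCI DSS exists to protect, in text such as application logs or support-ticket exports. A regex alone over-matches on order ids and timestamps, so each candidate is confirmed with a Luhn check, and findings are reported masked to the last four digits so the detector does not itself become a second leak. The log lines are constructed, using the well-known Visa and American Express test numbers rather than any real card.

```python
"""Detect exposed primary account numbers (PANs) in text.

Constructed example: a digit-run regex proposes candidates, the Luhn mod-10 check
confirms them, and both reporting and redaction keep only the last four digits.
"""
import re
from typing import List, NamedTuple

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int
    masked: str   # all but the last four digits replaced with '*'
    length: int


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def _confirmed_pan(candidate: str) -> str:
    """Return the bare digits if the candidate is a plausible PAN, else ''."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return ""


def find_pans(text: str) -> List[Finding]:
    """Scan line by line and report confirmed PANs, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = _confirmed_pan(m.group(0))
            if digits:
                findings.append(Finding(line_no, mask(digits), len(digits)))
    return findings


def redact(text: str) -> str:
    """Replace confirmed PANs in place; Luhn-invalid digit runs are left untouched."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _confirmed_pan(m.group(0))
        return mask(digits) if digits else m.group(0)
    return _CANDIDATE.sub(_sub, text)


# Constructed sample: line 1 and line 3 carry industry test card numbers, line 2 carries a
# 16-digit trace id that is not Luhn-valid and must not be flagged.
SAMPLE_LOG = """\
2021-03-14T10:02:11Z INFO checkout order=ORD-778812 card=4111 1111 1111 1111 exp=12/24
2021-03-14T10:02:12Z DEBUG trace id=1234567890123456 status=ok
2021-03-14T10:02:13Z WARN support-ticket body="customer read out 378282246310005 over the phone"
2021-03-14T10:02:14Z INFO healthcheck ok
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.length}-digit PAN {f.masked}")
    print(redact(SAMPLE_LOG))
```

Running the scanner over the sample reports line 1 and line 3 only; the trace id on line 2 passes the regex but fails Luhn, which is exactly the false positive the second check is there to remove.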
Use an Attack Surface Monitoring Solution
An attack surface monitoring solution will aid in the rapid detection and remediation of vulnerabilities that could facilitate data breaches. Such a solution helps financial services improve their security posture and meet the strict cyber resilience expectations of most regulations.
UpGuard has developed an attack surface management solution specifically designed to address the unique cybersecurity risks and regulatory compliance requirements of the finance industry.