Navigating Cybersecurity Regulations Across Financial Services
- Giles Inkson, Director of Services EMEA at NetSPI
- 31.05.2024 10:00 am #Cybersecurity #Regulations
Financial institutions are prime targets for cyber threats because of the large amounts of sensitive data they handle, their place in the economy, and their usage of infrastructure such as mainframes. The need for robust cybersecurity measures has never been more pressing. In response, many regional and national regulatory bodies and industry leaders have introduced comprehensive frameworks aimed at bolstering the enterprise resilience of the financial services sector.
In navigating the intricate landscape of security testing regulations in global financial markets, businesses must adopt an enterprise-wide proactive and strategic approach to manage and comply with these regulations effectively.
As these frameworks mature and roll out globally across territories, there are many ways organisations can prepare themselves now and be ready for upcoming standards such as the Digital Operational Resilience Act (DORA). Here are the five areas businesses should consider to help navigate these frameworks and financial services regulations:
Treat threats proactively and embrace regulations to drive positive change
First and foremost, it is crucial for businesses to understand the significance of these regulations in enhancing cybersecurity resilience. Frameworks like CBEST, DORA, TIBER-EU, iCAST and CORIE are essential parts of strengthening defences against cyber threats inside and outside of regional boundaries. Each of these standards takes as its scope either critical business components (the parts that keep the business working) or the entire enterprise. Viewing compliance not just as a regulatory obligation, but as a critical component of a robust cybersecurity strategy, can help businesses prioritise their efforts and investments accordingly. An organisation that has red teamed before might be surprised at the pragmatic and impactful difference in approach, which shifts its security mindset to a proactive one.
Assess cybersecurity posture across the whole business
Businesses need to treat their organisations as a single organism. Many traditional red team or penetration testing methodologies treat cybersecurity in isolation rather than as part of the whole organisational risk. Financial institutions need to conduct regular intelligence-led penetration testing or red teaming, coupled with cybersecurity risk assessments and gap analyses across their entire business, as part of a holistic suite of risk reduction. In doing so, they gain valuable insights into vulnerabilities, threats, process gaps, weak controls and areas of non-compliance within the organisation that other tests cannot expose. By understanding their strengths and weaknesses across cyber and operational resilience, businesses can target areas of improvement and enhance their overall security posture.
Foster collaboration and a culture of cybersecurity awareness
Collaboration between IT, security teams and senior leadership is paramount in effectively managing security testing regulations on the world stage. Without centralised administration, regional coordination and clear communication on expectations and territorial differences can be complex to negotiate. Therefore, establishing clear lines of communication and fostering a culture of cybersecurity awareness across all business units is critical. Reinforcing this with processes that encourage accountability throughout the organisation ensures that compliance efforts are aligned with business objectives and strategic priorities without siloing the effort and investment.
Recognise the global impact of security testing frameworks
As cyber threats cross borders, financial institutions worldwide face similar risks and regulations across their operational sites. Compliance with these testing frameworks isn't just about state-level or national rules; it's about adopting global cybersecurity best practices and common standards throughout. With international financial systems interconnected, one institution's security can affect the entire ecosystem, just as one regional branch or office can affect a global company. By adopting these frameworks and aligning with their requirements, businesses enhance the resilience of the global financial system, and individual tests may also be combined into wider supersets. Standardised frameworks like CBEST and TIBER, and the upcoming DORA enforcement in January 2025, streamline compliance efforts, provide a consistent approach to cybersecurity testing worldwide and across entire businesses, and can reduce the need for repetitive testing.
Invest in broad and deep expertise
Investing in the expertise of accredited cybersecurity partners with global capability will help financial institutions manage their global testing compliance needs. For example, many finance sector organisations operate legacy mainframes as part of their critical services. While mainframe testing is a crucial aspect of cybersecurity resilience, it remains overlooked, even though it is a designated area for examination within testing frameworks. This is because many businesses lack the technical expertise to conduct thorough mainframe testing in a safe and realistic manner.
Organisations that can flexibly apply and call upon resources in specialist testing areas like mainframes and red teaming have the most effective means of truly understanding operational resilience across their organisation. Working with experienced professionals, especially across multiple disciplines, can provide valuable guidance and support in conducting comprehensive security assessments, interpreting regulatory requirements, and implementing effective cybersecurity measures across an organisation.
Ultimately, navigating security testing regulations across financial services demands a proactive and strategic stance. By adopting a proactive mindset towards compliance and cybersecurity, businesses can effectively mitigate risks, protect sensitive data, and maintain trust and confidence in the global financial markets. Embracing these frameworks as opportunities to enhance cybersecurity resilience can position businesses for long-term success in an increasingly digital world.