The emergence of cybersecurity1 many years ago meant that financial services had to adhere to the laws and regulations that came with it. While some industries experienced little disruption from these regulations, the same cannot be said for the global banking industry.
Here are the elements of cybersecurity regulations that have the most impact on the banking industry and have disrupted existing procedures in the world's most prominent financial institutions.
Emphasis on Board and Senior Management Accountability
As part of the widespread regulations placed on banks to ensure that they meet cybersecurity standards, the appointment of a chief information security officer (CISO)2 is mandatory in some cases. The CISO has the responsibility of overseeing and enforcing the cybersecurity policies of the organization. The CISO, board and senior management are to be held accountable for deficiencies in cyberrisk management.
This mandate has had a significant impact on the responsibilities of boards in the banking industry. Before this regulation, boards tended not to involve themselves in matters associated with IT risk, believing those to be out of their jurisdiction. They would rather the IT department attend to such matters. Now, senior management in the banking industry acknowledges that the impact cyberrisk has on the financial system is far greater than regular IT risk.
Penetration Testing and Vulnerability Assessment
Different regulators require banks to undergo varying levels of penetration testing. This is a test to determine the resilience of an organization's policy to cyberattacks. Vulnerability assessment and penetration testing help the organization discover the steps it needs to take to limit or eliminate cybersecurity weaknesses. A good case scenario is the global adoption of magnetic stripe cards,3 which would have been impossible without thorough vulnerability assessment.
Banks now invest in ethical hacking as it is a crucial element of vulnerability assessment and testing.
Banks now invest in ethical hacking as it is a crucial element of vulnerability assessment and testing. Because bank staffs with proper knowledge of cybersecurity are scarce, organizations in the industry tend to outsource such tasks. In a way, the banking industry has resorted to paying professional hackers to breach their own security. It may be ironic, but it is a necessity for the biggest banks in the world.
Encouraging Information Sharing
Cybersecurity regulations exist that encourage banks to share information regarding cyberthreats among one another. The aim is to mitigate cyberattacks and enhance overall cybersecurity in the banking industry. Platforms such as the Cyber Security Information Sharing Partnership (CiSP)4 provide an avenue for banks to share information on recent cyberthreats. Several regulators in the industry such as those in Hong Kong (Cyber Fortification Initiative [CFI] ),5 have made it mandatory for banks within their jurisdiction to join their sharing programs.
Information sharing regulations create one of the few scenarios where banks interact with one another for the greater good of the industry. Although all banks are required to lodge reports of any cyberrisk event to the appropriate authorities, the sharing of useful cybersecurity information with other banks does not apply to all. However, certain regulations encourage this as it facilitates progress in the fight against cyberattacks. By sharing such intelligence, banks and regulatory agencies are actively working toward one goal for the first time in a long while.
Conclusion
These regulations are a few of the many that govern banking sectors in various countries. Their existence has made it clear to the banking industry that cybersecurity is, perhaps, the most delicate aspect of running a bank.
All over the world, banks are investing in staff training on cybersecurity. This is because their susceptibility to cyberthreats is closely linked to the human elements of financial institutions. All employees need to undergo proper orientation on the subject, even if it costs the banking industry billions of dollars to implement.
David Smith
Is a cryptographer with 12 years of experience in both the public and private sectors. Before branching out to start his second start-up (currently in stealth mode), he was the lead cyber/information security officer for a Fortune 500 company for 8 years. His second start-up project focuses on tracking and interpreting the use of contactless payments in the Greater China region. His expertise includes system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with Asia Pacific (APAC) market trends and consumer preferences. Smith occasionally consults with smart card companies at Cardzgroup.com.
Endnotes
1 SentinelOne, “The History of Cyber Security—Everything You Ever Wanted to Know,” 10 February 2019
2 Fruhlinger, J.; “What Is a CISO? Responsibilities and Requirements for This Vital Leadership Role,” CSO, 14 January 2019
3 Cardzgroup, Contactless Smart Cards
4 National Cyber Security Centre, Cyber Security Information Sharing Partnership (CiSP), United Kingdom
5 Hong Kong Monetary Authority, Cyber Fortification Initiative (CFI)