cybersecurity compliance

How to Ease Cybersecurity Compliance Burdens in Banking

By Divyansh Arora, Information Security Manager, ERMProtect

The banking industry stands as one of the most heavily regulated sectors globally, not just in the U.S. With over 20 regulations to grapple with, including heavyweights like the Fair and Accurate Credit Transactions Act (FACTA) and the Gramm-Leach Bliley Act (GLBA), achieving compliance becomes a formidable undertaking. Moreover, if we observe the trend carefully, the government is going to increase its focus on compliance and regulation in the coming years.

An Intelligent Approach to Bank Cybersecurity Compliance

The best way for banks to ease the burden is to use “smart compliance," a strategic approach developed by ERMProtect through years of collaboration with financial institutions. Leveraging the overlap and commonalities across different cybersecurity frameworks, standards, and laws, we can adopt an intelligent strategy that allows for simultaneous compliance with multiple controls.

This approach is possible because many frameworks and guidelines have the same controls around cyber security. For example, PCI DSS requires organizations to develop risk assessments and incident response plans, and so does GLBA. Almost all the regulations require banks to provide security awareness training to their employees. Vulnerability assessments and penetration tests are commonly required in almost all the regulations and guidelines, including GLBA, 23 NYCRR 500, and, in some cases, PCI DSS.

By developing a matrix of regulations and required controls, banks can simplify their cybersecurity compliance obligations. You can develop the matrix by simply listing in the left, vertical column the requirements, such as a vulnerability assessment or vendor management program, then, horizontally, across the top, list the regulations that require the control. Add check marks where a control is required and add frequency.

The Banker’s Cybersecurity Compliance ‘Cheat Sheet’

We call the resulting matrix, demonstrated below, the banker’s cybersecurity compliance “cheat sheet.” It provides an at-a-glance view of required compliance assessments, and shows commonalities among them, so they can be leveraged to simplify compliance and avoid duplication.

This is a valuable resource for bankers and auditors alike, streamlining the process of aligning with cybersecurity controls across various regulatory frameworks. The matrix not only simplifies the compliance journey but also embodies the essence of working smarter, not harder, in the intricate landscape of banking regulations.

Staying Ahead of Evolving Bank Regulations

It's worth considering that standards and frameworks continuously evolve in response to emerging technologies. As these changes occur, it becomes essential to adapt and ensure compliance with evolving regulatory requirements. Engaging an external professional firm can provide valuable expertise and support in navigating these changes, assisting your organization in achieving compliance effectively and efficiently.

ERMProtect, for example, provides up-to-date guidance and assessments related to the main regulations, standards, and laws, applicable to financial institutions: GLBA, PCI DSS, FACTA, SOX, GDPR, and NYRCRR 500.

Guide to the Main Banking Regulations

To review, here are the main regulations, standards, laws applicable to the financial institutions:

  1. Gramm-Leach Bliley Act (GLBA): Protect the confidentiality, security, and integrity of nonpublic personal information about consumers.
  2. Payment Card Industry Data Security Standard (PCI DSS): Protect cardholder data and sensitive authentication data wherever it is processed, stored, or transmitted.
  3. Fair and Accurate Credit Transactions Act (FACTA): Protect consumers from identity theft.
  4. Bank Secrecy Act (BSA/AML): Promote financial transparency and deter and detect those who seek to misuse the U.S. financial system to launder criminal proceeds, finance terrorist acts, or move funds for other illicit purposes.
  5. Sarbanes-Oxley Act of 2002 (SOX): Protect investors from fraudulent financial reporting by corporations.
  6. General Data Protection Regulation (GDPR): Protect individuals' fundamental rights and freedoms, particularly their right to protection of their personal data.
  7. New York Codes, Rules, and Regulations (NYCRR 500): Protect customer information as well as the information technology systems of regulated entities.

We Can Help with IT Risk Assessments

ERMProtect has been conducting risk assessments since its founding in 1998. We have the expertise and experience required to help your organization navigate regulatory, security, and risk issues. Please contact Silka Gonzalez at [email protected], Judy Miller at [email protected] or call 305-447-6750 to set up a free consultation on the type of risk assessment that would best protect your business.

Divyansh Arora is an Information Security Manager at ERMProtect Cybersecurity Solutions where he performs vulnerability assessment and penetration testing, along with PCI DSS assessments for various clients across the globe. He holds a master’s degree in information technology – Information Security from Carnegie Mellon University.

Subscribe to Our Weekly Newsleter

Intelligence and Insights

pci dss compliance

Why PCI Standards Are Just the Starting Point for Securing Payment Data

While PCI DSS compliance offers a solid baseline, it is not an all-encompassing solution to build a proactive and resilient data security framework …
pci dss in the cloud

How to Achieve PCI Compliance in the Cloud as Security Controls Evolve

The integration of cloud services with PCI DSS compliance is particularly crucial for enterprises that handle sensitive payment card information …
Digital Forensics Investigation

What Are the 5 Stages of a Digital Forensics Investigation?

In this article, we delve deeply into the five stages of a digital forensics investigation and provide tips on how to select the right digital forensics company …