Why is cybersecurity compliance challenging for financial institutions?
Have you ever thought about what it would be like to open a bank?
Arguably, today it’s easier than ever to start a new bank. The popularization of internet banks and online banking means you no longer need ATMs, hard currency, vaults, physical branches, tellers, or security guards.
So why isn’t everybody just doing it?
It’s the regulations.
To run a bank, you’ll need to navigate a multifaceted, regularly shifting environment where regulations, laws, and standards are complex, demanding, and sometimes contradictory. Right off the bat, this requires a non-trivial effort to understand the legal intricacies, nuances, and ramifications of compliance.
Then, you’ll need to spend time and money ensuring the right tools and processes are put in place to ensure compliance with all requirements.
Let’s examine the many cybersecurity compliance hurdles financial institutions face.
Stringent cybersecurity regulations #
Imagine Huxley Credit Union is coming to a web browser near you. Here’s what you must comply with for cybersecurity if you start a local credit union doing business only in the United States:
Industry standards and frameworks #
There are other frameworks for the industry that apply as well:
To recap, all the above are just for cybersecurity. There will be other regulations to consider for the rest of the business — each with their own requirements and standards to meet.
Compliance is ongoing — and regulations change #
Setting up tools and systems to ensure compliance isn’t a one-and-done event either.
Compliance is a continuous process. And to make matters worse, regulations change — with the updated versions imposing new or altered requirements. For example:
The cost of falling behind #
Failing to keep up with regulatory changes can have substantial material impacts, alongside the reputational damage.
In 2023, OneMain Financial Group paid a $4.25 million fine pursuant to a consent order to settle alleged violations of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500). These included improperly storing passwords and not sufficiently managing the risk from third-party data storage. Even though the regulation became effective in 2017, the consent order cited violations as late as 2021, indicating a significant failure to keep up with regulatory changes.
Regulatory language is open to interpretation #
Different interpretations of the language used in regulations can lead to additional costs or unexpected penalties.
How to define ‘material’? #
More recently, the Securities and Exchange Commission (SEC) released an update stating:
“The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material.”
How an institution interprets ‘material’ can materially impact cost and effort (pun intended).
A bank that sets a high bar for what counts as ‘material’ will disclose fewer incidents and so exposes itself to fines or penalties if the regulator disagrees. A bank that sets a low bar will disclose more than it needs to and end up doing unnecessary work.
Unfortunately, regulatory deadlines typically apply to large swathes of institutions simultaneously. So you can’t wait to see how the agency judges your peers and then act accordingly.
Customer expectations shape what’s viable #
Even when — or especially when — financial institutions are expending significant effort on compliance, they mustn’t lose sight of the fact that their primary purpose is to serve customers.
Borrowers and depositors come from all walks of life, with varying levels of tech-savviness and tolerance for hurdles to accessing and moving their money.
Compliance could be easier if banks could put more onus on customers. But if a bank required a retinal scan for each online banking login, customers would offboard in droves.
Following regulations would be less complicated if banks could take longer over certain processes. But if a bank took three weeks to vet a digital transfer, it would lose out to its speedier competitors.
Even the data doesn’t make it easy to comply #
Complying with these various regulations and requirements would be challenging enough if each bank had just a single database. But that is not remotely the case.
Financial institutions deal with millions, even billions of records, typically spread across several databases and systems: countless customers, accounts, transactions, financial instruments, and internal operations.
Transaction data, in particular, stands out as a data type with extremely high velocity. This makes it difficult to conduct any sort of real-time monitoring that regulations may require. Monitoring is made even harder given that the data is often unstructured (e.g. email messages) or binary (e.g. uploaded screenshots or Microsoft Word documents).
Compounding the problem, financial data often comes from legacy systems, which were not designed with today’s logging, encryption, and access-control requirements in mind. Demonstrating compliance for legacy data held in legacy systems is therefore drastically more difficult.
Exchanging data with (many) third parties #
Let’s not forget that it’s not just the data stored in-house that needs managing in a compliant way. Banks are also responsible for ensuring data security and compliance when data is shared with or handled by third parties.
Here is a non-exhaustive list of third parties that banks typically interoperate with:
Ensuring cybersecurity compliance #
From keeping up with changing regulatory requirements to meeting customer expectations, and from deciphering ambiguous meanings to unpacking legacy data, cybersecurity compliance is a complex challenge for financial institutions.
They face a huge array of complicated and continually evolving regulations, laws, and standards on cybersecurity. Ensuring compliance with these requires a comprehensive and robust security program, including tools and processes to generate periodic reports or disclosures, processes to remediate any violations, and the staff to make it all happen.
And while all of this costs time and money, the costs of non-compliance — either through fines or cybercrime — are considerably heftier.
All of this is why you won’t, after all, see Huxley Credit Union in a web browser near you any time soon.