Key Compliance Concepts for Financial Services | Imperva


The Sarbanes-Oxley Act (SOX) was introduced following a number of financial scandals involving huge conglomerates. It obliges companies to establish internal controls to prevent fraud and abuse, and holds senior managers accountable for the accuracy of financial reporting.

The financial crisis in 2008 meant even tighter rules for financial services, with the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US bringing a great deal of new regulations for the sector. In Europe, in a joint move between the UK, France and Germany, banks were forced to contribute to the region’s economic recovery by paying an annual tax levy.

The UK experienced a complete overhaul of its financial regulatory structure when the existing tripartite system was abolished and replaced by a new framework consisting of the Financial Policy Committee (FPC), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). Since then, new regional directives have materialized, including the New York State Department of Financial Services’ (NYDFS) regulation, and the Monetary Authority of Singapore’s (MAS-TRM) guidelines.  

The emergence of much more rigorous privacy and security regulations around the globe, driven largely by digital transformation, has created additional regulatory layers for organizations to comply with. Examples include the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States. While GDPR is not specific to financial services, it has had an enormous impact on this industry.

A common requirement of many regulations is to appoint a chief information security officer (CISO), chief technical officer (CTO) or, in the case of GDPR, a data protection officer (DPO). Each of these appointments comes with specific obligations that the role must manage to ensure the organization stays compliant.

Data Protection 

Many regulations are designed to protect personal customer data. The GDPR, for example, places the emphasis on commitment to individuals’ data privacy by implementing a Data Protection by Design approach, implying organizations need to build privacy and protection into their products, services, and applications. 

Data privacy is also one of the key requirements of the NYDFS regulation, which mandates that firms should implement and maintain policies and procedures for the protection of their information systems and the nonpublic information stored in them. For MAS-TRM, the protection of customer data, transactions and systems is included in its risk management principles and best practice standards.

Data Discovery

To protect your assets, first you need to know where your databases are located and what information they contain. Only when you have full visibility of what regulatory content your databases hold can you conduct an assessment to prioritize and assign a risk profile to datasets. 

Data Monitoring

A recurring requirement of data regulation is that organizations should have visibility of user access to be able to answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. This is certainly true of the GDPR which requires organizations to maintain a secure environment for data processing. For MAS-TRM, establishing appropriate security monitoring systems and processes is outlined as a requirement in the guidelines, “to facilitate prompt detection of unauthorized or malicious activities by internal and external parties.”

Incident Reporting

Reporting incidents in time is critical for avoiding regulatory penalties, which can be severe and costly for an organization, both financially and in terms of reputational damage. However, security teams are often overwhelmed with large volumes of incident alerts, which risks a genuine threat slipping through the net.

The data risk analytics capability within Imperva Data Security addresses this issue using advanced machine learning and peer group analysis to distil the number of alerts that bubble to the surface, making it easier to recognize a real breach in time to stop it from accessing internal networks. 
