Maintaining an effective security posture is difficult enough for any organization. But for those in financial services, the task can be even more challenging. Banks and other financial institutions must comply with numerous regulations. These standards, whether designated and governed by law or simply outlined in an independent framework, can be difficult to identify, decipher, and fulfill. If your organization is seeking to make changes to your cybersecurity compliance strategy, then there are some things you should be considering regarding the tools and systems you put in place to comply and whether or not a Network Detection and Response solution (NDR) should be part of your solution.

What is Cybersecurity Compliance?

Cybersecurity compliance is the act of implementing information security practices that protect sensitive customer data and financial loss in accordance with local or national laws, regulations, and standards for data security. These standards are often set by governments or administrative authorities, though independent third-party frameworks are often used as a basis for maintaining compliance. Unlike other industries — which might have less-stringent and more generalized regulations for data protection — the compliance standards for financial institutions in both North America and Europe are fairly explicit in their expectations and requirements.

In this article, we review some of these relevant standards and answer the question, “How can network detection and response (NDR) help financial institutions maintain cybersecurity compliance?”

North American Cybersecurity Compliance Regulations and Frameworks

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

The NIST CSF is a cybersecurity compliance framework that highlights best practices and guidelines for businesses to manage and reduce their cybersecurity risk. Though it is not technically a legal requirement to follow the NIST framework, it is designed to help organizations satisfy a number of legal cybersecurity aspects of the regulations. For some financial services organizations, like those in the insurance industry, the NIST framework is a requirement. Many North American financial institutions are members of the Depository Trust and Clearing Corporation (DTCC) which is regulated by the U.S. Securities and Exchange Commission (SEC). Based on SEC rulings, the DTCC requires all members to follow an approved cybersecurity framework. Of those approved frameworks, the NIST CSF is the most popular. The NIST CSF has a number of sections that are particularly relevant to network security (see standards PR.AC-5, ID.RA-3, PR.DS-5, DE.AE-2, DE.AE-3, DE.AE-5, DE.CM-1, and RS.AN-3).

Sarbanes-Oxley (SOX) Act

Passed by the United States Congress in 2002, the SOX Act was written to help protect investors from financial fraud. Over time, the SOX Act has been updated to include cybersecurity considerations for all businesses in the financial sector. SOX compliance is required for all publicly-listed businesses, which includes those in the financial services industry. Section 404 of the SOX Act is the primary section detailing the cybersecurity policies. In 2018, the SEC released some official guidance to clarify this section of the SOX Act as it relates to cybersecurity systems in an organization’s disclosure controls and procedures.

European Cybersecurity Compliance Regulations and Frameworks

General Data Protection Regulation (GDPR)

The European Union (EU) requires GDPR compliance for financial services that collect or process personal data from EU residents, regardless of the business location. This means that, while technically an EU regulation, any organization in any location that collects or processes personal data from EU residents must maintain GDPR compliance. The primary elements of GDPR that factor into cybersecurity practices are outlined in Article 5, which calls for the use of appropriate organizational measures to protect against unauthorized data processing and accidental loss or damage (see also recital 78, article 32.1b, and article 33.3).

NIS2 Directive

The EU Network and Information Society Directive (formerly NISD, now known as NIS2) is an EU-wide legislation on cybersecurity that aims to improve cybersecurity across EU member states. NIS2 applies to all operators of essential services (OES) and relevant digital service providers (RDSPs) in the EU — which includes organizations in the financial services industry. NIS2 also requires all foreign enterprises that leverage services available to individuals in the EU to appoint an EU-based NIS representative to ensure implementation of the directive. The articles in this directive include extensive measures that should be taken to protect personal data and other sensitive information, but it is also very explicit about what kinds of systems must be in place. For example, it requires organizations to operate a system for “monitoring and analyzing cyber threats, vulnerabilities and incidents at national level” (Article 11.3a) that is also capable of “providing early warnings, alerts, announcements and dissemination of information to essential and important entities concerned” (Article 11.3b).

Global Cybersecurity Compliance Regulations and Frameworks

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is a set of standards developed by the Payment Card Industry Security Standards Council (PCI SSC) which was formed by the major credit card companies American Express, Discover Financial Services, JCB International, Mastercard, and Visa. Any organization that receives or processes credit card information — including financial institutions — are subject to PCI DSS standards. These standards include very clear expectations for cybersecurity, particularly in the area of network security. For example, the very first regulation communicated in the PCI DSS requires that “network security controls (NSCs) are configured and maintained” (PCI DSS req. 1.2.). Additional requirements call for regular testing and monitoring of network activities and controls to protect against malicious software (malware).

Basel III Framework

The Basel III Framework does not apply to every country, however it was developed for global use by an independent organization within the banking industry in response to the 2008 financial crisis. Many countries, like the United States, do require financial institutions of a certain size to comply with the Basel III regulations. Relative to cybersecurity compliance, Basel III includes several sections on risk management of cyber-resources (principles 15, 21, and 26).

How Does NDR Help Financial Institutions Maintain Cybersecurity Compliance?

So how does a financial institution ensure they are compliant with their applicable standards? This question is not easily answered, as every organization is different and is subject to the specific regulations set by their government or industry bodies. In addition, many of these regulatory compliance standards can be satisfied in multiple ways with different systems.

If your organization is subject to any of the aforementioned regulations or guided by one of the frameworks described above, monitoring your network traffic for intrusions and attacks is vital to your cybersecurity compliance. For many years deploying a network intrusion detection system (IDS) was the preferred mechanism to satisfy this requirement. Their ability to detect known threats and capture an evidence trail have proven invaluable. Unfortunately, problems with alert overload and insufficient visibility have plagued those legacy IDS solutions making them less valuable in practice. This has led many organizations to seek new solutions that can replace their legacy IDS with a more effective alternative.

The good news is that a properly-designed network detection and response (NDR) can help eliminate alert overload, provide greater visibility and deliver improved forensic evidence needed to accelerate response to an incident.

Today, it is important to consider including a Network Detection and Response (NDR) platform into your security strategy.

NDR alone won't fulfill every requirement in these regulations, but it can satisfy many of the cybersecurity related elements. By providing real-time threat detection, guided threat hunting, extensive forensic evidence, flow data and network packet capture, and insights into policy violations and unauthorized user activity, NDR can not only help protect your organization from threats, but also assist in maintaining financial cybersecurity compliance.