2020 brought with it an alarming level of cyber threat against banks, which spurred government officials to call for new levels of regulation. In September 2020, the Government Accountability Office (GAO) released a report asking for the US Treasury Department to create a unified task force with the Department of Homeland Security intended to protect the banking industry against cyberattacks. This could result in extended federal regulations which will affect banks directly.
Banks and financial services companies are already subject to a vast host of regulations—and the regulations are there for a good reason. Banks hold a great deal of money and personal information, so any data breach or criminal activity at a bank can lead to vast consequences. Although ordinary consumers are relatively insulated from monetary or identity theft, business accounts have fewer protections. In addition, a sufficiently widespread breach could even threaten the US economy. Any widely publicized data breach will likely lead to calls for even stricter rules.
Attacks On Banks Have Ramped Up Exponentially
Right now, banks are undergoing an absolute flurry of cyberattacks, with attempted breaches increasing by 238% at the start of 2020. With many banking employees now working from home, attackers are taking advantage of the confusion and the technology resets that have made remote work possible for bankers. What’s more, 82% of CIOs in the linked report say that not only are attacks becoming more frequent, they’re also becoming more sophisticated, incorporating advanced social engineering techniques to fool banking employees into giving up their credentials.
This isn’t great news for banks—because FSI companies have had a difficult time defending themselves from data breaches even before the pandemic hit. In 2017, companies in the financial services industry experienced 8.5% of all data breaches. In other words, they were 300 times more likely to experience a data breach than companies in other industries. The wave of technically sophisticated attacks against banks in 2020 is therefore very likely to be met with success.
How Security Awareness Training Can Help Banks Cope with Future Regulation
A new era of regulation had already begun before the current crisis hit. Although it doesn’t deal with banks specifically, the EU’s GDPR (General Data Protection Regulation) mandated a host of sweeping changes when it came into effect in 2018. These changes included:
- Redefining PII (Personally Identifiable Information) to mean "any information relating to an identified or identifiable natural person (or 'data subject')".
- Mandatory reporting of all data breaches within 72 hours.
- Requiring companies to staff the position of a Data Protection Officer to enforce GDPR compliance and report to the EU's Information Commissioner's Office.
Security awareness training has been critical for companies attempting to comply with the GDPR. The regulation adds many new rules around the way companies handle data, limiting the amount of data companies can collect and mandating disposal once it is no longer needed. Staff need to be able to recognize these situations when they arise, which means that extensive training is necessary for companies across all industries, including banks.
Meanwhile, US states are beginning to adopt regulations similar to the GDPR. For example, California’s CCPA (California Consumer Privacy Act) went into effect at the beginning of 2020. Heavily inspired by the GDPR, the CCPA most notably allows consumers to file class-action lawsuits against companies who they believe have mishandled their data.
Banks have certain exemptions under the CCPA, mostly because they’re already regulated under the Gramm-Leach-Bliley Act (GLBA). However, these exemptions only apply to the data that the GLBA covers, not to the institutions themselves. This means that banks have to expand the amount of personal information they protect in order to remain compliant with both the GLBA and the CCPA.
Extrapolating from the CCPA, it’s likely that future state and federal regulation will take the same approach—use the GLBA as a model, expand the amount of data that banks need to protect, and then give consumers greater power to punish banks for perceived misuse of private information.
Security Awareness is Critical for Compliance
The financial services industry now has an obligation to either forestall additional regulation by enhancing their compliance with existing rules or to prepare themselves to comply with future regulations. Either way, security awareness training will be central to their plans.
First, it seems likely that future regulations will take the GLBA as a starting point—and security awareness training is a keystone of the GLBA. The act states that each bank needs to have a comprehensive information security program and that each program should "include security awareness training to inform personnel of information security risks associated with the activities of personnel, as well as responsibilities of personnel in complying with bank policies and procedures designed to reduce such risk."
The fact of the matter is that employee buy-in is central to the success of compliance. Compliance fails when employees aren’t aware of the regulations affecting their industry, when they can’t identify social engineering attempts, and when they don’t have a process for reporting attempted breaches. Without security awareness, the industry is stuck in a vicious cycle of failing to comply with regulations, falling victim to cyberattacks, and then becoming subject to more regulation it then fails to comply with.
Here at CybeReady, we aim to break that cycle by implementing continuous security awareness training for employees. Security awareness isn’t something that can be done once (or once a quarter)—rather, it needs to be an instilled habit. By creating automated tailored training sessions continuously, we can create lasting compliance that can help your workforce mitigate attacks and breaches, comply with existing regulations, and adapt seamlessly when regulations change once again.