Connecting the Dots Between Security and Compliance
Finance has always been one of the most heavily regulated sectors, and today’s digital enterprise increases the compliance burden further as financial data and systems become more globally connected…and globally vulnerable. With these multiplied security risks come added risks of compliance violations and enforcement by regulators that can saddle an organization with heavy penalties and fines.
In this first of two blog posts devoted to the issue of compliance, let’s start by clarifying how specific cybersecurity challenges in an organization line up with regulatory rules. While most organizations understand the overall importance of compliance, they often lack visibility into exactly where and how regulations apply to their IT systems and processes. Such visibility is the first step in addressing security and regulatory gaps together in order to make the entire organization more protected and compliant.
Security Risk Leads to Compliance Risk
We’ve talked previously about the security risks financial firms face from ransomware, social engineering attacks, business email compromise and other cyber threats. The organizational cost from these security breaches includes lost revenue, stolen intellectual property, damage to brand reputation, lost customer trust and more.
These security breakdowns are typically a sign of a regulatory breach as well – usually involving data privacy. In addition, there are latent security gaps, such as poor workflow and data management processes that may leave sensitive data exposed. Even if such data is never accessed by a malicious actor, the simple fact that it’s exposed can represent a regulatory infraction.
Whether the compliance violation stems from an active breach or from hidden vulnerabilities, multiple oversight entities take such issues seriously and have the authority to impose steep fines or even decertify a company’s ability to participate in financial exchanges. The penalties can be serious blows to a firm’s ability to conduct business, and they put pressure on compliance and risk managers to work more closely with IT and security teams.
Mapping Regulations to IT Operations
The finance sector faces an alphabet soup of regulatory entities – including FINRA, the SEC, the FDIC, the Federal Reserve Board and more – that scrutinize how a company stores, uses and protects its data. While this regulatory environment can seem daunting, many of the rules are well-defined – meaning that firms with access to the right domain and IT expertise can effectively map their operations to the regulatory rules that apply. To illustrate, let’s take the use case of a financial firm’s online customer portal and how it is affected by the seven focus areas for cybersecurity management specified by the SEC’s Division of Examinations – previously known as the Office of Compliance Inspections and Examinations (OCIE).
A customer portal is just one component of the IT estate, but it must be compliant along all seven SEC focus areas, which include Access Rights and Controls, Data Loss Prevention, Mobile Security, Incident Response and Resiliency, Vendor Management, and Training and Awareness. Total compliance in this scenario requires the customer portal app to have no weak links in this cybersecurity management chain – including who accesses the system, from what devices, using which third parties, and across the various stakeholders collaborating in both training and incident response settings.
If this sounds complicated, that’s because it is. The good news is that strong compliance can be made simple and scalable with the right technology strategy, tools and partners to precisely align digital operations with the government or industry rules that affect those operations. That’s what we’ll explore in the second of this two-part blog series on compliance.