Achieving Cost-Effective Compliance Through Consolidated Solutions

By Chad Fullerton, Director, Information Security | Thursday, February 16th, 2023

The previous post in this two-part series on regulatory compliance clarified the link between security and compliance for financial organizations. It also showed that every tool, platform, database and other element of the IT estate must satisfy multiple, complementary compliance requirements, often under several regulations at once.

At first glance, that can seem like an impossibly complex challenge, and some organizations may be tempted to simply avoid technology modernization as a way to sidestep the compliance burden. But that’s not the right response because 1) you lose competitive advantage if you don’t embrace technology in the highly disruptive financial sector, and 2) you’re still responsible for data and cybersecurity compliance even when trying to make do with older legacy and on-premises systems that have data security vulnerabilities of their own.

Rather than avoiding technology investments, financial firms should instead be strategic with those investments to make compliance more seamless, automated and scalable. The easiest way to achieve this is through collaboration with a strategic MSP partner with the right blend of technical and domain-specific expertise.


Examining a Compliance Use Case

In part 1, we highlighted the need to ensure a customer portal remains compliant with the SEC's seven focus areas for cybersecurity management. Now, we'll go through each of the seven focus areas to illustrate how a strong partnership with the right MSP can align the customer portal's data and operations for maximum security and compliance.

  1. Governance and Risk Management – Much of this SEC focus area revolves around senior management engagement and ensuring processes are in place to measure and validate security posture. An MSP can help by gathering this data into executive reports, dashboards and metrics reviews that support analysis and decision-making.

  2. Access Rights and Controls – The SEC requires secure access controls for all stakeholders interacting with the customer portal, whether to maintain it or to manage user queries. An MSP can implement privileged, role-based and other access management policies, monitor continuously for anomalous access patterns, and handle routine policy changes such as provisioning access for new employees and revoking it for departing ones.

  3. Data Loss Prevention – This is perhaps the biggest technical control area of concern for our example, especially since the customer portal is public-facing. An MSP can help orchestrate server and network hardening, implement data loss prevention rules and run continuous scans to identify and close security gaps.

  4. Mobile Security – Customers and internal users alike may access the customer portal from mobile devices, and some of those devices may be BYOD rather than company-owned. The SEC requires mobile security regardless, and the MSP can help ensure it through mobile and endpoint device management that includes geofencing, conditional access and other advanced controls.

  5. Incident Response and Resilience – Beyond normal operations, a company’s performance during a breach or other security crisis is also subject to regulation. The MSP can support this by designing and implementing SOC roles and responsibilities frameworks and communications trees – as well as backup provisioning and other business continuity plans and templates to aid in resilience.

  6. Vendor Management – Third-party risk management is deceptively simple when it comes to compliance: you are on the hook for the mistakes of any vendor that supports your customer portal. An MSP can help govern the third-party ecosystem with industry-specific due diligence, interpreting vendor reports, credentials and business models to confirm that each vendor's operation is compatible with your systems and compliant with the regulations you are subject to.

  7. Training and Awareness – Security and compliance are a team effort, and the SEC expects adequate training and awareness for all relevant stakeholders in the organization. The MSP can support this with workshops, tabletop exercises and other training tailored to the organization, such as phishing tests built around the specific platforms most at risk.


The Bottom Line

We’ve seen in Parts 1 and 2 that compliance requires a holistic understanding of how financial sector-specific regulations affect a firm’s IT systems. With this greater understanding comes the realization that adequate financial sector compliance today also requires the help of an MSP partner – one who offers cross-disciplinary expertise and consolidated solutions to apply both preventive controls and detective controls across the entire enterprise ecosystem.
