If you work in compliance for a financial services organization, chances are you have been focused on the March 31st deadline for the implementation of the Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0). However, as important as PCI may be, United States financial services organizations operate in one of the world’s most stringent and complex compliance landscapes. Financial institutions must navigate a maze of requirements on the road to compliance, so it is important to understand how to simplify and streamline compliance efforts across multiple regulations and achieve a faster time to compliance.
The US financial services industry is subject to a vast number of laws and regulations. Some of the most important are the Gramm-Leach-Bliley Act (GLBA), the National Association of Insurance Commissioners (NAIC) Data Security Model Law, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, and the National Credit Union Administration (NCUA) cybersecurity guidance. Here is a quick summary of the most relevant regulations:
The GLBA mandates that a broad range of financial institutions based or operating in the United States, from banks and brokerage firms to payday lenders and tax preparers, protect consumers’ personal financial information. It emphasizes the need for encryption, data governance, and secure information-sharing practices to prevent and mitigate cyber threats.
The most important components of the GLBA include the Federal Trade Commission (FTC) Safeguards Rule, which requires the development of a written information security plan, and the Financial Privacy Rule, which governs how financial data is collected and shared.
Compliance with the GLBA requires prioritizing data encryption and robust access controls to protect sensitive consumer information throughout its lifecycle.
Designed to secure non-public information (NPI) within the insurance industry, the NAIC Data Security Model Law’s requirements closely resemble the GLBA requirements. It includes expectations for implementing comprehensive security programs, including risk assessments, incident response plans, periodic reporting, and controls like governance frameworks and application security protocols.
The NAIC Model Law, which applies to all insurance providers in the United States, is a perfect example of the value a unified approach to compliance can provide, because its requirements overlap significantly with broader, well-established cybersecurity best practices, such as those found in the NIST Cybersecurity Framework.
The NYDFS Cybersecurity Regulation (23 NYCRR 500) is arduous. While it is a state regulation, because it applies to any financial organization that operates in the state of New York, it ends up applying to most organizations in the United States. The regulation is incredibly stringent and sets an unusually—albeit necessarily—high bar for cybersecurity practices. More than any other FinServ regulation, it includes unique components, such as the requirement for a Chief Information Security Officer (CISO) and an annual compliance certification.
That said, many of the requirements – establishing a risk-based cybersecurity program, maintaining secure access controls, and conducting regular penetration testing, for example – are either strongly recommended or mandated by the other regulations. Moreover, other compliance requirements included in the NYDFS regulation, such as encryption, cloud security, and governance, are ubiquitous across US FinServ frameworks.
The NCUA guidance applies to credit unions and focuses heavily on data protection, vendor risk management, and incident response planning. Like the other regulations, the NCUA guidance calls for encryption to safeguard member data, governance policies to ensure accountability, and application security measures to protect against cyber threats. Access to resources can be a genuine concern for credit unions, so implementing a simplified, consolidated compliance strategy that addresses multiple frameworks at once is especially important for them.
Now that you have a broad understanding of the US financial services regulatory landscape, you might notice that many of these regulations have significant overlaps. Every single one of the US financial services regulations mandates that organizations implement:
Therefore, most requirements can be addressed with the same core technologies, without duplicating effort, which dramatically reduces the time, effort, and resources necessary to achieve compliance. Differences between regulations can be addressed on a case-by-case basis.
As a leader in data security and cloud protection, Thales offers a comprehensive suite of solutions tailored to address financial institutions’ unique challenges. Partnering with Thales will help address the vast majority of requirements included in PCI DSS 4.0, GLBA, NAIC, NYDFS, and NCUA regulations – including risk assessment, encryption, governance, cloud security, access controls, and application security – and simplify the path to compliance so you can focus on the essentials: innovation, growth, and offering the best possible service to your customers.
I hope you will take the opportunity to review our new eBook to learn more about how Thales helps financial institutions operating in the United States meet compliance requirements. It contains a detailed mapping of our cybersecurity capabilities to specific regulatory requirements in the United States.