Nearly all financial services companies and financial institutions are subject to a number of compliance mandates. The Gramm-Leach-Bliley Act (GLBA) and the Dodd-Frank Wall Street Reform and Consumer Protection Act both provide specific guidance on how financial services organizations must protect consumer data within financial systems. Enforcement of these regulations is overseen by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). The Sarbanes-Oxley Act (SOX) seeks to protect investors by ensuring the integrity of financial reporting, but is vague about the specific activities required. Organizations that process credit card data must also comply with the Payment Card Industry Data Security Standard (PCI DSS), a contractual standard enforced by the card brands and acquiring banks rather than a law. Lastly, financial services companies regulated by the New York State Department of Financial Services (NYDFS) must also comply with its Cybersecurity Requirements (23 NYCRR 500), which set out specific technical and administrative controls that must be in place.
Financial services organizations therefore need complete visibility into every action performed by a user with access to customer, financial, and investor data: every application used, webpage visited, record copied, file saved, screen capture taken, and page printed. Only then can a covered entity know whether protected data has been accessed and used appropriately, whether by true insiders or by external attackers posing as insiders with stolen credentials.
Compliance with GLBA, Dodd-Frank, SOX, PCI DSS, 23 NYCRR 500 or any other mandate is as much about establishing and adhering to policies and procedures as it is about maintaining appropriate technical controls. Both are needed to confirm that users have been instructed on proper access to and use of sensitive data, that access to protected data is correctly granted, that use is appropriate, and that compliance can be demonstrated.
There are severe penalties for non-compliance. The figures commonly cited for GLBA are imprisonment for up to 5 years, fines of up to $100,000 per violation for the institution, and fines of up to $10,000 per violation for officers and directors. Dodd-Frank provides civil penalties of up to $1,000,000 per day for as long as the organization remains in violation. PCI DSS non-compliance fines, levied by the card brands through the acquiring bank, are commonly cited as ranging from $50,000 to $500,000. The NYDFS requirements provide for civil penalties but do not specify amounts.
While most compliance mandates are not broken out into separate objectives for each stakeholder in the organization, each stakeholder has different needs around the common goal of adhering to them:
What is needed is a technology that cost-effectively addresses compliance requirements by monitoring access to protected data, aligning with established policies and processes, providing visibility into how protected data is used or misused, and providing the context needed either to demonstrate compliance or to determine the scope of a breach.
How Do We Help
The intent of each of these compliance mandates is ultimately to ensure the privacy of non-public financial, investor, and personal data. As long as every access to protected data is performed by someone who has a legitimate need and uses the information only for the organization’s purposes, the organization remains compliant. But because users with access to protected data exercise that access every day, it becomes nearly impossible to tell if and when the organization has fallen out of compliance. Add to that the fact that, while the access itself may be appropriate, cutting and pasting the information into a Word document saved to a cloud drive certainly is not, and it follows that the organization needs to monitor and record all user activity, regardless of application.
Veriato assists with establishing compliance with the requirements specific to financial services organizations by giving IT, security teams, and auditors alike complete visibility into every action taken by the organization’s users. Veriato solutions help analyze risk, audit controls, and review activity in order to establish, maintain, and continually demonstrate compliance.
GLBA - 15 U.S. CODE 6801 / FTC SAFEGUARDS RULE - 16 CFR PART 314
Protection of Non-public Personal Information
Veriato acts as a core part of your implementation and maintenance of security measures to protect personally identifiable financial information, specifically by monitoring and reviewing the conduct of your workforce in relation to the protection of non-public personal information.
Below are some examples of how Veriato can assist in addressing GLBA’s requirement for administrative and technical safeguards:
DODD-FRANK - SECTION 154(B)(3), ORGANIZATIONAL STRUCTURE; RESPONSIBILITIES OF PRIMARY PROGRAMMATIC UNITS – DATA CENTER
While broad in scope, this section intends that processes, policy, and technology be put in place to ensure financial data is “kept secure and protected against unauthorized disclosure.” Veriato’s user activity monitoring and behavior analysis technology monitors, and can alert the Council or Director (as defined within the Act) to, inappropriate access to protected data, regardless of application. Below are some examples of how Veriato can assist in addressing this requirement:
SARBANES-OXLEY ACT – SECTIONS 302 & 404
Internal Control Assessment
While SOX does little to specify which internal controls are necessary to ensure the accuracy of financial reporting, section 302 establishes that the signing officers are responsible for those controls, and section 404 requires an annual internal control report. Below are some examples of how Veriato can assist in addressing Sarbanes-Oxley requirements:
NEW YORK STATE DFS – 23 NYCRR 500
Cybersecurity Requirements for Financial Services Companies
New York State has implemented its own additional set of requirements for financial services companies to ensure the integrity and confidentiality of non-public personal and financial information. Below are a few examples of where Veriato can assist in meeting these requirements:
Veriato helps financial services organizations of all kinds satisfy their compliance obligations through detailed, contextual logging of all user activity, both inside the systems housing financial, customer, or investor data and in any other application, combined with screen recording and playback. This level of visibility into user interaction with protected data provides comprehensive evidence for compliance audits. Activity data is searchable, making it easy for an auditor, security team, or IT to find suspect actions and to play back the activity to see what happened before, during, and after the action in question. Reports can be produced in minutes, a fraction of the time typically needed, without pulling critical resources from other tasks.
Veriato assists in meeting a number of specific requirements, using its deep visibility into user activity to provide context around access to protected data: what was accessed and what was done with it. The following sections outline how Veriato can assist with meeting specific compliance requirements.