Financial Industry Under Stricter Scrutiny

It doesn’t feel so long ago that more and more people were beginning to recognize the unprecedented growth of cybercrime and data breaches, reflected in the increasing number of outlets (present company included) forewarning about the progressive frequency of data breaches.  How stories like Target’s and Michaels’, and even smaller businesses, were becoming the norm.  Well, it seems that new reality is already underway, and regulatory agencies tasked with oversight on cybersecurity are acting accordingly.  HIPAA measures already govern the health care industry, providing protections for patients’ sensitive information and enacting punishments for those entities which do not adequately follow these requirements in the event of a breach.  Following suit, the Financial Industry Regulatory Authority (FINRA), is now imposing similar measures in the financial sector, along with the Securities and Exchange Commission (SEC).

Both organizations have issued reports recommending best practices and policies for entities to pursue, and are not shy about taking action against the negligent.  Fines have been given to firms like Sterne Agee, who experienced a laptop theft that exposed unencrypted information of 350,000 customers, earning a $225,000 penalty.  Another firm experienced a breach that exposed 200,000 customer profiles, including their Social Security numbers, and got hit with a $375,000 fine when FINRA determined its system penetration tests were insufficient for its password management and encryption procedures.  Speaking of which, while FINRA does acknowledge that every entity is unique, with no one solution applicable to every organization’s operations and structure when it comes to data security, it also emphasizes the crucial importance of of encrypting data at rest and in transit, as well as training employees in cybersecurity policies, to mitigate the risk they pose as walking vulnerabilities who deal with a firm’s sensitive information on their personal devices.

The Web grows as the world shrinks, facilitating the efforts of cyber thieves targeting organizations and the people whose information they keep.  A stronger stance is thus being taken with financial firms, with enforcement actions ready to be levied at those who fail to “safeguard confidential customer information,” demonstrate “inadequate user access restriction,” and do not “rapidly remediate a device the firm knew was exposing customer information to unauthorized users.”

By: Jonathan Weicher