Block ransomware with compliance-driven security
Even if some lawmakers pursue a more permissive regulatory environment, banks, brokers and insurers have little choice but to build a solid foundation in information security; the health of their businesses and brands relies on it—and so do their customers, shareholders and partners. No one wants to hear “rules are there for a reason,” but the fallout from malware attacks is sobering proof that protections aren’t just for show. In April 2024, Ally Bank suffered a major data breach that exposed sensitive customer data—names, addresses and Social Security numbers—of over 4.2 million customers. Without robust security measures in place, Ally Bank now faces two class-action lawsuits due to non-compliance and failure to disclose the breach. Yikes.
As ransomware tactics have evolved, so have compliance mandates. For instance, European FinServ businesses are currently facing a new wave of data sovereignty laws, including the Payment Services Directive 2 (PSD2), Basel III and the Digital Operational Resilience Act (DORA). While this may seem cumbersome to keep up with, emerging regulations are aimed at helping organizations focus on adopting industry-standard security measures to adapt protections to new threats.
As a result of these requirements, businesses are called to constantly monitor and enforce zero trust principles to protect sensitive data and maintain regular reporting. Here are some of the regulations currently working behind the scenes to keep FinServ locked down:
U.S. data protections and regulations
These U.S.-specific regulations are essential for any company in FinServ to maintain strong defenses against cyberattacks, especially ransomware:
- Gramm-Leach-Bliley Act (GLBA): GLBA requires banks and financial institutions to implement security protocols that protect non-public customer information from threats—helping them avoid potentially millions in losses and mitigation costs.
- New York Department of Financial Services (NYDFS): Keeping FinServ in check and ensuring companies are fully prepared, NYDFS requires data encryption, regular risk assessments and incident response plans.
- Federal Financial Institutions Examination Council (FFIEC) Guidelines: A blueprint for financial institutions operating in America, the FFIEC calls for key ransomware defense strategies like network segmentation, endpoint protection and ongoing employee training.
Global data protections and regulations
While regulations can vary across countries, these standards set the bar for how financial services operating internationally protect their operations:
- European Banking Authority (EBA) Guidelines: EBA’s focus on risk management, operational resilience and ransomware defense defines the cybersecurity baseline for all financial institutions across Europe.
- General Data Protection Regulation (GDPR): The gold standard for global data protection, GDPR requires financial institutions to notify authorities of a data breach within 72 hours to help minimize data exposure and long-term impact.
- Cybersecurity Law of the People’s Republic of China (CSL): China’s stringent approach to data security and ransomware defense mandates that companies with operations in China, or that use data related to China, maintain strong defenses for sensitive data and critical infrastructure, with regular risk assessments and reporting.