Cloud Security Solutions and Regulations for BFSI

On October 7, 2023

The worldwide security market is expected to grow at a breakneck pace, driven by increased demand for cloud-based security solutions, evolving cyber threats, and a shifting regulatory framework that demands stronger and broader security compliance with each passing day.

The highly regulated BFSI industry is a favourite target for cyber criminals because a successful breach translates directly into financial gain. Cyber attacks against BFSI organisations have escalated in recent years, especially since the pandemic, and they have also become more sophisticated. The rise in the number of fraud incidents has resulted in significant financial losses for firms across the sector. Experts expect these attacks to continue unabated for the foreseeable future, increasingly geared towards stealing money and identities.

Regulators have not lagged behind this increase in targeting: the EU initiated the Digital Operational Resilience Act (DORA) in 2022 to modernise the information security management process and increase digital operational resilience across BFSIs.

How do Insurance firms and the BFSI industry fare when it comes to cyber security and risk management?

Banks, insurance organisations, non-banking finance companies, new-age fintechs, and microlending institutions all serve millions of consumers spread across a large geography. They hold control and custody of personal and confidential information about each client, such as income source, pension or social security number, tax identification, email, phone numbers, date of birth, and so on. "What's the big deal if that information is stolen or compromised?" Well, it leads to identity theft and huge financial losses. The loss of millions of customers' banking information, health records, and credit/debit card data in breaches has shown that perpetrators largely target the BFSI sector.

From the advent of the GDPR to the transition to the new UK privacy regulations post-Brexit, personal data protection and information security have been at the forefront of discussion among boards and regulators, from the boardroom to Parliament, in recent years. GDPR reviews and monetary fines have shown us all the adverse impact on an organisation that has not kept pace with regulatory requirements. With DORA around the corner, BFSIs should be well prepared during the grace period of 12-18 months provided in the draft regulations.

The key areas of focus are:

  • Risk management

  • Incident identification and reporting

  • BCP & DR updates

  • Vulnerability assessment and penetration testing (VA-PT) processes

  • Threat intelligence and defense strategies

  • Third-party/ vendor risk management

Cloud adoption and migration from on-premises systems to cloud solutions will also increase the complexity of implementation in an ever-changing security landscape.

Some recent incidents:

Identity fraud is one of the most severe threats to the financial services industry, with attackers draining money from unsuspecting consumers' accounts. For example, hackers stole more than two million pounds from the accounts of over 9,000 clients of a major British bank. Another challenging evasion technique the BFSI sector is dealing with is synthetic fraud: cyber criminals build detailed profiles of non-existent people from stolen consumer data and fake credentials, and commit financial crimes under those identities.

The off-site and work-from-home culture adopted around the globe has widened the risk surface. Securing home networks, keeping up with patch management, and protecting against a bizarre new world order with a changing threat landscape already leave the InfoSec team with their hands full. The focus on cyber risk and security shifted dramatically during the pandemic, and with regulatory change on top, the situation can feel intimidating. BFSIs and the healthcare industry saw a tsunami of cyber incidents at an unprecedented scale, particularly cyberattacks and ransomware.

We witnessed legitimate companies with hundreds of machines running decades-old legacy operating systems and programs that had no support or patch updates, leaving them exposed to cyber attacks. Gaps in vendor-related security preparedness only sweetened the deal for the black hats in difficult times.

The issue of data governance and interpretation

Until recently, data governance in the BFSI sector was more concerned with regulatory compliance than with maximising the business value of the torrents of diverse data flowing across the organisation at all times. As a result, massive volumes of data may be aggregated using a number of different parameters and definitions. When varied tailwinds such as policy changes or government programmes, mergers and acquisitions, a growing rural digital client base, pandemic-induced upheavals, and increasing marketplace complexity are factored in, the data remains rife with competing interpretations. In such times there is a significant need to rethink and reinterpret data governance in order to arrive at a far more comprehensive, consistent, and forward-looking definition. Left unresolved, this conflict of interpretation leads to a flurry of concerns that must be addressed.

While financial institutions are expected to follow regulatory norms and standards in order to keep their systems risk-free, there are occasions when they do not understand or implement them in the spirit required. Most organisations lack a cyber-audit approach that includes periodic penetration tests across diverse protocols. Inadequate testing and a shortage of cyber security personnel are typically the causes of non-compliance. The sector may also face challenges with incident management and reporting timelines similar to those faced under the GDPR. Threat intelligence is an area that is still immature and will require more focus in the times to come. As a result, cybercrime, data breaches, and the handling of routine IT issues are all too common.

Compliance rules usually address the geographical location of the data in relation to the clients served. GDPR, for example, protects the security and privacy of personal data held by EU citizens.

BFSI security requirements include the following:

  • GDPR – The General Data Protection Regulation protects the personal data of EU citizens

  • DORA – Aims to streamline the information security and risk management to increase digital operational resilience across BFSIs

  • ISO/IEC 27001 and 27701 – International security and privacy standards. ISO/IEC issued the revised standards that came into force in 2013 and 2019 respectively. They define the requirements for establishing, implementing, maintaining, and continually improving an enterprise's management of its information security and privacy challenges.

  • SOC 2 – The AICPA-guided certification is an auditing procedure carried out to provide consistent security over the organisation's interests and the privacy of its clients.

  • PCI DSS – The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard for businesses that handle the branded cards of the major card schemes.

In the midst of digital transformation and the adoption of new technologies, cybersecurity issues in the fintech and BFSI sectors continue to evolve. Malicious and fraudulent actors increasingly target and exploit commercial banks, credit unions, stock brokerage firms, asset management firms, and insurance companies that allow digital transactions through web, mobile applications, or other channels. Collaboration with regulators and security providers will therefore allow the BFSI sector to stay on top of compliance and regulatory changes and to do justice to its security and privacy requirements.