
Why cyber regulation needs improvement

Banks are a goldmine for malicious actors because they not only protect customer funds but also store tons of sensitive customer data. The rapid evolution of digital banking and the growing number of interconnected devices have made it easier for customers to manage their finances through online channels, exposing banking companies to increasing levels of cyber threats. The impact of cyberattacks on banks can be devastating, and decisive measures are needed to counter the ever-changing cyber threat landscape.

While many of these efforts are regulatory, they provide more of a foundation for effective online practices than comprehensive manuals. As a result, banks have had to constantly find ways to combat threats such as ransomware, distributed denial of service (DDoS) and phishing attacks.

Regulation

The significance of cyberattacks in the banking sector has led to the creation of a number of cybersecurity regulations, which put constant pressure on banks to maintain strong cybersecurity practices. These regulations affect, among other things, data processing, cyber risk testing and incident reporting. Examples include the Bank Secrecy Act, the Gramm-Leach-Bliley Act, and most recently the Digital Operational Resilience Act. Failure to comply with cybersecurity regulations often results in financial penalties for banks imposed by the authorities. For example, in October 2023, Paytm was fined $645,000 (INR 53.9 million) by the Reserve Bank of India for failing to report cybersecurity breaches in a timely manner.

Many cybersecurity regulations in the banking industry overlap, creating challenges for banks in devoting resources to compliance. A 2023 study by ServiceNow found that 80% of banks have issues with data protection and privacy regulations. To solve this problem, most banks prioritize mandatory regulations and avoid or pay less attention to optional regulations. These issues have led to industry-wide calls for improved cybersecurity regulations. For example, in November 2023, the Bank Policy Institute and the American Bankers Association called on the White House Office of the National Cybersecurity Director to take action to address multiple overlapping regulations.

Industry best practices

It is becoming increasingly clear that regulatory compliance alone is not enough to ensure cyber resilience in the banking sector. Banks must also implement effective strategies to prevent, identify and eliminate cyber threats. These best practices include creating internal frameworks, teams, cultures and incident response plans. Such efforts can also help banks comply with cybersecurity regulations.

A best practice that has received a lot of attention over the past two decades is hiring a chief information security officer (CISO). CISOs play a key role in a company’s cyber resilience as they work to understand cyber threats and vulnerabilities and communicate them to key stakeholders across the company. In some cases, the CISO will sit on the board of the company where they work, which enables them to share their findings with other members of the management team. A study by GlobalData found that 18 of the top 20 banking companies by market capitalization employed a CISO as of May 17, 2024. However, none of these CISOs serve on their company’s board of directors.


New technologies and initiatives

Many banks are exploring the use of other technologies alongside existing security controls to improve risk levels and protect against potential future threats. Banks are using artificial intelligence to strengthen their cybersecurity efforts. For example, Nubank offers so-called intelligent defense, a protection system built on artificial intelligence that recognizes, warns about and can prevent transactions that deviate from a customer’s purchasing patterns.

Biometric authentication systems have become common in the banking sector. In particular, payment processors have integrated biometrics into digital and physical payment interfaces. At the most basic level, fingerprints are often used as a method of verifying the identity of customers. However, such practices raise concerns about how biometric data is processed.

Examples of other initiatives include using behavioral science to help customers and employees better understand and protect against phishing attacks, and taking preventive measures to protect data against quantum computing. For example, in July 2023, HSBC joined BT and Toshiba’s Quantum-Secure Network to secure the transmission of test data and information between multiple physical locations using quantum key distribution.

Future perspective

If banks are to ensure cyber resilience, a number of changes need to be implemented. Most importantly, regulatory requirements must be consolidated if banks are to ensure that they fulfill their mandates effectively. Moreover, wider acceptance of advanced biometric identification methods requires overcoming significant barriers and ensuring proper protection of biometric data. While the idea of hiring a CISO is a relatively new area of interest, banks that do not have a CISO on their board may not fully recognize the importance of cybersecurity as a top priority for their organization or, at the very least, may risk giving the impression that cybersecurity is not a primary area of concern.

Suneet Muru is an associate analyst on GlobalData’s thematic team