Management, compliance & auditing

Critical security concerns for the financial services industry

Susan Morrow
May 20, 2020 by
Susan Morrow

Compliance regulations in the financial services industry 

The financial services industry is heavily regulated with compliance requirements focusing on the management of risk and fraud. The sector must comply with a raft of regulatory measures, including: 

  • PSD2
  • MLD4
  • MiFID
  • GLBA
  • SOX
  • EBA
  • National/state data protection law

Financial service providers also must comply with the tenets of GDPR, which revolve around personal data protection. Because of the nature of international banking and finance, these regulations must span international jurisdictions. Even regulations which seem to be outside the direct remit of cybersecurity have implications on the security of personal data, authentication and identity/financial fraud and integrity. The whole is a complex web of requirements and cross-requirements. 

Bank Secrecy Act

Applicable to financial institutions operating in the U.S.

The Bank Secrecy Act (BSA) requires financial institutions in the U.S. to help government agencies prevent money laundering. BSA requires all institutions to create anti-money laundering programs (AML programs). AML programs must incorporate a variety of controls, including independent review of the program, ongoing employee education and written policies and procedures. 

Fourth Money Laundering Directive

Applicable to financial institutions operating in the EU & UK

The EU’s Fourth Money Laundering Directive (MLD4) has a number of provisions to reduce the risk of financial transactions. This includes having strict Know Your Customer or Customer Due Diligence (KYC checks) measures in place. 

Payment Card Industry Data Security Standard

Applicable to financial institutions worldwide

The Payment Card Industry Data Security Standard (PCI DSS) sets out a raft of controls around payment card processing, storage and transmission. This includes secure networks, protection of cardholder data and access control measures. It also describes security policies and assessment rules.

Gramm-Leach-Bliley Act

Applicable to financial institutions operating in the U.S.

The Gramm-Leach-Bliley Act (GLBA) focuses on handling personal information. The act covers banking, insurance, financial advice and stocks and shares. It sets out regulations around the security and confidentiality of personal records.

Payment Services Directive

Applicable to financial institutions operating in the EU & UK

The Payment Services Directive (PSD) is administered by the EU and was initially focused on leveling the playing field in banking. The second derivative of PSD, PSD2, has a number of new changes including improvements in customer protection and security, and payment processing security. 

There is also an express facility within the directive to handle open banking. Open banking requires that banks and other payment providers expose payment interfaces so customers can access their finances using other services. This is one of the main drivers for the financial-tech revolution.

Sarbanes-Oxley Act

Applicable to financial institutions operating in the U.S.

The Sarbanes-Oxley Act (SOX) act creates transparency in data governance and financial reporting. The data security requirements of the act are high level, but it sets out a framework for the auditing of IT infrastructure and managing data-security risks. 

Markets in Financial Instruments Directive

Applicable to financial institutions operating in the EU & UK

The Markets in Financial Instruments Directive (MiFiD) includes regulations which touch the heart of IT system security.

Top security concerns in the financial sector

The regulations described earlier have, in most cases, evolved overtime as a reaction to certain cybersecurity threats. However, cybersecurity threats are constantly changing at pace that even regulations struggle to match. Here are five critical security concerns that should be on any financial security leader’s radar. Understanding and mitigating these threats will help prevent breaches, fraud and noncompliance. 

1. Costs of data exposure

The 2019 Ponemon study on data breach costs reported financial services has the second highest cost of a data breach, at $5.86 million per breach, with an average per-capita cost of $210 per record.[3] Data security issues within banking affect customers’ privacy and security of personal data. Data exposure takes advantage of a multitude of security vectors, including human. 

Safeguarding critical financial data requires a multi-layered approach. Security awareness training is a baseline for tackling the human aspect of security. A security policy that sets out the classification of data and offers measures to address risk across corporate layers should be a critical part of any financial service company’s data protection strategy.

2. Preventing money laundering

Westpac, one of Australia’s largest banks, is expected to pay $900 million in fines for AML noncompliance. Anti-money laundering penalties for noncompliance are estimated to have reached over $8 billion with the U.S. and UK receiving most fines.[4]

Money laundering is a massive issue for banking and contributes to terrorist and other criminal activities. According to the United Nations, laundering transactions total around 2 to 5 percent of global GDP, i.e., $1.6 to $4 trillion a year.[5] 

Together, AML regulations and technology tools can be leveraged to help banks to prevent money laundering. But this is not without cost: Celent estimates global spending on AML compliance and operations globally to be US$8.3 billion US$23.4 billion, respectively, in 2019.[6]

3. Securing endpoints

Like every other industry, endpoint security is an important issue in financial services. The 2019 Verizon Data Breach Investigations Report found that 94 percent malware came in via email and 80 percent of reported incidents involved phishing.[7] 

Endpoint security has become a major headache for financial organizations. No longer does the security perimeter stop at internal networks — it now includes millions of connected mobile and IoT devices. Helping clients and employees understand the impact of a malware infection at the endpoint source can dramatically help mitigate the issue of endpoint security. 

4. Combating insider threats

Insider threats can lead to a number of security incidents in financial services. These include fraud, loss of intellectual property, critical infrastructure disruption, financial loss and reputation damage. 

Insider threats can be both malicious and accidental. Research by Forrester shows 36 percent of lost data comes from accidental exposure. A survey by Kaspersky found that 52% of businesses say employees are their biggest weakness in IT security, careless actions security at risk.[8]

Employees often lack understanding of the impacts their actions can have on their company’s security. This can be combated with workforce security awareness training.

5. Managing third-party & cloud computing risks

Many financial organizations are part of a much wider supply chain network. They also often provide associated services with partner companies. This opens up new entry points to a financial organization through their partner companies’ networks. 

As more companies opt for cloud storage and processing, financial organizations must monitor the impact of a more open infrastructure. Cloud computing, especially if outside of the organization's control, must adhere to security regulations, including the application of advisories from the OWASP Top 10 Application Security Risks report. 

Getting executive buy-in for security awareness training

Cybersecurity continues to be a top concern of IT leaders in an organization. In Ponemon Institute’s 2018 survey, 2018 Global Megatrends in Cybersecurity, they found continued strategic development in the area of cybersecurity, with emphasis on expanding the remit of the CISO, threat intelligence sharing and hiring of managed security services (MSSP).[9]

The trend of cybersecurity inclusion at the board level arises from the danger of both financial and reputational losses from security breaches. A cyberattack has real and far-reaching impact across an organization. It affects the bottom line with costs in remediation, non-compliance fines and even class actions by customers. It also affects how the business is viewed. In the financial services sector, this can be highly damaging: financial service providers must be trustworthy and secure. Loss of customer confidence in a financial organization can result in not only customer loss, but also drops in share value.

Making the links to the business

High-profile attacks in the sector, such as the Carbanak malware $1 billion bank heist of 2015, likely means your executives are aware of the impact of a cybersecurity threat. If not, using clear examples of the impact of cybersecurity issues at a business level will gain advocates. It is important when educating your executives to align your cybersecurity mitigation plan and strategy to real business goals. If you can link those two together, you will gain support from executive-level management.

Foundations of awareness

Management executives also must understand how to address this threat by using their influence as business leaders. This starts with understanding the importance of creating a culture of security and implementing it across the organization and beyond. 

Security awareness training is an integral part of a culture of security and is something executive management must support and promote. There are four steps in encouraging executive buy-in and security awareness training dissemination: 

  • Executive buy-in: Hold formal and informal sessions with the executive team to help them understand the impacts of cybersecurity threats on the organization, and the strategies available to manage them. 
  • Security strategy: Align your security strategy with business goals to maximize buy-in and resource efficiency. 
  • Advocating for support: Recruit your leaders as security advocates in the push towards a culture of security.
  • Building a culture of security and risk management: Implement a culture of security with workforce security awareness training. This is your foundation stone in cybersecurity threat mitigation planning across the organization.

An ongoing business

Building executive buy-in should not be a one-off initiative. Instead, it must be an ongoing, business-led initiative. Consider hosting a mix of formal and informal meetings, workshops and presentations for your executive team. The output from these sessions will be invaluable, both as a baseline for your security policy/strategy and as a way to ensure alignment of business goals around security strategy, compliance and protection against cost implications of a successful security breach.


The financial sector is a prime cybercrime target. It faces cyberthreats at every endpoint — from clients’ personal devices to third-party vendor networks. If a financial service provider is successfully breached, hackers have access to both clients’ personal and financial information. While regulatory frameworks outline security expectations of the industry, it ultimately comes down to people and processes to prevent breaches. 

A security-first culture will help manage these risks and keep data secure. The tools to implement this are human-based as well as technological. The commitment to creating this secure working environment must be made at the executive level. This group of people has massive influence over not just immediate employees, but the wider supply chain and partners. They must instill an expectation that security is integral to business. From this commitment, security awareness training can be used to impart the knowledge needed to make this cultural adjustment a success at the workforce level. 



Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment, IMF 

For Wealth Managers, Off Year Sparks Opportunity to Reignite Growth, Boston Consulting Group (BCG)

2019 Cost of a Data Breach Report, IBM 

Encompass Corporation 2019 AML Penalty Analysis - $8.14 Billion Of Fines Handed Out In 2019, With USA And UK Leading The Charge, Mondovisione 

Cleaning Up: Countries are advancing efforts to stop criminals from laundering their trillions, IMF 

IT and Operational Spending in AML-KYC: A Global Perspective, Celent

2019 Data Breach Investigations Report, Verizon

The Human Factor in IT Security: How Employees are Making Businesses Vulnerable from Within, Kaspersky

Ponemon Institute Announces the Release of the 2018 Megatrends Study, Ponemon Institute

Payment services, European Commission

How to conduct proper customer due diligence (CDD), AML-CFT

Anti-Money Laundering (AML) Source Tool for Broker-Dealers, US Securities and Exchange Commission

MiFiD II, Financial Conduct Authority

PCI Security, PCI Security Standards Council

Gramm-Leach-Bliley Act,

The Sarbanes-Oxley Act, Sarbanes-Oxley Act 2002

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.