Why Banks, Financial, and Insurance Organizations Prioritize Policy Compliance

Escalating cybersecurity attacks and regulatory mandates are increasing risks for security breaches, audit failures, brand damage, and lawsuits
Banking, financial services, and insurance (BFSI) companies are among the most targeted by threat actors, auditors, and attorneys. The typical financial services employee has access to almost eleven million sensitive files, and cyberattacks in 2020 exposed over 350,000 of these to attackers (Varonis). A single data breach can cost most firms almost $4 million for remediation, and an additional $4 million in litigation expenses (IBM, Ponemon). Banks spent almost $350 billion on cyberattacks in 2020 (Accenture), and insurance companies were not far behind. Given these risks and costs, more than 70 percent of BFSI firms say cybersecurity is a primary concern (Conference of State Bank Supervisors).
Regulatory mandates have become far more complex in recent years. Most BFSI firms are governed by compliance requirements for Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI-DSS), the General Data Protection Regulation (GDPR), the New York Department of Financial Services (NYDFS), and/or the California Consumer Privacy Act (CCPA). Most regulatory bodies levy stiff penalties for exposing Personally Identifiable Information (PII) or intellectual property (IP). PCI-DSS 4.0 violation fines cost up to $100,000 per month, GDPR can trigger more than $25 million in fines, and the average overall cost of non-compliance can easily exceed $15 million per year.
BFSI organizations often struggle to balance cybersecurity maturity and attack prevention against regulatory compliance requirements. In a large enterprise, departmental priorities must also be considered. Functional areas such as IT, audit, and security often conflict with each other. In most enterprise firms, there are typically three disparate teams with different viewpoints:
- Audit/GRC/Compliance: these functional areas are focused on risks. They don’t want to fail audits or wind up in the news. They also want to prevent compliance fines and lawsuits for failing to protect PII, PHI, IP, etc.
- IT: this group typically runs the shop. In larger firms, this might include IT ops, application admins, database gurus, etc. They fix things that break and want to know what is or might soon be broken that could lead to downtime, vulnerabilities, or SLA failures.
- Security: this team is usually tasked with identifying vulnerabilities in applications, databases or across the IT infrastructure before they can result in security breaches. They want to know how to find and remediate security holes that can lead to cyberattacks, ransomware, bad bots, or other malicious threats.
These three teams have different objectives, perspectives, and service level agreements (SLAs) that influence decisions and actions. What’s required is a cohesive approach that supports the entire compliance process and ensures all three teams are on the same page. Although each team has unique responsibilities, their work clearly overlaps. Compliance requirements for different regulatory mandates may conflict with SLAs or internal policies, which can lead to unnecessary expense in deploying and managing a variety of separate solutions. Such overlaps offer opportunities to consolidate security, IT, and compliance data, policy controls, and other solutions and tasks so that one set of controls covers the requirements of all three teams and saves effort, time, and costs.
Qualys Policy Compliance can help with this objective by adding a vital layer to an enterprise security stack to prevent breaches, audit failures, and IT headaches. For security teams, Qualys PC can augment Qualys VMDR or other vulnerability management solutions by automating the labor-intensive process of assessing security configurations, settings, and controls with a single cloud solution, multiple sensors, robust policy library, and seamless integration.
IT professionals can use the Qualys Cloud Platform to easily deploy Qualys PC across almost any endpoint or operating system without disruption or downtime. Audit and GRC groups can display security configuration issues accurately on a single pane of glass to afford continuous visibility of compliance and security risks. Compliance management workflows allow tracking of exceptions to demonstrate a repeatable and auditable policy management process. You can also customize comprehensive reports to document progress and satisfy auditors.
A recent Qualys white paper titled Preventing Security and Policy Compliance Failures offers additional insights and best practice recommendations on this topic that can help ensure compliance with dozens of regulatory mandates.