
The big 6: essential financial regulations security leaders should know

In this blog, we cover the biggest international laws and standards security leaders should know about in 2025.

Howard Poston, Feb 18, 2025

The costs of regulatory non-compliance can be high for a business and its executives:

  • GDPR can levy fines of up to 20 million Euros or 4% of global turnover.

  • PCI DSS non-compliance carries the risk of being forbidden to process payment card transactions.

  • Sarbanes-Oxley Act (SOX) allows executives to be held personally liable for gross negligence.

While these are some of the more established regulations and penalties, things are changing quickly. The rise of AI has many jurisdictions scrambling to regulate its creation and use.

As Institutional Decentralized Finance (DeFi) expands, companies are struggling with unclear requirements, especially as transitions in national leadership drive policy U-turns.

Many of these regulations have explicit cybersecurity components, and protecting sensitive data is a common theme. CISOs are responsible for ensuring that their organization remains compliant now and in the future.

Often, companies take a “check the box” approach to compliance, which can create unscalable and unmanageable compliance programs. Since many regulations have overlapping requirements, a better approach is to build a strong security program and map it to compliance. 

We’ll provide some suggestions for this later on, but you should also consult legal counsel or accredited advisors for various regulations as part of your compliance efforts.

Key financial industry regulations security teams should know

Many of the financial sector’s numerous regulations vary from one jurisdiction to another. For example, many countries have anti-money laundering laws, and international standards exist. However, there can be significant differences in regulatory requirements and fine print.

Here, we’ll highlight some of the most significant international laws and standards, as well as regulations in other related areas, such as corporate transparency and anti-money laundering. 

Note: This is not an exhaustive list, and it may not be directly applicable to every financial institution, but it will give you a sense of the types of requirements and controls that a security leader should know about and prepare their org to comply with.

Payment Card Industry Data Security Standard (PCI DSS)

Unlike many regulations in this list, PCI DSS wasn’t created by a government entity, but by the largest banks in the financial industry, who banded together to combat potential payment card fraud. 

The PCI DSS is a standard that applies to any businesses that accept payments using credit or debit cards, making it one of the most widely applicable sets of requirements in the world.

Who has to comply with PCI DSS requirements?

All merchants and service providers that process, transmit, or store cardholder data must comply with the PCI DSS:

  • Merchants accepting debit or credit card payments for goods or services. Note that the PCI DSS applies to merchants even if they have subcontracted their payment card processing to a third party.

  • Service providers directly involved in processing, storing, or transmitting cardholder data on behalf of another entity.

Cost of PCI DSS non-compliance

Fines for non-compliance range from $5,000 to $100,000/month, plus credit monitoring fees. Violating PCI DSS can trigger cascading violations—for example, a data breach due to poor payment data protection can breach EU GDPR, risking heavy penalties. 

Where to start 

At its core, PCI DSS is focused on protecting cardholder data against unauthorized access and misuse. Its 12 requirements include best practices for endpoint and network security, access management, and employee training.

A good starting point for PCI DSS compliance is figuring out which systems and business flows genuinely require access to actual payment card data (as opposed to substitute identifiers such as tokens).

Then, isolate these systems and processes from the rest of the business using network segmentation, least privilege access controls, and encryption to minimize the scope of compliance and the digital attack surface. 

This creates what the PCI DSS calls a Cardholder Data Environment (CDE), and protecting that is a key component of PCI DSS compliance.

General Data Protection Regulation (GDPR)

The European Union’s (EU) GDPR was designed to protect the personal data of EU citizens against unauthorized collection, use, or breach. 

It includes “adequacy” requirements for cross-border data transfers, which mandate that countries or companies processing and storing EU citizen data have equivalent protections in place. GDPR has prompted many similar laws in other jurisdictions in the years since its enactment.

GDPR is highly relevant to the financial industry because almost all financial data counts as personally identifiable information (PII) that is protected under GDPR.

This means that financial organizations need to comply with requirements regarding:

  • Consent to collect and process data.

  • Data security measures.

  • Incident response.

  • Restrictions on automated decision-making.

Additionally, GDPR has overlapping requirements with other financial regulations, such as the USA’s Gramm-Leach-Bliley Act’s (GLBA) requirements regarding data security and disclosure of data-sharing practices.

GDPR boils down to keeping tight control over an organization’s data to maintain users’ rights to privacy and control over their own data. 

To start, CISOs need to map out all potential sources, repositories, and users of protected data. From there, they can ensure that each of these operates in compliance with regulatory requirements, such as consent for collection and processing, data encryption, and access management.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) is a U.S. regulation introduced in the wake of Enron’s collapse in 2001, when the $63.4 billion energy company went bankrupt. The collapse sent ripples through the US stock market and several of Enron’s C-level executives to prison for fraud and other financial crimes.

SOX is designed to protect investors in publicly traded companies against fraud, so it requires reporting on the potential risks to an organization’s financial activity. This report includes cyber risks, which means that the organization needs to accurately assess and report on its cybersecurity posture to regulators.

While responsibility for SOX compliance largely falls on the CEO and CFO—who have to personally attest to the accuracy of reported information—the CISO plays a key role in generating an accurate report of cybersecurity risks. 

This means that CISOs need to ensure that their teams can accurately assess cybersecurity posture and that executives have a clear understanding so that they can certify the final reports.

Bank Secrecy Act (BSA) and anti-money laundering (AML) laws

These anti-money laundering (AML) laws are primarily focused on ensuring that banks report large transactions and have AML and know-your-customer (KYC) controls in place. 

However, this also means that financial institutions need to have controls in place to protect against breaches of the data required to make these determinations.

Transaction monitoring and reporting under the BSA and similar laws might not fall under the CISO’s remit. However, CISOs should ensure that the data required to meet these obligations is protected against unauthorized access and managed in accordance with other applicable regulations, such as PCI DSS or the California Consumer Privacy Act (CCPA).

Systems and Organization Controls 2 (SOC2) 

SOC2, developed by the American Institute of CPAs (AICPA), is an optional standard in which an auditor assesses a service provider’s controls in key areas.

While all SOC2 reports will include a security assessment, service providers can also seek accreditation against the availability, processing integrity, confidentiality, and privacy Trust Services Criteria (TSCs).

Achieving SOC2 certification helps build trust with investors and customers. Additionally, this optional standard can have significant overlap with other mandatory regulations due to its requirements for privacy (such as GDPR), security (for example, GDPR and PCI DSS), and availability (such as NIS2 or DORA).

When seeking SOC2 certification, the first step is to identify the TSCs that would provide a positive ROI for the business. 

While security is a mandatory component, the organization can optionally add any of the others based on what customers would value most or for synergy with other regulations. For example, an organization already subject to NIS2 or DORA might seek attestation against the availability criteria.

Choosing the TSCs up front determines which controls apply and what the organization needs to do to implement and demonstrate them.

SEC cybersecurity disclosure rule

In the U.S., the Securities and Exchange Commission (SEC) is one of the government agencies responsible for regulating the financial sector. One of their requirements is that a public company experiencing a material event must file Form 8-K to inform shareholders.

While this could include announcements of events such as acquisitions or bankruptcies, an SEC rule released in July 2023 mandated that material cybersecurity breaches be reported via a Form 8-K within four days of the company determining that they are material. 

Additionally, public companies’ annual 10-K report needs to include information on their cyber risk management practices, likely effects of cyber threats and past incidents, and management’s role and expertise in cyber risk management.

This rule requires CISOs to have certain governance and incident management capabilities in place. From a governance perspective, the organization needs well-defined cyber risk management and oversight practices that the board can attest to.

On the incident response front, CISOs can help ensure that security teams have the knowledge and skills required to remediate security incidents and to make a determination of “materiality” that can be defended to regulators and shareholders.

Start with a single framework that maps to specific regulations

In some regulations, such as the U.S. BSA, security plays a secondary role, while in others, the primary goal is to protect sensitive financial data against attack. Even similar laws, like the GDPR, the UK Data Protection Act (DPA), or the CCPA and California Privacy Rights Act (CPRA), may have significant differences in their requirements.

In general, the best way to build a compliance program is to adopt a single framework that maps to various regulations, rather than attempting to individually address the requirements of each specific regulation. For financial sector requirements, two useful framework options are ISO/IEC 27001 and the NIST Cybersecurity Framework (CSF).

Important: Consult a lawyer or legal team before investing a lot of time and work into a compliance program, to ensure that your compliance efforts will cover all of the requirements for your specific industry and jurisdiction. This can help you target programs to meet certain requirements and save time by only working towards applicable requirements.

After designing a comprehensive and scalable security program based on these tools, security leaders can work on identifying and addressing potential gaps between their existing controls and regulatory requirements. 

For example, neither ISO/IEC 27001 nor the NIST CSF includes all of GDPR’s consent requirements or its “right to be forgotten”. But the data visibility and control provided by a solid security program built on those standards should simplify adherence to these requirements as well.

Build, test, & improve security capabilities with HTB

Achieving and maintaining compliance with these regulatory requirements poses a significant challenge for security leaders. This includes taking note of existing security controls and processes to ensure they meet regulatory requirements, as well as protecting customers against data breaches and other cyber threats.

Many industry-leading frameworks and regulations, like the NIST Cybersecurity Framework (CSF), ISO/IEC 27001, and PCI DSS, emphasize the importance of testing and refining your incident response playbooks.

Hack The Box (HTB) offers organizations the tools they need to build core skills and effectively test their cybersecurity and compliance programs. From Crisis Control simulations to DFIR labs for incident response, HTB provides valuable skills training for blue teams looking to meet strict new incident reporting deadlines.
