Why 2FA for financial services is (still) so important

The large-scale cyber attack on JP Morgan Chase in 2014 exposed the vulnerability of financial institutions’ digital infrastructure. As a result of the historic attack, hackers gained access to the personal information of 76 million households and 7 million small businesses. The blow to the bank’s reputation was significant, and swift. Beyond the immediate financial losses, the breach shook customer trust across the industry.

The data exfiltration at JP Morgan Chase didn’t result from an advanced, unheard-of hacking technique. Attackers gained access to the server using stolen credentials.

Almost 10 years later, stolen credentials are still responsible for 49% of breaches from external attacks. The problem is the same; so is the solution: two-factor authentication (2FA) ensures hackers need more than valid credentials to gain access. A simple yet powerful security measure, 2FA for financial organizations is a key solution to protect sensitive data, and more importantly, customers’ trust.

How at-risk are financial services to cyber attacks?

The financial services industry sits at the frontlines of a rapidly evolving cyber threat landscape. Financial institutions, treasure troves of sensitive personal and financial data, are prime targets for cybercriminals armed with an ever-expanding arsenal of sophisticated hacking techniques. The industry faces a growing danger as these threats become increasingly complex, necessitating robust security measures that can adapt and respond effectively to these challenges.

How 2FA reduces the risk of cyber attacks at financial services organizations

Two-factor authentication for finance is a critical line of defense. Why?

To stop an attack, start at the logon

Most cyber attacks, excluding perimeter attacks, require some degree of access that starts with a logon. No logon means no access, and no successful attack.

How does two-factor authentication for finance defend the logon?

A simple username and password is not enough. 2FA requires an additional piece of information to verify a user’s identity. This extra layer could be:

1. Something you know: This is a traditional form of authentication, like a password or a personal identification number (PIN).

2. Something you have: This type of two-factor authentication includes hardware tokens or key cards. For instance, a bank may provide a token that generates a new code every 30 seconds or an SMS may be sent to your registered mobile number during the login process.

3. Something you are: This involves biometrics, such as fingerprints, facial recognition, or iris scans.

4. Somewhere you are: This relies on your geographical location. For example, matching the user’s authorized location with the actual login location.

5. Something you do: This includes patterns, like the way you type or swipe on a touch screen.

In essence, each factor offers a different, additional way for users to verify their identity. Layering two factors substantially strengthens an organization’s overall security profile. (Microsoft even estimates MFA can prevent 99.9% of attacks on your accounts).

The importance of two-factor authentication for finance

Further, 2FA for financial institutions is important for four key reasons.

Financial institutions are a frequent target for cyber attacks

Again, this is fairly easy to explain: there’s money in money. Across all industries, most external threat actors are financially motivated. That holds true for the financial industry, as IS Decisions original research shows financial gain is the most common motive behind attacks on the financial industry.

Data breaches on financial institutions are costly

What’s more, data breaches on financial institutions are costly, second only to healthcare, with an average cost of $5.97 million per data breach. The cost extends far beyond immediate financial losses. A breach can severely impact a company’s reputation, customer trust, and market value.

2FA keeps most data breaches from happening

Moreover, cyber attacks, including phishing, credential theft, and ransomware, all require some degree of access. Now, this is where 2FA shines. Even if hackers successfully compromise credentials, 2FA stops the attack before damage is done.

2FA is increasingly a regulatory requirement

Finally, compliance mandates increasingly reflect the critical importance of securing the logon. As a reflection of that, 2FA pops up as a common requirement across regulatory and compliance standards. Regulatory bodies across the globe are tightening their rules around access to financial data, and penalties for non-compliance can be severe. Additionally, the world of cyber insurance also recognizes the value of 2FA, also known as multi-factor authentication (MFA), frequently making MFA a requirement for coverage.

How 2FA supports your financial compliance checklist

To that last point, what are the essential 2FA requirements for financial compliance?

Below, we’ll walk through various compliance standards aimed at financial institutions, and outline what they have to say about 2FA.

The FTC Safeguards Rule

First, the Federal Trade Commission’s Standards for Safeguarding Customer Information (the Safeguards Rule, for short) apply to financial instititutions that store customers’ payment information or financial data. The Safeguards rule requires organizations to implement a reasonable information security program to protect customer information. The updated FTC Safeguards rule, in effect since June 9, 2023, broadens the application to across industries to organizations that store customer financial information, with some exceptions.

A condensed checklist for FTC Safeguards compliance

• Designate a qualified individual for your information security program: This person may be an employee, or work for an affiliate or service provider. What matters is that the person’s expertise must match your business complexity and needs. For example, who is “qualified” will be different for a 5 person company vs. an enterprise with 5,000 workers globally.

• Conduct a risk assessment: You need to know what information you have, where its stored, and what the internal and external risks are. This assessment should be in writing, and you’ll need to run regular reassessments.

• Design and implement safeguards to control risks: You’ll need to understand and safeguard access to sensitive information. The FTC now requires robust access controls, including multi-factor authentication (MFA) for any user accesing customer information on your system.

• Regularly monitor effectiveness of safeguards: You’ll need to test procedures to ensure they do indeed detect attempted or successful attacks. You can do this through continuous system monitoring, or annual penetration testing.

• Train your staff: Because your organization’s information security is only as strong as your weakest link, you’ll need to implement cyber awareness training for employees.

• Monitor your service providers: Your service provider contracts must detail security expectations, and build in periodic reassessments.

• Keep information security program current: Any changes in personnel, emerging threats, or new risks (i.e., regularly), you’ll need to periodically modify and update your security program.

• Create a written incident response plan: You need a written plan to lay out what happens if a security event results in unauthorized access or misuse of information.

The Sarbanes-Oxley Act (SOX)

Also a key standard, Sarbanes-Oxley Act (SOX) applies to all U.S. publically-traded companies, including subsidiaries. In addition, foreign companies conducting business and publicly trading in the U.S., along with accounting firms auditing public firms, must also comply.

A short checklist for compliance with SOX

• Prevent Data Tampering– Leverage software to track user access to all systems containing sensitive data and detect intrusion attempts.

• Establish Timelines – Use a system to timestamp data as it arrives in real-time, storing and securing it remotely to prevent manipulation or loss.

• Track Data Access – Employ software that can gather data from a myriad of sources, supporting collection from file queues, FTP transfers, and databases.

• Verify Safeguard Operations – Utilize an ERP or GRC system that can issue daily reports, enabling remote safeguard operation verification.

• Report Safeguard Effectiveness – Implement systems that generate diverse reports, including those on all messages, critical messages, and alerts.

• Detect Security Breaches – Use a platform that performs semantic analysis of messages in real-time, refining incoming messages into high-level alerts indicating security breaches.

• Disclose Safeguards to Auditors – A system has to be in place that grants auditors access using role-based permissions, allowing them to view specific reports and facilities without making alterations.

• Share Security Breaches with Auditors – Implement technology capable of detecting, logging, and notifying security personnel of breaches in real-time.

• Disclose Security Safeguard Failures – Employ a system that regularly tests network and file integrity, verifying that messages are logged and that the system successfully monitors IT security.

GLBA

As a whole, any financial service organization in the U.S. must rigorously adhere to the Gramm-Leach-Bliley Act (GLBA).The act emphasizes stringent customer data protection. Moreover, the GLBA encompasses key aspects, such as: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions.

A brief checklist for GLBA compliance

• Privacy Notices – Financial firms should craft comprehensive, accessible privacy notices, delineating the type and purpose of collected data, and information-sharing entities.

• Opt-out Mechanisms – Opportunities should be provided for customers to prevent their data from being shared with non-affiliated third parties.

• Protection of PII – Institutions must implement strong security measures like encryption and access controls to safeguard customers’ personally identifiable information (PII).

• Employee Training – Regular training on privacy policies ensures employees adhere to the Financial Privacy Rule and keep up with evolving requirements.

• Privacy Policy Reviews – Conducting periodic reviews of privacy policies ensures compliance with changing regulations.

• Risk Assessment – Regular evaluations to identify customer data types and associated risks are critical for determining necessary security measures.

• Security Policy Development – Institutions should create security policies addressing risk areas like data access, employee training, incident response, and vendor management.

• Designation of a Security Officer – A dedicated individual should be appointed to oversee the security program and ensure compliance.

• Security Systems Monitoring – Regular testing and monitoring of security systems are necessary to identify potential weaknesses or vulnerabilities.

• Vendor Management – Robust controls should be in place for managing third-party vendors with access to customer information.

• Employee Authentication – Strong authentication protocols (i.e., 2FA) should be implemented to verify the identity of employees accessing customer data.

• Data Access Controls – Implement stringent controls to limit data access to authorized individuals only.

• Pretexting Awareness Training – Regular training on pretexting risks, social engineering tactics, and incident response protocols is crucial.

• Suspicious Activity Monitoring – Implement systems that swiftly detect and respond to suspicious activities to prevent unauthorized access attempts.

• Incident Response Plans – Well-defined response plans should be in place for effective containment, investigation, and remediation of security breaches.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines to safeguard cardholder information and prevent data fraud. Established by leading credit card companies, this standard applies to all organizations dealing with cardholder data.

A brief PCI DSS compliance checklist

• Firewall Implementation – Set up firewalls to protect your network, restrict public access to cardholder data, and deploy firewalls on devices used to access the network.

• Default Settings Reconfiguration – Alter default system credentials before deployment, apply custom configurations, and ensure encryption and password protection for non-console admin access.

• Cardholder Data Protection – Limit data retention, refrain from excessive data collection, mask permanent account numbers, and encrypt cryptographic keys.

• Data Transmission Encryption – Utilize strong cryptographic protocols for data in transit and avoid storing payment account numbers in plain text.

• Malware Protection – Equip devices with antivirus software and regularly update it to tackle the latest malware threats.

• System and Application Security Maintenance – Install the latest security updates, establish a framework for identifying new vulnerabilities, and ensure compliance with PCI DSS for developed applications.

• Data Access Restriction – Only allow necessary personnel access to cardholder data and implement access control systems for shared components.

• User Identification – Assign unique credentials to each user, implement strict authentication methods, incorporate two-factor authentication, and avoid storing passwords in plain text.

• Physical Access Restriction – Control physical access to cardholder data, implement effective entry controls, use video surveillance, secure off-site backups, and responsibly discard data-containing media.

• Network Monitoring – Link access to specific users, automate auditing for data reconstruction, and daily review system component logs.

• Security Testing – Utilize wireless analyzers, perform vulnerability scans, and employ network intrusion systems to monitor traffic.

• Cybersecurity Policy – Have a policy covering all PCI DSS requirements, clearly define cybersecurity responsibilities, conduct regular cybersecurity awareness programs, and maintain an incident response plan.

23 NYCRR 500

The NYDFS Cybersecurity Regulation, or 23 NYCRR 500, is a unique set of cybersecurity standards enforced by the New York State Department of Financial Services (NYDFS) for financial institutions operating in New York. Beyond that, it also applies to unregulated third-party service providers. This regulation compels financial institutions to adopt a detailed cybersecurity framework and requires robust reporting on cybersecurity events. These rigorous cybersecurity practices are aimed at securing customer and financial data, serving as a model for financial institutions globally.

To comply with regulation 23 NYCRR 500, financial organizations need to:

• Cybersecurity Program – Establish a cybersecurity program based on periodic risk assessments, aiming to protect information systems and non-public information, and manage cybercrime events effectively.

• CISO Appointment – Appoint a Chief Information Security Officer to supervise and enforce the cybersecurity regulations, either an in-house specialist or outsourced from a third-party service provider.

• Penetration Testing – Conduct regular penetration testing and ensure continuous learning for cybersecurity experts regarding the latest security information and cyber threats.

• Audit Trail – Create audit trails for all transactions following a cyber breach and maintain these records for at least three years.

• Risk Assessments – Perform bi-annual, documented risk assessments to consider threats and assess security risk levels.

• Cybersecurity Personnel – Employ a qualified cybersecurity officer or a third-party service provider to manage institutional risks and oversee cybersecurity strategies.

• Multi-Factor Authentication – Implement multi-factor authentication for all individuals accessing nonpublic information from external sources.

• Training and Monitoring – Provide regular cybersecurity training for all personnel, delivered by professional information and cybersecurity experts.

• Encryption – Implement encryption controls based on risk assessments to secure nonpublic information held or transmitted over external networks.

• Annual Compliance Certification – File an annual compliance certification confirming the board’s review of the firm’s cybersecurity policies and implementation plan.

GDPR

The General Data Protection Regulation (GDPR) is to safeguard individuals’ personal data. GDPR enforces stringent privacy standards, asserting everyone’s right to private life and responding to the blurred boundaries between public and private lives in today’s world. Now, while GDPR does not explicitly require MFA, it significantly helps organizations meet their GDPR requirements. Here’s a condensed checklist for GDPR compliance:

• Data Identification – Understand all personal data your business collects, how it is processed, stored, and disposed of. Recognize the sensitivity level of the data for GDPR compliance.

• Data Protection Officer – Appoint a DPO to oversee the data protection strategy. This is mandatory for organizations conducting large-scale data processing, handling special data categories, or for public authorities.

• GDPR Diary – Create a GDPR Diary or Data Register, detailing your data processing activities and GDPR compliance practices. This helps in audit situations and data breach incidents.

• Data Collection Evaluation – Collect only necessary data. Scrutinize all data requirements using Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA).

• Data Breach Reporting – Immediate notification of data breaches is mandatory under GDPR. Report breaches within 72 hours to the supervisory authority via the correct hierarchy.

• Transparency – Be clear about why you collect certain data. Display data collection acknowledgment at every data collection point to avoid clandestine collection.

• Age Verification – Verify the age of all users. GDPR permits data processing for persons aged 16 and above; younger users require parental consent.

• Double Opt-in Process – Implement a double opt-in process for email list sign-ups. This verifies that users have consciously consented to data relinquishment.

• Updated Privacy Policy – Keep your Privacy Policy current and accessible, informing users about the data collected and its use. Moreover, don’t forget to update customers whenever changes are made.

• Third-Party Risk Assessment – Regularly assess security risks associated with third-party vendors and have remediation strategies in place. Implement GDPR-specific risk assessments to ensure compliance.