Safeguarding the confidentiality of corporate information and customers’ personal financial data is more than a best practice. Worldwide, it’s something financial institutions are required to do. It’s a prerequisite to compliance with increasingly stringent legal requirements and industry-driven mandates.
That’s because any lapse in security that allows cybercriminals to commit fraud or theft can devastate consumers and businesses alike.
Specifically because the banking and financial services industry (BFSI) is custodian of the crucial financial and personal data of hundreds of millions of people, it is one of the most prized
targets for cybercriminals. According to figures compiled by
IBM Managed Security Services, the financial services sector moved from the third most-attacked industry in 2015 (behind healthcare and manufacturing) to the first in 2016.
This white paper provides BFSI security managers with guidance in understanding and complying with access management standards unique to this business sector, and explains how access management can ease regulatory compliance burdens. The paper also explains how security measures can be business enablers both internally (for employees and business partners) and externally (for current or prospective customers or clients) by providing user-centric authentication options that connect users smoothly to the data and services they need.
“Nearly three- quarters of CISOs we surveyed said that intrusions resulted in significant operational disruptions over the past two years.
For financial institutions, issues of access are paramount, especially in organizations spanning dozens of systems, thousands of employees, hundreds of thousands of customers and millions of stored records. In fact, attacks such as phishing aimed directly at users rather than at technology, along with the actions of inadvertent actors, such as employees who mistakenly opened the door for an attack through an innocent mistake, made up the bulk of attacks on the financial service industry in 2016.
This underscores the importance of identity and access management (IAM) in the security environment for any organization that manages customers’ money, or stewards valuable financial information such as insurance valuations or stock holdings.
Consider that financial institutions’ point-of-sale systems have become one of the main targets of organized crime and cyber terrorists. Besides their business interest in protecting their own assets and reputation more generally, the BFSI sector is also held
to finance-specific governmental regulations that reflect the value financial assets represent to the public. These include European Union (EU) requirements such as those found in the Revised Payment Services Directive (PSD2), as well as US laws such as the Sarbanes-Oxley Act (SOX) and industry-formulated data privacy schemes such as the Payment Card Industry Data Security Standard (PCI DSS).
Centralizing the identification of authorized users, and successfully managing each legitimate user’s access to computing or data resources (including personal information), are strongly related challenges. An infrastructure that includes IAM capabilities can help financial institutions deal with both of these business needs and decrease the complexity of managing security across systems and user populations..
The size of the IAM market in the banking, financial services and insurance industries was estimated at nearly USD3 billion in 2016—with a projected compound annual growth of 8.7 percent through 2021.2
Adopted in October 2015 by the European Parliament to extend the Payment Service Directive of 2009, the Revised Payment Services Directive (PSD2) requires enterprises that do business in Europe (even if based elsewhere) to focus on standardizing, integrating and improving payment efficiency. PSD2 requirements, which become effective in 2018, are meant to protect consumers’ online payments, promote the development and use of new online and mobile payment systems, and reduce the risks of cross-border payment services.
PSD2 affects many kinds of payment-industry participants. It requires account service providers to make certain kinds of account information available to registered third-party providers by means of application programming interfaces (APIs), and to allow those parties to initiate payments from a specified account. By mandating access to customer accounts, PSD2 expands the ways that non-traditional financial providers can provide consumers with financial services. PSD2 introduces guidelines for risk assessment and strong customer authentication (SCA) to ensure that requiring this level of openness from banks does not jeopardize consumer’s
security or trust in the financial system. While PSD2 does not require a standardized API specification for these interactions, concurrent mandates such as the Open Banking initiative in the UK have arisen to define and support the development of standard APIs. The API requirements of PSD2 and Open Banking present opportunities to deliver value-added services to customers, but for every institution they present technical challenges, including:
The Sarbanes-Oxley Act of 2002 (SOX) is a US federal law enacted in response to major corporate and accounting scandals in which corporate financial information was manipulated, withheld or misused. SOX mandates that covered corporations (including all US company boards, management and public accounting firms) ensure that their financial data is preserved uncorrupted for government auditors. Its provisions dictate that adequate controls be implemented, tested and documented for financial reporting and governance.
IAM can help organizations ensure compliance by limiting access to sensitive records; a solution with built-in reporting capabilities can make it easier to document user interactions with data.
A strong access management platform can help IT and security managers comply with the SOX mandate by:
SOX noncompliance can trigger criminal penalties, as well as civil penalties ranging as high as USD15 million.
The Payment Card Industry Data Security Standard (PCI DSS) was first released in 2004 by a coalition of major credit card providers, with the goal of enhancing cardholders’ security and facilitating the adoption of consistent data security measures among these card issuers. The compliance details have evolved with a series of updates reflecting changing security risks and leaps in credit card technology, but the core principle has remained consistent: credit card issuers and merchants must minimize the risks to cardholder data by employing the best practices specified in the regularly updated standard, several of which have implications for access management. The practices outlined by the PCI DSS are backed by an incentive to comply: an entity that is compromised while it was not compliant is subject to fines.
The PCI DSS specifies 12 requirements for organizations that handle credit cards, such as assigning a unique ID to each person who has access to the credit processing system.
A strong access management platform can help IT and security managers comply with the SOX mandate by:
The costs of a data breach include customer turnover, customer acquisition activities, reputation losses and diminished goodwill.
An integrated approach to IAM and systems access isn’t just about regulatory compliance. An effective IAM approach can help organizations use security as a driver for business, giving users simple, flexible access to services, and helping assure that their information is secure. Innovations such as multi-factor authentication (MFA), federation and fraud protection can help financial institutions meet their access management challenges, while still delivering superlative user experiences. These three capabilities can be united with a well-implemented IAM solution such as IBM Security Access Manager. With a robust IAM system in place, your security team can implement:
Users at risk: Keeper Security recently analyzed a set of 10 million compromised accounts and found that nearly 17% of accounts were guarded with the password “123456.”
To learn more about IBM Security solutions, including IBM Security Access Manager, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.
Additionally, IBM Global Financing provides numerous payment options to help you acquire the technology you need to grow your business. We provide full lifecycle management of IT products and services, from acquisition to disposition. For more information, visit: ibm.com/financing