Global Cybersecurity Regulations Financial Firms Must Know - 未央网 (Weiyang), Internet Finance Portal

Global Cybersecurity Regulations Financial Firms Must Know



Cyberattacks have become a global epidemic. Cybercriminals now target organizations, critical infrastructure, and governments across the world with increasingly sophisticated attacks.

Ransomware attacks such as WannaCry (May 2017) and Petya (June 2017) put critical functions across the world on hold earlier this summer, while the recent Equifax data breach has affected as many as 143 million Americans. With such attacks persisting, one widely cited industry estimate puts the annual cost of cybercrime damages at $6 trillion worldwide by 2021.

Cybercriminals are typically motivated by monetary rewards. In the case of ransomware attacks, cybercriminals target critical infrastructure and healthcare organizations and hold their data captive until paid. Other cyberattacks aim to steal the personally identifiable information (PII) of consumers, such as financial records. This information can be sold on the dark web for a profit, then used for identity theft, tax fraud, and similar crimes. Theft of this type of information has long-term effects: personal information is not easy to change, and its misuse following a breach is hard to track.

As these attacks and breaches continue to take place, government regulators around the world are realizing that while no one is immune to modern cyberattacks, there is still a lot that can be done to protect critical resources and market sectors. With this in mind, new regulations across Europe, Asia, the UK, and the US are being implemented to ensure proper security measures are in place to protect valuable data.

Recent Cybersecurity Regulations

Globally operating financial services firms have to be aware of new cybersecurity regulations and how they affect their business in order to navigate data rules and remain compliant, especially as they conduct business across borders. Compliance is especially crucial as the punishments for noncompliance typically include large fines.

Below are some of the most recent implemented or proposed cybersecurity regulations that will affect financial services firms.

China

China’s Cybersecurity Law was put into effect on June 1, 2017. The Chinese government aims to use this law to better align with industry and global cybersecurity standards by placing additional requirements on network and system security. The law will directly impact the financial services sector, which it names explicitly among the sectors treated as critical information infrastructure (CII).

CII refers to sectors (finance alongside energy, transport, water, public communications, public services and e-government) in which destruction, loss of function, or a data breach could seriously endanger national security or the public interest. Under the Cybersecurity Law, CII operators must provide authorities with access to data and technical assistance upon request. Financial services firms will also have to demonstrate that their IT infrastructure meets certain specifications and can pass standard cybersecurity tests and certifications, and network products and services they procure may be subject to a national security review. Additionally, personal information and important data collected or generated in China must be stored on servers within the country’s borders and cannot be transferred abroad without a security assessment and, where required, permission. Lack of compliance can result in criminal charges and fines of up to 1 million yuan (just over $150,000 USD at the time of writing).

Financial services institutions that do business in China need to understand and implement the necessary cybersecurity measures, as well as the controls and restrictions the government places on data collected in China.

Singapore

The Cyber Security Agency of Singapore (CSA) released a draft Cybersecurity Bill for public consultation in July 2017. Although it still has to pass through Parliament, it is worth noting the proposed provisions that would specifically affect banking institutions.

Similar to the Cybersecurity Law in China, the bill would give the CSA greater visibility into, and authority over, how data is used, processed, and stored. It would require owners of CII, such as financial services firms, to report cyber incidents to the Commissioner of Cybersecurity, as well as any changes to system design or security. Notably, the bill would override secrecy obligations that otherwise keep banks from sharing confidential customer information, allowing the CSA to access any computer system relevant to an investigation. Lack of compliance can result in fines of up to S$100,000 or, in the most serious cases, imprisonment of up to 10 years.

European Union

The EU’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. GDPR aims to put European citizens back in charge of their data. Where an organization relies on consent as the legal basis for processing, that consent must be freely given, specific, informed, and unambiguous, and data subjects can withdraw it at any time. Data subjects can also request that their data be transferred to another organization (the right to data portability, Article 20). Under GDPR, they also have the “Right to be Forgotten” (the right to erasure, Article 17), under which they can ask that their data be completely erased or that its processing be restricted. Additionally, GDPR requires organizations to implement data protection by design and by default (Article 25), making security a core consideration at the outset of any system or programme that processes personal data.

Notably, GDPR applies not only to organizations established in the EU, but also to organizations anywhere in the world that process data on individuals in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3). It also requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33), the same clock the New York rule discussed below imposes. Due to the high volume of personal information stored and processed by financial institutions, regulating bodies will likely be keeping a close eye on their compliance efforts. Noncompliance can result in fines of up to €10 million or 2 percent of worldwide annual turnover for lesser infringements, and up to €20 million or 4 percent of worldwide annual turnover for severe infringements, whichever amount is higher in each case.

United Kingdom

The United Kingdom government has confirmed that its decision to leave the European Union will not stop its participation in GDPR. The UK is aligning itself with GDPR through the Data Protection Bill, which replaces the UK’s 1998 Data Protection Act. As such, the requirements in the Data Protection Bill are largely the same as those in GDPR, with some UK-specific exemptions addressing journalism and scientific research.

United States

The US is seeing an increased focus on cybersecurity at both the national and state level. Notably for financial services firms, the New York Department of Financial Services’ (DFS) 23 NYCRR 500 cybersecurity regulation took effect on March 1, 2017 and had its first compliance deadline on August 28, 2017. Covered entities (banks, insurers and other DFS-licensed financial services companies operating in New York) must now notify the DFS superintendent within 72 hours of determining that a cybersecurity event has occurred that has a reasonable likelihood of materially harming normal operations or that requires notice to another government body or regulator. This includes disruptions caused by ransomware or DDoS attacks. Covered entities must also maintain a written cybersecurity program and policy and designate a qualified individual as Chief Information Security Officer (CISO), who may be employed by an affiliate or a third-party service provider, to oversee and report on the program. A series of further compliance deadlines follow over the next two years, with the final transitional period ending on March 1, 2019.

Maintaining Compliance Around the World

Lack of compliance with these new regulations can result in heavy financial and business consequences. To ensure compliance, financial services firms should review each of these regulations to understand exactly how their organization will be affected. While each law requires different cybersecurity measures, improving visibility into how data moves and is used across the organization is valuable under all of them.

Conducting a cyber threat assessment (CTA) can give financial services firms an in-depth look at their current security protocol, and areas in which they might be at risk. Conducting a CTA and making adjustments to security accordingly demonstrates to regulating bodies that financial services organizations have actively prioritized security and compliance.

For greater data visibility across distributed environments, financial services firms need to take an architectural approach to security. The Fortinet Security Fabric provides visibility, segmentation, and security automation across networks from endpoints to the core and into the cloud. As regulations increasingly require data to be made available to consumers and regulating bodies in a timely manner, such visibility into data movement and storage will be integral to compliance.

As cyberattacks continue to evolve as a global phenomenon and governments respond with individual regulations to protect their citizens, financial services, often seen as critical infrastructure, will need to adapt their IT and security infrastructure based on geography. As financial institutions transition to meet these new requirements, data visibility will continue to be key.



Author: 常笑, 未央网 editorial team


Copyright © Internet Finance Lab, PBC School of Finance, Tsinghua University | 京ICP备17044750号-1