Download our FREE whitepaper on data loss prevention best practices. Download Now

Federal Reserve and FFIEC Requirements for Safeguarding Customer Data

When it comes to protecting customer data, breaches are occurring more frequently as a result of Insider Threats, and poorly-implemented security controls that allow for the mishandling of sensitive data from within the organization itself.

Insider Threats are not necessarily due to nefarious actions by employees. Often they are the result of today’s collaborative IT infrastructures and workforces; which increases the potential for data to be shared across internal systems, employee endpoints, and beyond organizational control.

Assessing risk and establishing controls to meet data protection obligations set by the Federal Reserve and the FFIEC, is nuanced and will vary according to the institution. However, examples of such controls include the deployment of a Data Loss Prevention solution to mitigate the risk of customer data being exfiltrated by employees. This should span all potential exit points; for email and messaging apps, cloud uploads, removable storage media, printers, etc.

Tighter regulations for protecting customer data

Financial institutions are among the most heavily regulated in the world. This is particularly true when it comes to cybersecurity, with a number of regulations in place to protect not only critical banking infrastructure from external attack, but also customer data.

The protection of this type of data – which spans everything from customer PII to financial records, credit card numbers, and banking details – has become increasingly important in recent years, with a number of high profile cases demonstrating the damage that a data leak can have on an organization, not only in the form of regulatory fines, but also brand damage, and business continuity.

Insider threats have changed the risk landscape

The risk landscape has shifted dramatically in recent years, with regulatory breaches occurring more frequently as a result of Insider Threats, and poorly-implemented security controls that allow for the mishandling of sensitive data from within the organization.

Unfortunately, such occurrences are not uncommon; not necessarily due to nefarious actions by employees, but simply because the collaborative nature of today’s IT infrastructures and workforce increases the potential for data to be shared across internal systems, employee endpoints, and beyond organizational control.

The role of the Federal Reserve in maintaining data protection standards

One of the organizations responsible for promoting effective cybersecurity practices in the U.S. is the Federal Reserve. It is responsible for supervising, monitoring, inspecting, and examining several thousand financial institutions to ensure that they comply with the necessary rules and regulations, including those published by the Federal Financial Institutions Examination Council (FFIEC), and that they operate in a safe and sound manner.

In 2021, the Federal Reserve further increased the requirements it places on financial institutions for safeguarding customer data by mandating section 501 of the Gramm-Leach-Bliley Act (GLBA). The mandate SR 01-15 (SUP) – Standards for Safeguarding Customer Information – requires institutions to establish controls relating to administrative, technical, and physical safeguards for customer records and information. The goal being not only to ensure the security and confidentiality of customer records and information, but to also protect against any anticipated threats and unauthorized access which could result in substantial harm or inconvenience to the customer.

Safeguarding customer data: Obligations, risk, and the role of Data Loss Prevention

Of course, establishing controls to meet this obligation, and assessing risk, is nuanced and will vary according to the institution. Like many Federal Reserve guidelines, the responsibility for compliance falls to the financial institution’s board of directors who should oversee efforts to develop, implement, and maintain an effective information security program that is built against a risk assessment that identifies foreseeable internal and external threats.

Examples of such controls include the deployment of a Data Loss Prevention solution to mitigate the risk of customer data being exfiltrated by employees. This layer of protection (which identifies common customer PII and PCI, etc) should span all potential exit points; for example:

  • Email and Messaging: Identifying and blocking customer information (either from within a file, or the body text of the message) from being shared through email clients, and enterprise messaging apps such as Slack and Microsoft Teams.
  • Cloud uploads: Preventing customer data from being uploaded to cloud storage services, particularly where the cloud storage service is connected to a personal account and not the organization’s own instance.
  • Removable storage media: Controls put in place to restrict the use of removable media, or restrict the type of data that can be copied to removable media. This not only includes devices such as USB flash drives, but also smartphones, or other storage devices that are either physically connected or attached via (e.g.) Bluetooth.
  • Printers: Printers are often overlooked, but remain a key area of risk for data exfiltration. Protection can be applied by either blocking access to local or networked printers, or by applying a content-aware DLP policy that inspects the file being sent to print for sensitive customer data.

What the Federal Financial Institutions Examination Council (FFIEC) says about data protection

As a regulator and supervisor of banks and financial institutions, the Federal Reserve is responsible for conducting examinations of the organizations it regulates to ensure compliance with applicable laws and regulations, including those of the Federal Financial Institutions Examination Council (FFIEC).

The FFIEC is an interagency body that is responsible for setting uniform principles and standards for the examination of financial institutions. There are five members, comprising the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).

Any institution that is governed by one of the five member agencies is subject to FFIEC rules; meaning its breadth spans not only the banking community under the watch of the Federal Reserve, but credit unions also. Failure to comply with FFIEC guidelines can result in fines and penalties.

The FFIEC provides a view of data protection requirements which it publishes in a series of “IT Handbooks.” These set the regulatory standards for banks and other financial institutions, and are used by federal examiners to determine if financial institutions are adequately identifying and managing the risks associated with banking infrastructure, electronic payments systems, IT auditing, and other intersections between finance and computer systems.

Within these handbooks, the “Information Security Booklet” is of particular interest to those organizations looking to meet their data privacy and customer data protection obligations. The following sections offer the clearest guidance:

FFIEC Information Security Booklet – II.C.13(a) Storage
This section outlines how organizations should govern the secure storage of all types of sensitive information, whether on computer systems, on physical media, or in hard-copy documents. It notes that data storage in portable devices, such as laptops, smart phones, tablets, and removable USB storage media, poses unique problems given that these devices may be lost, stolen, or subject to unauthorized and undetected use.

FFIEC Information Security Booklet – II.C.13(b) Electronic Transmission of Information
Electronic transmission of information can include e-mail, file transfer protocol (FTP), and, more commonly over the last few years, collaboration apps such as Slack or Microsoft Teams. It notes that management should implement appropriate controls or, if they are not available, restrict the type of information that can be transmitted through these channels.

FFIEC Information Security Booklet – II.C.13(e) Rogue or Shadow IT
Guidance recommends that organizations have policies explaining that employees should not, and are not authorized to, use unsanctioned or unapproved IT resources (e.g., online storage services, USB storage, and unapproved devices). Security awareness or information security training should include procedures for identifying and reporting shadow IT.

How Endpoint Protector is helping banks and financial institutions to safeguard customer data

Endpoint Protector by CoSoSys is the recognized leader in multi-OS Device Control and Data Loss Prevention (DLP) solutions, and is able to assist financial organizations in meeting many of the obligations set out by the FFIEC and Federal Reserve.

Controlling what employees connect to their endpoints
Endpoint Protector’s Device Control solution allows organizations to manage the use of USB drives and other portable storage devices connected to employee endpoints. This includes USB Flash drives, external HDDs, SD Cards, and even storage media connected via Bluetooth (e.g., smartphones).

It can also be used to control the use of printers – an often overlooked element when assessing potential egress points for sensitive data.

Connected devices, printers, and external storage media can be blocked at a company level, or controls put in place to allow access at group/team or individual level. Permissions can also be assigned only to approved storage media (e.g., IT approved USB drives). The solution even includes a File Shadowing feature that allows security administrators to monitor and report on all data transfers made to external storage at an individual employee level.

Controlling the type of data employees share
Endpoint Protector’s Active Data Defense solution is built to allow security teams to protect sensitive data from leaks and from being exfiltrated at the employee endpoint.

Precise control over the exfiltration or transfer of documents can be achieved at a company, group/team, or individual level, as well as content type. Content-level policies and controls can be built around defined confidential data, such as PII or Payment Card Information (PCI), or by custom policies to protect unique assets such as Intellectual Property (IP) or source code.

Protection spans potential exfiltration of data not only through hardware devices (i.e., USB drives, external HDDs, Bluetooth-connected devices, printers, and more), but also through software applications (e.g., email, Slack, file uploads to cloud services, etc) with the solution blocking any attempts to exfiltrate data beyond organizational control in real-time.

Endpoint Protector Advantages

  • Multi-OS – Endpoint Protector allows you to build policies to protect Windows, macOS, and Linux endpoints from a single admin console. This is vital for organizations that want to consolidate policy management and reduce the number of security platforms being maintained.
  • Protect offline activity – It’s important to remember that many cloud-based solutions don’t offer endpoint protection when the employee goes offline. Because Endpoint Protector uses a lightweight agent, policies remain in place regardless of the endpoint’s connectivity status or employee location. Any attempted policy violation is reported back to your administrators when connectivity to the endpoint is restored.
  • Deployment – Endpoint Protector can be deployed in multiple ways to meet any existing security and data compliance requirements that your organization might have in place. This includes on-premise / virtual appliances or cloud-based (either within your own cloud service or hosted by us).

To learn more about Endpoint Protector and how we’re helping banking and financial institutions to meet their cybersecurity goals and data compliance requirements, book a demo with one of our Data Loss Prevention solution experts.

Request your demo here.

Organizations are solely responsible for determining the appropriateness of using Endpoint Protector by CoSoSys to achieve their compliance obligations.

explainer-c_learning

Download our free ebook on
Data Loss Prevention Best Practices

Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.

In this article:

    Request Demo
    * Your privacy is important to us. Check out our Privacy Policy for more information.