This article was originally posted March 22, 2021

Any business providing financial services is effectively required to defend against phishing attacks, and to report cyber incidents that may have compromised client information. Navigating both the threat landscape and regulations regarding data security can be its own challenge, however.
The finance industry is one of the most targeted, often after the healthcare and public sectors, and the type of information that is passed between you, your employees and your clients will continue to make you a potentially lucrative victim. This article will discuss how to spot the red flags that accompany a business email compromise (BEC) attempt, prevent your critical systems and data from being phished, and ensure compliance with FINRA and other regulatory guidelines.
Here are the top reasons why financial services firms need phishing defense:
Why Financial Services Data Requires Phishing Defense
Any time money changes hands through, or is facilitated by, electronic or digital channels, there is a chance that hackers will try to take advantage of any security gaps in your attack surface. There are many ways hackers and cyber scammers can exploit this, from wire fraud to extortion.
Phishing is the first step many cybercriminals take toward a payoff, whether that is money stolen directly or access to your critical data. Once someone has clicked on a link, downloaded an infected file, or completed some other action the attacker designed to compromise access, the hackers have several options for monetizing their intrusion. The key moment is the point of entry – from there, they are able to do whatever they need to escalate the breach until it is too late to mitigate the damage.
Data Breach Regulations for Financial Institutions
Whether you work in a bank, advisory firm, or anywhere else in the financial services industry, you face a multitude of regulations dictating proper procedures and protocols for managing the data of your clients. One of the most important factors that unfortunately can be easy to miss is that the cybersecurity obligation in these rules may extend beyond the immediate language presented. Phishing itself is not always explicitly mentioned in all compliance guidelines, but it is inherently an avenue that must be guarded against to uphold the spirit of the law.
There are also several regulations that include mandatory breach reporting requirements as of 2025:
- The FTC Safeguards Rule requires notification within 30 days of discovering a breach affecting 500 or more consumers
- The Gramm-Leach-Bliley Act’s (GLBA) Privacy Rule creates additional notification obligations
- State-level laws like the New York Department of Financial Services (NYDFS) Cybersecurity Regulation mandate reporting within specific timeframes
Here is a quick overview of how these and other rules impact phishing defense or reporting compliance:
Gramm-Leach-Bliley Act (GLBA) and FTC Safeguards Rule
The GLBA requires financial institutions to protect customer nonpublic personal information (NPI) and honestly disclose data-sharing practices. The FTC Safeguards Rule, a key component of GLBA, mandates specific security controls including:
- Access controls limiting who can view customer information
- Multifactor authentication for accessing customer information
- Staff training to identify security threats including phishing
- Regular vulnerability assessments and penetration testing
- Written incident response plans
Phishing attacks directly threaten these requirements by attempting to steal credentials or trick employees into revealing customer information.
Sarbanes-Oxley Act (SOX)
While primarily focused on financial reporting accuracy, SOX includes cybersecurity components to ensure financial institutions address risks that could impact financial activity. Social engineering attacks, particularly phishing campaigns impersonating executives to initiate fraudulent transactions, are explicitly recognized as compliance threats under SOX.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS requires organizations that process payment card information to implement controls securing the processing, storage, and transfer of cardholder data. Phishing attacks targeting payment processing systems directly threaten PCI compliance and can result in penalties ranging from $5,000 to $100,000 per month.
Federal Financial Institutions Examination Council (FFIEC) Guidelines
The FFIEC provides uniform principles and standards for financial institutions, including comprehensive cybersecurity guidance. Its Information Security Handbook specifically addresses social engineering attacks and requires training and controls to mitigate phishing risks.
Hackers Know Which Emails Financial Services Firms Open
Everyone is inundated with electronic communications today, and it is easy to find arguments that we are overwhelmed by digital touchpoints. However, email is still the fastest and most cost-effective mode of correspondence, and it requires you to commit to the tedium of working through your inbox so that you do not miss an urgent, important message. If you are noticing a pattern emerge, then you are beginning to understand how hackers think – phishing at its core leverages social engineering to catch you when you are more likely to make an emotional decision.
The sophistication of cybercriminals varies tremendously, but even the competent ones get where they are by studying potential victims to understand their triggers, such as receiving a supposed update from FINRA. The best are those who can analyze individual targets in the finest detail and employ the right resources to catch them off guard so effectively that no one realizes until it is well past too late. The spam emails you have already received could have come from amateur hackers, or from professionals testing everyone in your firm to find the weakest link.
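The article promises to show how to spot the red flags of a business email compromise attempt. As an added example (not code from the original article or from SWK Technologies), the script below runs a handful of defender-side heuristics over a raw email: a display name that borrows a trusted brand while the address does not, a look-alike sender domain (edit distance of two or less from a trusted one), a Reply-To that silently redirects replies elsewhere, failed or missing SPF/DKIM/DMARC verdicts recorded by the gateway, and payment-pressure language in the subject or body. The trusted domain list, keyword list and both sample messages are constructed for illustration.

```python
"""Heuristic BEC red-flag checks on a raw RFC 5322 message.

Added example, not part of the original article. The trusted domains,
the phrase list and the sample messages are all constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed: domains the firm and its known counterparties send from.
TRUSTED_DOMAINS = {"example-financial.com", "finra.org"}

# Constructed: phrases typical of payment-diversion and urgency pretexts.
PAYMENT_PRESSURE = (
    "wire", "urgent", "immediately", "new bank details",
    "updated account", "confidential", "before end of day", "gift card",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike domains (e.g. a '1' for an 'l')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_red_flags(raw_message: str) -> list[tuple[str, str]]:
    """Return (kind, detail) pairs for every heuristic that fired.

    An empty list means nothing fired; it does not prove the message is
    safe, so pair this with DMARC enforcement, MFA and user training.
    """
    msg = message_from_string(raw_message, policy=default)
    flags: list[tuple[str, str]] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)

    # 1. Display name borrows a trusted brand that the address does not use.
    name_norm = from_name.lower().replace("-", " ")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in name_norm and from_domain != trusted:
            flags.append(("display-name", f"name references {trusted}, address is @{from_domain}"))

    # 2. Look-alike sender domain: close to, but not equal to, a trusted domain.
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(from_domain, trusted) <= 2:
                flags.append(("lookalike-domain", f"{from_domain} resembles {trusted}"))

    # 3. Replies are redirected to a domain other than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        flags.append(("reply-to-mismatch", f"Reply-To @{reply_domain} vs From @{from_domain}"))

    # 4. Authentication verdicts the receiving gateway recorded, if any.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("dmarc", "spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in ("fail", "softfail", "none"):
            flags.append(("auth", f"{mech}={m.group(1)}"))

    # 5. Urgency and payment-change language in subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [kw for kw in PAYMENT_PRESSURE if kw in text]
    if hits:
        flags.append(("pressure-language", ", ".join(hits)))
    return flags


# Constructed sample: a CFO-impersonation wire request.
SUSPICIOUS = """\
From: Example Financial CFO <j.doe@example-financia1.com>
Reply-To: j.doe@mail-relay.example.net
To: controller@example-financial.com
Subject: Urgent wire before end of day
Authentication-Results: mx.example-financial.com; spf=pass smtp.mailfrom=example-financia1.com; dkim=none; dmarc=none
Content-Type: text/plain; charset="utf-8"

Please wire $48,500 to the new bank details attached. Keep this confidential.
"""

# Constructed sample: an ordinary internal message.
BENIGN = """\
From: Jane Doe <j.doe@example-financial.com>
To: controller@example-financial.com
Subject: Q1 board deck
Authentication-Results: mx.example-financial.com; spf=pass; dkim=pass header.d=example-financial.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Attached is the deck for Thursday. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_red_flags(raw))
```

Each heuristic on its own is weak (a legitimate vendor may well ask for a wire before end of day), which is why the function reports every flag rather than a single verdict: a mail gateway or SOC rule can then treat two or more flags as grounds to quarantine the message or route it for out-of-band verification with the apparent sender, which is the control these rules ultimately point to.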
Cyber Insurance Coverage Requirements
On top of the regulatory requirements around phishing defense measures, cybersecurity insurance providers often impose similar obligations as a condition of coverage, or even of qualifying for benefits in the event of an incident. Many cyber insurance policies align with the same compliance needs, and liability coverage can carry higher premiums or be cancelled altogether if these are not met. This typically also extends to sufficiently demonstrating that steps have been or are being taken to defend your systems and data.
Where cyber liability policies may differ from regulations, however, is that these actions are often more explicitly required to qualify for full coverage or lower premiums. To successfully mitigate their risk, providers want to see that your firm is being proactive about potential cyber threats before they underwrite a policy.
Employees Are Your First and Last Line of Phishing Defense
Phishing is an unavoidable reality of modern cybersecurity, one of the many that compels you to adjust how you approach keeping your endpoints secure against threats both external and internal. To protect your valuable data, including critical client PII (personally identifiable information), you must empower the natural guardians of your network – your users.
Your employees are your first and last lines of defense against cyber attacks, especially methods like email compromise that rely on personal indiscretion as a stepping stone to exploiting an entire system. The consequences of phishing can be destructive, but the first stage to any successful attack is someone making a momentary mistake, whether from distraction, ignorance or any number of other factors that come into play every day.
How a Managed Service Provider Helps
Several regulations and cyber insurance policies actively require either validation by or direct engagement with a third-party managed service provider (MSP) to ensure compliance with certain guidelines. For other stipulations, working with a certified MSSP (managed security service provider) makes it easier to implement and maintain the required protections at scale. From providing expert consultation to helping your existing IT department perform critical maintenance or troubleshooting faster, having the right network support partner makes the difference when you need cost-effective solutions to the cybersecurity challenges of the finance industry.
Get Tailored Phishing Defense Training with SWK Technologies
Don’t let sophisticated phishing attacks compromise your firm’s sensitive data and put you at risk of costly regulatory violations. SWK Technologies, with our comprehensive managed security services and compliance expertise, will help you safeguard your business with security awareness training and other tailored cybersecurity solutions that satisfy requirements across various federal regulations and industry standards.
Contact SWK here to schedule your security assessment and discover how we can strengthen your defense against evolving phishing threats that can target your firm’s valuable data.