WHITE PAPER
HOW I.T. HELPS
FINANCIAL FIRMS
MEET REGULATORY
MANDATES
The right solutions and services can help capital
markets firms navigate the compliance minefield.
EXECUTIVE SUMMARY
Regulatory compliance is a major consideration in any capital
market firm’s cybersecurity strategy. Not only will financial
institutions lose the trust of their customers in the event of a
data breach, but they also operate within a framework of
stringent regulations that govern how they must manage
data. Keeping up with these regulatory demands is a major
challenge — especially for smaller firms that lack the
resources of their larger competitors — and running afoul of
the rules can bring stiff penalties, even when customer
financial data hasn’t been exposed.
The strategic deployment of key technologies and services
can help ease this burden, allowing institutions to focus more
attention on their core business. A trusted partner can help
capital markets firms make sure they are meeting all of the
mandates of the regulations that govern them. Technology
solutions can also bolster compliance efforts while improving
security as well.
FINANCIAL COMPLIANCE
CDW.COM/SECURITY | 888.706.4239
A Minefield of Compliance Issues
2
institutions to keep records of cash purchases
Financial institutions face a patchwork of
of negotiable instruments, to file reports of cash
various regulations with which they must
transactions exceeding $10,000 per day and to
comply. Some of the most significant include:
report actions that point to criminal activity.
Gramm-Leach-Bliley Act: This 1999 law
SEA Rule 17a-4: Rule 17a-4 of the Securities
requires financial institutions to safeguard
Exchange Act of 1934 specifies the manner in which
information such as account numbers, credit
broker-dealers must create and maintain a number of
and income histories, and Social Security
different records, including trade blotters, asset and
numbers. Organizations must take several
liability ledgers, income ledgers, customer account
The percentage of financial
steps to ensure compliance, including
ledgers, securities records, order tickets, trade
services firms that cite
cyber risk as a top-five risk
identifying and assessing the risks to
confirmations, trial balances and employment-related
to the broader economy.1
customer information in each relevant area
documents. The rule was updated in 1997 to allow firms
of the company’s operations. The measure
to store records electronically. Certain records must
also requires capital markets firms to provide
be stored for a minimum of six years, with the records
customers with privacy notices that explain their informationkept in “an easily accessible place” for the first two of those years.
sharing practices.
Dodd-Frank Act: Passed in the wake of the 2008 financial
Services to Help Manage
industry collapse, and primarily meant to lower overall risk in the
the Regulatory Burden
sector, this 2010 legislation also requires financial institutions to
With so many different regulations to manage, many financial
share confidential data with regulatory agencies. Some observers
institutions turn to trusted IT partners like CDW to provide
have also expressed concerns that the law’s expansion of
security and compliance services. These services include:
whistleblower rewards, and provisions to grant consumers broader
Penetration testing: In a penetration test, security experts
access to their information, could weaken information security.
assume the role of hacker, running creative, in-depth analyses
USA PATRIOT Act: This landmark 2001 antiterrorism law
to determine whether security controls are operating as
requires that all financial institutions implement a Customer
intended. By attempting to gain access to corporate resources,
Identification Program. To comply, capital markets firms and
these experts are able to find holes and weaknesses within an
brokerages must verify the identity of any person seeking
organization’s cybersecurity infrastructure, providing valuable
to open an account, and maintain records of that verification
information about vulnerabilities before malicious actors can
process for five years after the account is closed.
exploit them. CDW’s experts then use the information gleaned
Bank Secrecy Act: This 1970 law (formally, the “Currency
from the test to craft customized and prioritized cybersecurity
and Foreign Transactions Reporting Act”) requires financial
roadmaps that shore up weaknesses and protect IT systems
and assets. Often, the results of a penetration test help convince
previously hesitant stakeholders within an organization (usually
those outside of the IT department) that further investments in
Compliance vs. Security
cybersecurity are warranted.
NIST assessments: The National Institute of Standards and
Security and regulatory compliance are
Technology (NIST) has established a Cybersecurity Framework
both top concerns for capital markets
for federal agencies to follow. The guidance for agencies
firms. In its “Capital Markets 2020” report,
applies to capital markets firms as well as brokerages. During
PricewaterhouseCoopers found that 19 percent
a NIST assessment, CDW places cybersecurity experts onsite
of firms say that regulatory compliance will be one of their
at an organization to gather in-depth information about the
top three challenges through 2020. Similarly, 19 percent cited
enterprise’s existing practices. These experts speak with
increasing cyberthreats as a major challenge.
representatives from various company departments, such
Still, as many IT professionals at these firms already know, mere
as human resources and payroll, to better understand the
compliance is not enough.
organization’s IT processes, policies and other safeguards
“You can bamboozle an auditor with a policy that nobody knows,
(such as employee background checks) that may or may not
but that doesn’t really help,” says Mark Lachniet, a CDW security
be in place. From these conversations, CDW can determine the
solutions manager. “Or, a compliance checklist might include an
greatest sources of cybersecurity risk. Then, CDW’s experts
intrusion prevention system that a lot of people have built into
create a list of recommendations, ranking each solution by what
their firewall, but it’s never been properly configured, and nobody
it will cost the organization and how much of a security gain it
monitors it.”
represents; this helps reduce cybersecurity risk in the most
targeted and cost-effective manner possible.
In short, solutions that are adequate for passing a compliance
Configuration services: When financial institutions bring in a
audit may not be sufficient to keep an organization’s information
partner such as CDW to configure new hardware and software
safe. “Compliance does not equal security,” Lachniet says.
— or to check on the configuration of existing solutions — they
can be confident that they are taking advantage of all the
70%
SOURCE: 1 Depository Trust & Clearing Corporation, “Systemic Risk Barometer,” December 2015
FINANCIAL COMPLIANCE
CDW.COM/SECURITY | 888.706.4239
3
cybersecurity features these tools have
These include:
to offer, and that these systems are not
Wireless security and management: With users
exposing them to unnecessary vulnerabilities.
routinely bringing two or more personal devices
Configuration services are helpful for
into work with them, it is crucial that capital markets
optimizing the cybersecurity performance of
firms and brokerages deploy sophisticated tools that
firewalls, network switches, databases and
give them visibility and control over their wireless
other IT tools and systems.
networks. (Some users have even been known
Managed services: Especially in complex
to bring wireless routers into the office to create
environments such as capital markets firms
their own mobile hotspots.) In addition to giving
The percentage of
and brokerages, cybersecurity is not merely a
IT managers real-time visibility into their wireless
security incidents at
financial institutions for
matter of deploying the right tools and letting
networks, cloud-based wireless management
which current and former
them run. Experienced IT professionals must
platforms speed up deployment and allow financial
2
employees are responsible.
also constantly monitor these solutions,
institutions to quickly scale up their networks as they
watching carefully for any anomalous activity
grow or merge with other organizations.
and taking appropriate action when a threat is detected. Smaller
Anti-virus/anti-malware software: While virtually all financial
organizations, in particular, often lack the staff resources to
institutions run anti-virus and anti-malware tools in their IT
appropriately monitor and maintain cybersecurity tools, and
environments, many do not take full advantage of the features that
therefore may choose to outsource these services to a partner
these tools offer. In some cases, organizations activate no more
with the expertise to keep the organization safe.
than 20 or 30 percent of optional features, missing out on benefits
Phishing and ransomware services: The number and
such as desktop firewalls, host-based intrusion prevention
sophistication of phishing attempts have increased in recent
systems and tools that send alerts when potential threats are
years. Further, research conducted by information security
detected. Organizations can also improve the performance of
provider Phishme indicates that 93 percent of phishing emails
their anti-virus and anti-malware tools by investing in “upstream”
contain ransomware. Security providers can help capital markets
solutions, such as next-generation firewalls, web gateways, and
firms address these threats through services such as phishing
cloud-enabled malware inspection and sandboxing tools that
intelligence and advanced user training.
reduce the burden on endpoint protection software.
Incident response: No matter how carefully capital markets
Data storage and encryption: Like all organizations, capital
firms work to protect their IT assets, breaches can still happen.
markets firms, brokerages and other financial institutions
When they do, it is important for these institutions to respond
must consider three factors when architecting data storage
quickly and strategically, not only to root out the cause of the
solutions components: confidentiality, integrity and availability.
problem and prevent further damage, but also to fulfill their
Confidentiality requires that data be made available only to
obligations to notify account holders of the breach and to
authorized users, while integrity refers to the need to maintain
preserve evidence. CDW works with partners that specialize in
consistency, accuracy and trustworthiness over the lifecycle
cybersecurity forensics and can help institutions rebound from
of the data. Availability simply means that data can be accessed
incidents as quickly as possible. CDW’s experts can also help
when and where it is needed. Each of these three components
organizations implement disaster recovery solutions.
is crucial to both cybersecurity and regulatory compliance.
Additionally, regulations require that certain types of data be
The Technology of Compliance
encrypted while in storage, while in transit or both.
A number of IT solutions are either mandated by regulations or
Authentication and access management: Sophisticated
can help financial institutions meet their compliance demands.
access management tools allow financial firms to operate
64%
The Growing Need for HPC in Security and Compliance
The use of high-performance computing (HPC) for security and
compliance has generally been limited to the biggest financial
institutions, because they have the resources necessary to
implement this technology. However, these solutions are
becoming more mainstream, and capital markets firms are
likely to consider adopting them over the next decade.
Here are three ways HPC can improve cybersecurity:
Real-time traffic monitoring: By simultaneously monitoring
thousands of entry points on IT networks, HPC solutions can
detect anomalies and shut down attacks before they inflict
extensive damage.
Advanced fraud detection: Through real-time
monitoring and analysis of millions of payment
card transactions, HPC systems can detect
suspicious patterns, and can also prevent legitimate
transactions from being flagged as fraudulent.
Past intrusion identification: In addition to monitoring
current activity, HPC tools can be used to explore
past intrusions, giving organizations information on
how hackers have circumvented their existing
cybersecurity solutions.
SOURCE: 2PricewaterhouseCoopers, “The Global State of Information Security Survey 2016,” October 2015
FINANCIAL COMPLIANCE
CDW.COM/SECURITY | 888.706.4239
according to “the principle of least privilege,” meaning users are
able to access only the systems, resources and data that they
need to do their jobs, and no more. Authentication and access
management tools make it simple for organizations to grant
access by identity and user role, and can prohibit noncompliant
devices from assessing critical applications. In addition, the
auditing features of such solutions allow organizations to track
who has accessed resources and when, providing valuable
information in the event of a data breach.
Data loss prevention (DLP) solutions: DLP tools can track
and protect data wherever it travels on an enterprise network
CDW: A Financial Industry Partner That Gets IT
For nearly 30 years, CDW has helped more than 15,000 banks,
credit unions, capital markets firms and specialty financial
services companies assess and improve their IT infrastructure.
CDW’s partnerships with leading IT manufacturers give these
financial institutions access to the industry’s leading technology,
and CDW’s solutions experts have the knowledge and
experience to help organizations choose the right security tools
and create a customized regulatory compliance plan.
— on desktops, mobile devices, storage, file-sharing, email and
even in the cloud. To get the full benefit of these powerful tools,
organizations must focus not only on the technology, but also
on the people and processes surrounding the solution. The
team assigned to monitor DLP tools must know what sorts of
incidents they are watching for, and team members must have
the authority to make decisions and take action when an incident
occurs. With a thorough risk assessment and an understanding
of a company’s business processes, IT managers can deploy
DLP tools in a targeted manner so that they protect the most
sensitive data in the enterprise.
The CDW approach to customer
service includes:
o learn more about how CDW solutions
T
and services can help capital markets
firms secure their systems and data,
visit CDW.com/security.
DISCOVER
An initial discovery session to understand
your goals, requirements and budget
ASSESS
An assessment of your existing environment
and definition of project requirements
EVALUATE
Detailed manufacturer evaluations,
recommendations, future environment
design and proof-of-concept
DEPLOY
Procurement, configuration and deployment
of a security solution
SUPPORT
Ongoing product lifecycle support
You
CDW
Tenable SecurityCenter Continuous View™
(SecurityCenter CV™) lets you see into the
shadows. SecurityCenter CV delivers total
visibility of known and unknown assets
on your network. Tenable’s passive traffic
and event monitoring tools detect devices,
services and applications in use, and identify
associated vulnerabilities so you can quickly
and easily determine your relative risk and
exposure. With Tenable, bring shadow IT into
the light so it’s not a risk to your organization.
4
Zscaler ® protects your employees from
malware, viruses, advanced persistent
threats and other risks, and can also stop
inadvertent or malicious leaks of your
company's sensitive data. Our security
services scan and filter every byte of your
network traffic, including SSL-encrypted
sessions, as it passes to and from the Internet.
Give your executives instant insight into
threats and get real-time recommendations
on how to improve your security posture.
The information is provided for informational purposes. It is believed to be accurate but could contain errors. CDW does not intend
to make any warranties, express or implied, about the products, services, or information that is discussed. CDW®, CDW•G ® and
PEOPLE WHO GET IT ™ are registered trademarks of CDW LLC.
All other trademarks and registered trademarks are the sole property of their respective owners.
Together we strive for perfection. ISO 9001:2000 certified
MKT11697— 7/1 — ©2016 CDW LLC
The Trend Micro™ Smart
Protection™ Suites provide
better, simpler, more flexible
security. This connected suite
delivers the best protection
at multiple layers using the
broadest range of antimalware techniques available.