The massive digital transformation of the global financial system and customer demands for ubiquitous transactions make financial institutions prime targets for cyberattacks. The breadth of cyber risks and threats runs the gamut, but the mobile banking applications and payments now pervasively used are a particularly fast-growing target. The sensitive personal information transacted through mobile devices greatly increases the risk of endpoint attacks. 

Thus, financial institutions face a growing list of cybersecurity and data privacy regulations designed to protect customers’ information and assets. For instance, since May 2022 the U.S. federal banking agencies (the Federal Reserve, OCC and FDIC) have required banking organizations to notify their primary federal regulator within 36 hours of determining that a computer-security incident has materially disrupted, or is reasonably likely to disrupt, their operations or the stability of the U.S. financial sector. The New York State Department of Financial Services’ Cybersecurity Regulation (23 NYCRR 500) requires DFS-licensed financial services institutions, including New York branches and agencies of non-U.S. banks, to assess their cybersecurity risk and maintain a cybersecurity program that addresses it. 

Verimatrix Extended Threat Defense (XTD), App Shield, Code Shield, and Key Shield protection solutions help banking and financial services organizations comply with the breadth of regulations, leveraging leading industry frameworks and standards that guide best data protection practices. The following is a list of leading United States and European cybersecurity regulations that are particularly relevant for banking and financial institutions to address and how Verimatrix can help support those efforts:

General Data Protection Regulation (GDPR) – EU & some non-EU entities

The General Data Protection Regulation applies to organizations established in the EU and to non-EU organizations that offer goods or services to, or monitor the behaviour of, people in the EU (data subjects, not only EU citizens). It is widely considered the strictest privacy and security law in the world. In force since 25 May 2018, it establishes specific obligations for how personal data is collected and processed. 

The law responds in large part to the scale at which people now hand personal data to online and cloud service providers. Of particular relevance to mobile apps is Article 25, Data protection by design and by default, under which controllers must build privacy into new applications, systems, or processes that use personal data rather than bolt it on afterwards. Article 32, Security of processing, requires controllers and processors (and, in practice, the developers building their apps) to implement technical and organizational measures appropriate to the risk, including the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and to protect against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.

Data Protection Act of 2018 (DPA) – United Kingdom

The Data Protection Act 2018 (DPA) is the UK’s domestic data protection law and, since the UK left the EU, sits alongside the UK GDPR. It controls how personal data is used by organizations, businesses, and government, setting data protection principles that require personal data be used only for specified, explicit purposes; be adequate, relevant, and limited to what is necessary; be accurate and kept up to date; and be handled in a way that ensures appropriate security. 

The DPA requires organizations to inform customers about their data handling practices and provide a way for customers to access and delete their data. It also sets out requirements for handling data breaches, preventing unauthorized access, and ensuring secure data disposal.

EU Cybersecurity Act – EU

The EU Cybersecurity Act (Regulation (EU) 2019/881) establishes an EU-wide cybersecurity certification framework for information and communication technology (ICT) products, services, and processes, replacing a patchwork of national schemes with certificates recognized across member states. Certification under the framework is voluntary unless other EU law makes it mandatory. Note that the obligations on all “products with digital elements” (secure-by-design development, vulnerability handling, and security updates across a product’s lifecycle) come from the separate Cyber Resilience Act discussed below, not from the Cybersecurity Act. 

The Act also grants a permanent mandate and increased resources to the European Union Agency for Cybersecurity (ENISA), which prepares the candidate certification schemes. The framework’s security objectives include that certified products be secure by default, that their software be kept up to date through secure update mechanisms, and that known vulnerabilities are addressed.

Gramm Leach Bliley Act – United States

The Gramm-Leach-Bliley Act (GLBA), enacted by Congress in 1999 and implemented through rules issued by the Federal Trade Commission and the federal financial regulators, requires financial institutions to protect the privacy and security of consumers’ non-public personal financial information and regulates how that information is collected, used, and disclosed. Its Safeguards Rule (16 CFR Part 314) requires a written information security program based on a risk assessment; the 2021 amendments to the rule add specific controls such as encryption of customer information in transit and at rest and multi-factor authentication for anyone accessing customer information, both directly relevant to mobile banking apps and the backends they talk to.

Network and Information Systems Directive 2 (NIS2) – EU

Widening the scope of the original 2016 Network and Information Systems Directive (the first EU-wide cybersecurity law), NIS2 had to be transposed into member states’ national law by 17 October 2024. It is intended to raise cybersecurity and resilience across the EU through common risk management and incident reporting obligations for “essential” and “important” entities, a category that includes banking and financial market infrastructure. 

It mandates that entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems that those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.

Payment Services Directive 2 (PSD2) – EU

The Payment Services Directive 2 (PSD2) requires payment service providers to contribute to a more integrated, secure, and efficient payment ecosystem. Beyond the first Payment Services Directive, PSD2 mandates strong customer authentication (SCA) for electronic payments: at least two independent factors drawn from knowledge (something the user knows), possession (something the user has), and inherence (something the user is). It also requires banks and other account-servicing institutions to give licensed third-party payment service providers access to consumer bank accounts when the account holder has given consent. 

For mobile banking apps, the relevant requirements come from the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) that supplement PSD2. Article 9 of the RTS requires the authentication elements to be independent of each other; where both elements run on a single multi-purpose device such as a phone, Article 9(3) requires mitigating measures such as separate secure execution environments and mechanisms to ensure that the software or device has not been altered by the payer or a third party. In practice this means the app must defend itself against known and, as far as possible, previously unknown attacks on the device it runs on.

Verimatrix XTD provides continuous monitoring of app and device telemetry, with AI/ML models that evolve to identify new and previously unknown attacks against mobile apps. Verimatrix also supports Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) requirements while providing protection against man-in-the-middle (MITM) attacks.

Cyber Resilience Act (CRA) – EU

(Legislation pending as of late 2023)

On December 3, 2023, the European Parliament and the EU Council reached a political agreement on the Cyber Resilience Act (CRA). Subject to formal adoption by both bodies, the CRA enters into force 20 days after its publication in the Official Journal of the European Union, with most obligations applying after a transition period.

The CRA’s intent is to set common security requirements for connected hardware and software products, making it the first EU-wide legislation to impose horizontal cybersecurity obligations on such products. The goal of the Act is to ensure more secure hardware and software, which are increasingly the target of successful cyberattacks. This covers a breadth of mobile and IoT devices, many of which depend on applications to be useful. 

The CRA is intended to overcome a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them; and an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. 

Verimatrix protects mobile apps and the connected devices they run on, whether managed employee devices or the far larger population of unmanaged customer devices. Verimatrix XTD (Extended Threat Defense) extends these defenses to that unmanaged endpoint by preventing apps from being weaponized against the enterprise. XTD can be configured so that only apps reporting a low XTD risk score are allowed to connect to the backend, adding an independent signal alongside user authentication.

U.S. state-level data privacy regulations

There is no national data privacy law in the United States. However, several individual states have passed their own regulations imposing privacy obligations on entities handling the data of each state’s residents. Below is a list of existing state regulations:

Given the risks associated with the widespread use of mobile applications that are now an integral part of financial institutions’ service delivery and business models, these organizations need trustworthy, military-strength yet simple-to-adopt solutions that ease the burden of compliance so they can focus on priority business concerns.

Protection against man-in-the-middle (MITM) attacks

Verimatrix application shielding technologies and continuous monitoring service help safeguard information and reduce the risk of a breach, particularly from man-in-the-middle (MITM) attacks. The channel between a device and the backend servers is a natural attack surface: an attacker who controls the network, a proxy, or the device’s own TLS trust store can position themselves between the app and the server. Protecting client-to-server communication is therefore key to safeguarding valuable data.

Man-in-the-middle attacks occur when an attacker inserts themselves into the communication path. The customer assumes they are interacting directly with the intended component or service, but the attacker “in the middle” is eavesdropping on the traffic or altering it to their benefit. 

For a mobile banking application, communication protection is a combination of industry-standard Transport Layer Security (TLS) and bespoke application-layer security. TLS alone is not enough on a device the attacker controls: on a rooted or jailbroken phone they can install their own CA certificate, hook the TLS library, or attach a debugger, and then read or modify traffic after it has been decrypted. The application layer is only as strong as the secrecy of its keys and the obscurity of its protocol: by analyzing the app, an attacker can reverse engineer the protocol and recover the cryptographic keys used to secure it. The communication protocol is fundamental for any mobile financial service (MFS); once an attacker understands how it works, they can discover and exploit its weaknesses. The Verimatrix shielding and monitoring service, together with its anti-debug, anti-tamper, and anti-hook technologies, significantly reduces the chance of these types of attacks.
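The exchange described above, as an added example that is not part of the original page and not Verimatrix code: a minimal application-layer integrity scheme of the kind that rides on top of TLS, showing what a man-in-the-middle can and cannot do without the app’s key, and that once the key has been reverse engineered out of the client the scheme offers no protection at all. The key value, message field names, and account placeholders are constructed for the example.

```python
"""Application-layer request authentication on top of TLS, and what an
attacker gains by extracting the key from the app.

Constructed example (not Verimatrix code); the key, field names and the
account placeholders are invented for illustration.
"""
import hashlib
import hmac
import json
import os
import time

# Constructed example key. In a shipped app this is the secret a reverse
# engineer hunts for; its secrecy is the entire strength of the scheme.
APP_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"
)


def canonical(body, ts, nonce):
    """Deterministic encoding of what is authenticated: the request body
    plus a timestamp and a nonce, so the tag is bound to one request."""
    return json.dumps({"body": body, "ts": ts, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode()


def client_sign(key, body, ts=None, nonce=None):
    """What the app does before sending a request over TLS."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(12).hex() if nonce is None else nonce
    tag = hmac.new(key, canonical(body, ts, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "ts": ts, "nonce": nonce, "tag": tag}


class Server:
    """Backend verifier: checks freshness, then the HMAC tag, then replay."""

    def __init__(self, key, max_skew=60):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = set()

    def verify(self, msg, now=None):
        now = int(time.time()) if now is None else now
        if abs(now - msg["ts"]) > self.max_skew:
            return "stale"
        expected = hmac.new(self.key,
                            canonical(msg["body"], msg["ts"], msg["nonce"]),
                            hashlib.sha256).hexdigest()
        # Constant-time compare; check the tag before touching the nonce set
        # so unauthenticated traffic cannot pollute it.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad_tag"
        if msg["nonce"] in self.seen_nonces:
            return "replay"
        self.seen_nonces.add(msg["nonce"])
        return "ok"


def demo():
    """Walk through the cases a MITM can produce and return each verdict."""
    server = Server(APP_KEY)
    now = 1_700_000_000  # fixed clock so the run is reproducible
    payment = {"to": "IBAN-CUSTOMER", "amount": 10}
    genuine = client_sign(APP_KEY, payment, ts=now, nonce="n1")
    results = {"genuine": server.verify(genuine, now)}

    # MITM without the key edits payee and amount in transit: tag no longer matches.
    tampered = dict(genuine, body={"to": "IBAN-ATTACKER", "amount": 9000})
    results["tampered"] = server.verify(tampered, now)

    # MITM replays the captured genuine request: tag is valid, nonce already used.
    results["replay"] = server.verify(genuine, now)

    # An old capture sent an hour later is rejected by the timestamp window.
    old = client_sign(APP_KEY, payment, ts=now - 3600, nonce="n3")
    results["stale"] = server.verify(old, now)

    # MITM who reverse engineered the app and extracted APP_KEY simply re-signs;
    # the server cannot tell this from a genuine request.
    forged = client_sign(APP_KEY, {"to": "IBAN-ATTACKER", "amount": 9000},
                         ts=now, nonce="n2")
    results["forged_with_extracted_key"] = server.verify(forged, now)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The last case is the one that matters on this page: a bespoke application layer adds to TLS only while the key stays out of the attacker’s hands. A static key compiled into the app is recoverable with a debugger or by hooking the signing function, which is why the anti-debug, anti-hook, and key-protection measures described here are part of the defense rather than an optional extra. A production design would also derive per-session keys instead of relying on one long-lived secret, so that extracting a key from one device does not forge traffic for every user.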

Verimatrix provides comprehensive security via multi-layered solutions that offer:

  • Code obfuscation, anti-tamper and anti-reverse engineering shields to make it difficult and unappealing to hack an application
  • Runtime app behavior analytics to detect abnormal activities
  • Machine learning models to identify known and zero-day threat patterns

Additionally, continuous application threat monitoring is a vital component of protection, enabling a financial institution to gain important intelligence and effectively deploy countermeasures. Verimatrix threat monitoring includes:

  • Real-time analysis of app stores to identify repackaged or trojanized apps
  • Monitoring developer accounts for unauthorized modifications
  • Tracking dark web forums for emerging attack tools and methods
  • Maintaining databases of known malicious IP addresses, domains and device IDs
  • Identifying anomaly patterns indicative of a breach

This enables security teams to recognize threatening activities, compromised devices, and high-risk users early before major damage occurs. Analytics from threat monitoring also strengthen machine learning models to better anticipate future attacks. 