A Guide to Improving Cybersecurity for Finance Organizations

June 2024

Introduction
Data breaches cost more for the finance sector than they do for many other industries. According to IBM’s Cost of a Data Breach Report 2023, the average cost of a data breach for financial organizations amounted to $5.90 million. That’s second only to those in healthcare at $10.93 million.

Let’s take a closer look at what data breaches in the financial sector entail. In the 2024 Data Breach Investigations Report, Verizon recorded 3,348 incidents in the finance sector, 1,115 of which involved confirmed data disclosure. External actors made up approximately two thirds of the cyber threat actors (CTAs) responsible for those incidents. Motivated by financial gain, they compromised personal information three quarters of the time. They did so primarily using system intrusion, miscellaneous errors, and social engineering as their preferred attack patterns.

These findings highlight how several challenges complicate cybersecurity in finance organizations. For instance, as some of the most regulated businesses worldwide, financial organizations face significant responsibilities to prioritize their cybersecurity and data management in compliance with the Cyber Risk Institute (CRI) Profile v1.2, FFIEC-CAT, PCI DSS, and 23 NYCRR 500, among others. Financial institutions also must contend with a larger attack surface driven by open financial data sharing and hybrid work, outdated IT infrastructure, limited cybersecurity awareness and expertise, as well as the growing cost of digital fraud.

With these challenges in mind, finance organizations like yours face the obstacle of trying to address them all at once. Where do you start? How can you make the most of your time, money, and resources?

Fortunately, you don’t need to answer these questions alone. In this guide, we’ll discuss how you can use no-cost and cost-effective resources from the Center for Internet Security® (CIS®) to improve your financial organization’s cyber defenses.



Laying a Foundation with CIS Security Best Practices

As we discussed above, you need to implement effective security best practices so that you have a robust cyber defense posture in place. You also need to make sure you’re achieving your compliance objectives with multiple regulations, which oftentimes overlap with one another in that they require you to fulfill similar principles.

What you need is a set of security measures that you can use to progressively strengthen your cybersecurity and remove duplicate effort when it comes to meeting your compliance objectives.

This is where the CIS Critical Security Controls® (CIS Controls®) and the CIS Benchmarks™ can help. We’ll examine both in detail below.

The CIS Critical Security Controls

The CIS Controls are prioritized, prescriptive, simplified, and essential security actions you can implement to strengthen your cyber defenses against today’s common attack types. In fact, they’re proven to help mitigate common MITRE ATT&CK (sub-)techniques associated with today’s top common attack types, as shown in our CIS Community Defense Model v2.0. More specifically,

The CIS Controls can help your organization address risks confronting the financial sector, such as unauthorized access to customer accounts and financial data.

The Controls break down into Implementation Groups (IGs) to help you sequentially grow your cyber maturity. They start with essential cyber hygiene, as embodied in Implementation Group 1 (IG1). From there, they move on to more sophisticated defense techniques, as shown in Implementation Group 2 (IG2) and Implementation Group 3 (IG3).

The Controls counterbalance a lack of cybersecurity skills and/or expertise internally. A global community of IT and security experts develop the Controls via consensus. Each Control consists of multiple CIS Safeguards, which prescribe individual actions you can take to improve your cybersecurity posture. This removes the guesswork from building the foundations of an effective cyber defense program so that you can grow your cyber maturity regardless of your level of security expertise. What’s more, the Controls — which are free to download and implement — map to popular frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v2, helping you to meet your compliance objectives.

The CIS Benchmarks

CIS Control 4 involves securely configuring your enterprise assets and software. This Control includes Safeguards you can implement in a general sense, but those Safeguards don’t have specific recommendations for a specific asset or software you’re using. Nor could they. As a finance organization, your business requirements and technology landscape are evolving too quickly.

Fortunately, the CIS Benchmarks can help. They consist of secure configuration guidance for hardening 100+ technologies including desktops, mobile devices, and cloud environments across more than 25 product vendor families.

The value of the Benchmarks is that they explain specifically what you need to do to securely configure a piece of technology so you don’t have to guess. They help you prioritize security efforts based on industry best practices. This reduces human error and minimizes misconfigurations, thus shrinking your attack surface. Each CIS Benchmark also contextualizes each recommendation with its impact so that you can plan your system hardening efforts accordingly.

Like the Controls, the Benchmarks go through a community-driven consensus development process. In fact, they map back to the Controls, serving as a natural extension of your cyber defense program at the technology level. Additionally, they map to numerous frameworks, helping you to save time on your compliance objectives.

In fact, PCI DSS Requirement 2 references the CIS Benchmarks for security. Combined with the CIS Controls, the CIS Benchmarks can help with multiple aspects of PCI compliance, including firewall and router configurations, patch management, access control, and change control.

PCI DSS v4.0: A Case Study in Keeping Up With Cybersecurity Change for Finance

The CIS Controls and CIS Benchmarks can help your finance organization to lay a foundation for your cybersecurity and compliance objectives. The issue is change. The threat landscape keeps changing. Your business environment keeps changing. The regulatory environment keeps changing.

Let’s look at PCI DSS as an example.

The Shift from v3.2.1 to v4.0

PCI DSS v4.0 includes 64 new requirements covering the formal requirement of risk assessment, strengthened authentication controls (multi-factor and enhanced password complexity), software development lifecycle, automated mechanisms for audit log reviews, intrusion-detection/prevention techniques, and other areas. On March 31, 2024, 13 of those requirements went into effect. (PCI DSS 3.2.1 retired on that date, as well.) The remaining 51 new requirements are future-dated to enter into effect on March 31, 2025.

The most significant change introduced in PCI DSS 4.0 is the Customized Approach, which allows your finance organization greater flexibility in selecting methods and controls to manage risks associated with specific requirements.

Moving beyond the strict adherence to technical controls mandated by the traditional Defined Approach, the Customized Approach enables you to adopt innovative solutions tailored to your environment—provided you can document and demonstrate to a Qualified Security Assessor (QSA) that your chosen methods meet the stated requirement objectives. This approach offers adaptability but requires additional documentation and custom testing procedures by the QSA.

Organizations can use either the Defined Approach or the Customized Approach for each requirement depending on their specific needs and circumstances. Just make sure you discuss the Customized Approach with a QSA before implementation to ensure proper documentation and assessment.



Reflecting Change in the Financial Industry

The changes introduced in PCI DSS 4.0 reflect the need to build in and leverage processes to standardize your security controls. The 64 new requirements provide a threat-aware approach to managing your systems and data against the ever-changing landscape of cybersecurity threats, the availability of new defensive options, and the impact of new regulatory requirements. The Customized Approach in particular acknowledges this dynamic environment and provides you with the flexibility to adapt your security controls accordingly.

Take the addition of the Targeted Risk Analysis to Requirement 12 as an example. This Analysis is mandatory for organizations that choose to leverage the flexibility offered by the Customized Approach or for any PCI DSS control where the organization has discretion over the frequency of implementation. The Targeted Risk Analysis process evaluates factors that could contribute to the likelihood and/or impact of a threat to your assets. By conducting this Analysis, you can make informed decisions about which appropriate security measures to implement based upon your specific risk profile.

As another example, PCI DSS v4.0 emphasizes the importance of awareness and training of internal controls. It also identifies multitenant service providers, which reflects the changing reality of modern finance and the evolution of the security controls framework.

The Challenges of Complying with PCI DSS v4.0

Acknowledging the changes introduced by PCI DSS v4.0, the challenge or opportunity will be to enhance internal practices to address the new controls as well as the updated requirements. The emphasis on proactive approaches and complete awareness of data processing across your payment infrastructure in particular will certainly have implications for those meeting only the minimum requirements of compliance. If you’re a more mature organization engaged with building security programs, you will have some items to augment. Overall, however, you won’t face too many issues incorporating these security controls and updates into your program.

Indeed, while PCI DSS v4.0 introduces significant changes, the core process of achieving compliance remains largely similar to version v3.2.1. The following considerations can guide you to compliance with v4.0:

• If you have intricate and interconnected systems, you may find it a complex endeavor to determine the scope of PCI DSS compliance. You’ll need a comprehensive assessment of your cardholder data environment to identify the systems and processes that fall within the purview of PCI DSS 4.0.

• The implementation process for technical security measures outlined in PCI DSS 4.0 can be a demanding one. You must ensure that you’ve properly configured and effectively deployed encryption, firewalls, access controls, and other security technologies to protect cardholder data. Additionally, you must carefully evaluate whether to adopt the Defined or Customized Approach for each requirement, as this decision will impact your implementation process.



• If you’re in the process of transitioning to PCI DSS 4.0, you may need to make substantial changes to your existing security measures and processes. This can complicate the process of meeting compliance deadlines within the required timeframe, particularly if your infrastructure is complex. Furthermore, to achieve and maintain PCI DSS v4.0 compliance, you must invest significant financial resources and personnel, which can be a hurdle depending on your size and availability of resources.

• PCI DSS v4.0 compliance is not a one-time achievement but an ongoing process. Regular monitoring, updates, and continual assessments are necessary to maintain compliance and address new security threats as they emerge.

• You must be prepared to continuously adapt your security posture to remain compliant with the evolving PCI DSS standards and modern threats.

Continuous Monitoring in Practice

In your efforts to comply with PCI DSS v4.0, you might struggle to continuously monitor your security posture using the Controls and Benchmarks alone. The Benchmarks are PDF documents with hundreds of recommendations. At their core, they require you to manually harden your systems against their configuration guidance. You might not have the time or resources to invest in this manual effort, especially as your business scales.



CIS SecureSuite®: Meeting Change with Strategy

You can save time and money on implementing the Controls and Benchmarks with a CIS SecureSuite® Membership in your journey of continuous compliance and security improvement. It comes with benefits, tools, and resources to help you strategize your implementation plan and meet the requirements of PCI DSS v4.0, among other standards. Let’s take a look at a few of those benefits now.

CIS-CAT® Pro

The pro version of our CIS Configuration Assessment Tool (CIS-CAT Pro) enables you to run automated scans and identify gaps in your systems’ settings against the secure recommendations of the CIS Benchmarks. That way, you can quickly see which recommendations you’ve passed and failed, saving you time and money so that you can plan out future hardening tasks while tracking and addressing instances of configuration drift with your team.

CIS-CAT Pro also comes with a Dashboard component that graphically displays the impact of your hardening efforts over a recent period of time. You can use these results to track configuration drift so that you can stay on top of your compliance commitments as well as communicate the progress of your efforts to leadership.

CIS Build Kits

CIS Build Kits save you even more time on your system hardening efforts by enabling you to rapidly deploy secure configurations on your technologies in conformance to the Benchmarks, thus sparing you manual effort and reducing errors. They’re available as Group Policy Objects (GPOs) on Windows and shell scripts on Linux and Unix machines.

CIS CSAT Pro

The pro version of our Controls Self Assessment Tool (CIS CSAT Pro) enables you to track and prioritize your implementation of the CIS Controls. Your environment and security needs are unique to you. You can use CIS CSAT Pro to prioritize your implementation of CIS Controls and Safeguards based on your specific risk profile as well as track your progress toward your cyber maturity goals.

Toward that end, you can assign implementation tasks and roles to team members so that you collaborate on strengthening your cyber defenses. You can also use CIS CSAT Pro to monitor your alignment to frameworks like PCI DSS and collect evidence for upcoming audits.



Finance Cybersecurity as a Journey

As a financial organization, you face complicated cybersecurity challenges, including outdated IT infrastructure, the need to meet stringent regulations, an ever-increasing attack surface, and the growing cost of digital identity fraud.

To address these challenges, you need to build a stronger security posture, save time and resources, and achieve compliance with industry regulations. You can do this by maintaining a process that incorporates security controls, compliance, and monitoring.

Through CIS SecureSuite Membership, you can receive access to tools through which you can prioritize your implementation of security best practices, run automated scans of your systems’ settings, and rapidly deploy secure configurations. Together, these tools are designed to increase your overall cyber hygiene and provide the impetus for maturing your information security program. Start Secure. Stay Secure.® with CIS SecureSuite.



About the Authors

Sean Atkinson, Chief Information Security Officer

Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe. Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014, and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.

Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certifications in the IT arena.

In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.

Phil White, Director of Benchmarks

Phil’s journey in the tech industry began when he obtained a Bachelor of Science degree in Electrical and Computer Engineering from Wayne State University. Later he earned a Master of Science in Computer Science from Union College, further solidifying his expertise in the field. Early in his career he worked for IBM, where he contributed significantly to the development and implementation of automated manufacturing systems. His skills caught the attention of various industries, leading him to venture into Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and E911 product development and deployment. Over the past 12+ years, he has focused on offensive and defensive cybersecurity strategies. His dedication to product development and cybersecurity innovation has resulted in four issued patents.

Phil’s passion for improving the security of individuals and organizations alike has become a driving force in his career. He has earned considerable recognition for his knowledge and commitment to the industry, including an invitation to serve as the CIS representative on the Board of Advisors for the PCI Security Standards Council. This role allows him to contribute his insights to the development and maintenance of security standards for the payment card industry, further reinforcing his commitment to protecting businesses and consumers from potential cyber risks.



The Center for Internet Security, Inc. (CIS®) makes the connected
world a safer place for people, businesses, and governments
through our core competencies of collaboration and innovation.
We are a community-driven nonprofit, responsible for the
CIS Critical Security Controls® and CIS Benchmarks™, globally
recognized best practices for securing IT systems and data.
We lead a global community of IT professionals to continuously
evolve these standards and provide products and services
to proactively safeguard against emerging threats. Our CIS
Hardened Images® provide secure, on-demand, scalable
computing environments in the cloud.

CIS is home to the Multi-State Information Sharing and
Analysis Center® (MS-ISAC®), the trusted resource for cyber
threat prevention, protection, response, and recovery for U.S.
State, Local, Tribal, and Territorial government entities, and
the Elections Infrastructure Information Sharing and Analysis
Center® (EI-ISAC®), which supports the rapidly changing
cybersecurity needs of U.S. election offices.

cisecurity.org
518-266-3460
Center for Internet Security
@CISecurity
TheCISecurity
cisecurity
