Comparison of Kazakh law and U.S. law

One of the main problems disrupting cybersecurity compliance in the financial sector is the sheer volume of different security standards and the significant overlaps between them – an expected problem for the most heavily regulated of all industries.

This can be resolved by only focusing on regulations that are mandatory for financial organizations, and avoiding those that are optional.

The benefit of still implementing optional regulatory standards is that the addition of their security controls could further decrease cybersecurity risks.

However, this effort is usually counter-productive because of the overlap in security controls between mandatory and optional standards.

Cyber risks include:

— theft of funds of clients of financial organizations due to violation of security requirements when using mobile banking applications,

— loss of funds in financial institutions due to poorly organized information security processes of their own business processes and information systems,

— violation of the reliability and continuity of the provision of financial services, arising from a poorly organized process of ensuring business continuity on the side of financial organizations,

— the development of systemic risks due to cyberattacks aimed at systemically important financial institutions and their supporting infrastructure services.

KZ regulation of financial services security

State bodies involved into regulation of financial services security

  1. National Coordination Centre for Information Security

In accordance with the Law of the Republic of Kazakhstan “On informatization”, JSC “State technical service” acts as National Coordination Center for Information Security.

NCCIS involves:

  1. KZ-CERT Computer Emergency Response Team is the single centre for national information systems users and Internet segment providing collection and analysis of security incidents reports as well as consultative and technical assistance to users in prevention of cyberthreats.
  1. Monitoring of information security events of informatization objects of state bodies
  1. Monitoring of ensuring information security of informatization objects of “electronic government”
  2. The Agency of the Republic of Kazakhstan for Regulation and Development of Financial Market

One of the agency’s areas of responsibility is information security.

Legal regulation of financial services security

1

Concept of the cyber security “Cyber Shield Kazakhstan” was issued in 2017. Purpose of the Concept is achievement and maintenance of security level of electronic information resources, information systems, information and communication infrastructure from external and internal threats providing sustainable development of the Republic of Kazakhstan under the conditions of global competitiveness

2

Law of the Republic of Kazakhstan dated 24 November 2015 № 418-V on informatization regulates public relations in the field of informatization arising in the territory of the Republic of Kazakhstan between state bodies, individuals and legal entities in creation, development and operation of informatization facilities, as well as with state support for the development of information and communication technologies industry.

3

Law of the Republic of Kazakhstan dated 4 July, 2003 No. 474 on the State Regulation, Control and Supervision of the Financial Market and Financial Organizations regulates the public relations, related with carrying out of the state regulation, control and supervision of financial market and financial organizations, and directs to increasing of stability of financial system of the Republic of Kazakhstan and creation conditions on prevention of violation of rights and legal interests of consumers of financial services.

4

Law of the Republic of Kazakhstan dated 21 May, 2013 No. 94-V on Personal Data and their Protection regulates the public relations in the scope of personal data, as well as determines the purpose, principles and legal bases of activity, related with collection, processing and protection of personal data.

Uniform requirements in the field of information and communication technologies and information security, task of Uniform Requirements:

a) the establishment of requirements for the structuring of the information and communication infrastructure and the organization of server rooms;

b) establishment of the obligation to apply the recommendations of standards in the field of information and communication technologies and information security at all stages of the life cycle of objects of informatization;

c) increasing the level of security of state and non-state electronic information resources, software, information systems and the information and communication infrastructure supporting them.

5

Appendix 1 to the decision of the Board National Bank Republic of Kazakhstan dated March 27, 2018 No. 48 “Requirements for ensuring information security of banks, branches of non-resident banks of the Republic of Kazakhstan and organizations engaged in certain types of banking operations”

The following requirements are imposed on ensuring the information security of banks and organizations:

      1) requirements for the organization of the information security management system;

      2) requirements for the categorization of information assets;

      3) requirements for organizing access to information assets;

 

      4) requirements for ensuring the security of information infrastructure;

      5) requirements for monitoring activities to ensure information security and measures to identify and analyze threats, counter attacks and investigate information security incidents;

6) requirements for the analysis of information about information security incidents, including information about violations, failures in information systems;

      7) requirements for the means of cryptographic protection of information;

      8) requirements for ensuring information security when third parties access information assets;

      9) requirements for conducting internal audits of the state of information security;

     10) requirements for the processes of the information security management system.

6

Appendix 2 to the decision of the Board National Bank Republic of Kazakhstan dated March 27, 2018 No. 48 “Rules and terms for providing information about information security incidents, including information about violations, failures in information systems”

According to the Rules the bank, the organization analyzes the identified information security incidents in accordance with internal documents, based on the results of which quarterly, no later than the 30th (thirtieth) day of the month following the reporting quarter, submit to the authorized body in any form information on processed information security incidents, including the following intelligence:

   1) date and time of registration of the information security incident;

   2) the date and time when the information security incident occurred;

   3) description of the information security incident;

   4) category of information security incident;

   5) the amount of damage (in tenge);

   6) last name, first name and patronymic (if any) of the person responsible for processing (collecting, analyzing, taking corrective measures) an information security incident;

  7) a brief description of the actions taken on the information security incident;

  8) status of the information security incident (date and time when the information security incident was closed).

US regulation of financial services security

Safeguards Rule

The Safeguards Rule (Code of Federal Regulations – PART 314 – STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION) requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

Covered entities:

• accountants
• ATM operators
• car rental companies
• courier services
• credit reporting companies
• credit unions
• debt collectors
• financial advisory firms
• hedge funds
• non-bank mortgage lenders
• payday lenders
• property appraisers
• real estate firms
• retailers
• stockbrokers
• tax preparers
• universities
• Others…

Covered data:

• addresses;
• bank account and financial data;
• biometric and related data;
• birth dates;
• car dealers;
• credit history (including property
records or purchasing history);
• education level and academic
performance;
• employment data;
• inferences drawn from other data;
• internet and other electronic
information;
• geolocation data;
• names;
• personal income;
• Social Security data; and
• tax information.

The Bureau of Consumer Financial Protection (CFPB) is an independent bureau within the Federal Reserve System that empowers consumers with the information they need to make financial decisions in the best interests of them and their families. The CFPB was created under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

The purpose of the CFPB is to promote fairness and transparency for mortgages, credit cards, and other consumer financial products and services. The CFPB will set and enforce clear, consistent rules that allow banks and other consumer financial services providers to compete on a level playing field and that let consumers see clearly the costs and features of products and services.
The functions of the CFPB to assist people in borrowing money or using other financial services include: implementing and enforcing Federal consumer financial laws; reviewing business practices to ensure that financial services providers are following the law; monitoring the marketplace and taking appropriate action to make sure markets work as transparently as they can for consumers; and establishing a toll-free consumer hotline and website for complaints and questions about consumer financial products and services.

The Sarbanes-Oxley (SOX) act of 2002 is a law passed by U.S Congress to protect investors from financial scams.

The SOX framework outlines best security practices for avoiding fraudulent financial transactions through a system of internal checks.

Recently, SOX has evolved into more than just a framework for ensuring financial record accuracy. It now includes cybersecurity components to ensure financial institutions address common cybersecurity risks that could impact financial activity.