Implementation of the Illinois Financial Institution Cyber Security Act


Learn more about the Illinios Financial Institution Cyber Security Act.

The financial service industry is the leading target of cyberattacks. According to Forbes, financial institutions experience 35% of all data breaches. These institutions depend heavily on information technology systems to process millions of transactions. What’s more, they’re privy to a large amount of high-value data and assets, making them particularly susceptible to cyberattacks, including distributed denial of service attacks, phishing attacks, browser-based attacks, payment card skimmers, and insider threats.

New regulations and controls are being put in place to address the growing threats to financial institutions. Illinois’ Financial Institution Cybersecurity Act, which became effective January 1, 2020, establishes a set of robust cybersecurity practices to protect consumers and the confidentiality of their information systems.

Below, we highlight the provisions of this act.

Cybersecurity Program

Each covered financial institution is required to maintain a cybersecurity program to protect the integrity, confidentiality, and availability of their information systems. The program is designed to identify and assess risks that may threaten the integrity of stored information and to use defensive infrastructure and policies to:

  • Detect cybersecurity events
  • Mitigate any negative effects of detected or identified cybersecurity events
  • Report from cybersecurity events and restore normal operations
  • Fulfill regulatory reporting obligations

In addition to having a cybersecurity program, financial institutions should implement and maintain a written policy that addresses information security, asset inventory management, data governance and classification, access controls, and business continuity, systems and network monitoring, risk assessment, customer data privacy, systems and network security, and incident response.

The cybersecurity program should also include written standards, procedures, and guidelines to ensure the use of secure development practices for applications used by the entity. This also covers procedures for assessing, evaluating, and testing of externally developed applications. For security compliance, all the processes and guidelines should be reviewed and updated as necessary.

Penetration Testing and Vulnerability Assessment

The cybersecurity program should include monitoring and testing based on the risk assessment and designed to assess the effectiveness of the program. The process must have continuous monitoring or vulnerability assessments and periodic penetration testing. If the system is not monitored on an ongoing basis or another system is not put in place to detect changes in information systems, the financial institution should conduct:

  • annual penetration testing of the systems based on relevant identified risks, and
  • bi-annual vulnerability assessments, which should include reviews or systematic scans of information systems to identify cybersecurity vulnerabilities.

Based on penetration testing and a risk assessment, covered entities should maintain systems that can reconstruct material financial transactions to support normal operations as well as audit trails to detect and respond to cybersecurity events that can affect normal operations.

Risk Assessment

A Risk assessment of information systems should be conducted to inform the design of the cybersecurity program as indicated in the Financial Institution Cybersecurity Act. The risk assessment should be updated as necessary in order to address the entity’s systems, business operations, and nonpublic information. What’s more, controls should be revised to keep up with evolving threats and technological developments, considering the company’s business operations related to cybersecurity, information systems, nonpublic information, as well as availability and effectiveness of controls to protect information systems and data.

Financial institutions are required to conduct a risk assessment based on written policies and procedures that provide:

  • Criteria for the evaluation and classification of cybersecurity threats or risks
  • Criteria for the assessment of integrity, security, confidentiality, and availability of information systems and data
  • Description of how risk mitigation will be done and how the cybersecurity program will address the risks

Cybersecurity Personnel and Third-Party Service Provider

To ensure the security of information systems and nonpublic data, the Financial Institutions Cybersecurity Act requires entities to hire qualified cybersecurity personnel or a third-party service provider to manage the risks and perform or oversee the performance of key cybersecurity functions. Also, the personnel should be provided with updates and training relevant to address risks and maintain current knowledge of evolving cybersecurity threats and countermeasures.

When it comes to third-party service providers, there’s a need to look into their company’s risk assessment, cybersecurity practices and whether they’re adequate, and the risk they present. It’s also a requirement to consider the third-party service provider’s policies for access controls, multi-factor authentication, encryption, and breach response.

Multi-Factor Authentication and Encryption of Nonpublic Information

Multifactor-authentication or risk-based authentication should be included to prevent unauthorized access to information systems or nonpublic information. All individuals accessing the internal networks must use the multi-factor authentication (2-factor MFA) unless more secure or equivalent controls are needed.

As part of information security compliance, encryption is necessary to protect nonpublic information stored or transmitted by the institution. And if encryption is not feasible, the financial institution may secure the information using effective alternative controls.

Incident Response Plan

As provided by the cybersecurity act, organizations should establish a written incident response plan to help them promptly respond to and recover from any cybersecurity event. Important aspects addressed in the incident response plan include:

  • The goal of the response plan
  • The definition of roles and levels of decision-making authority
  • Internal processes for responding to a breach
  • Communication and information sharing
  • Identification remediation processes of weakness in systems and controls
  • Documentation and reporting
  • Revision of the incident response plan after a cybersecurity threat

Contact SCA Security Today

Compliance with the Financial Institution Cybersecurity Act is critical, and it begins by understanding how these regulations affect your business and then developing a plan to stay compliant. SCA can help. Our sole focus is on safeguarding critical information and information security compliance.

If you have questions about the Financial Institution Cybersecurity Act or would like to schedule a no-cost appointment with a member of our team, please call us at 727-571-1141. Download our data breach response guide to learn more.