
ASC X9 Presents New Financial Services Framework to Protect Data and Mitigate Security Breaches

Standards, whether trying to set technical, behavioral or compliance yardsticks, by nature are intended to provide a sense of stability and order. Along those lines, the Accredited Standards Committee X9 (ASC X9) has crafted a new global standard for the financial services industry designed to protect personal and financial data. What could be more beneficial than a platform to protect money?

This new framework, known as the X9.141 Financial and Personal Data Protection and Breach Notification Standard, has a heavy lift: The idea, in non-prescriptive language, is to establish management and security requirements not only to protect data but also to respond to and mitigate data breaches across a wide range of financial functions.

(For context, X9 is a non-profit organization accredited by the American National Standards Institute (ANSI) to develop both domestic and international standards for the financial services industry. The outfit has 100 member companies and about 400 company representatives that develop and maintain 158 domestic standards and international standards.)

Officials said the initiative seeks to do better than current efforts to safeguard customer information, which are often stymied by disparate state, federal and international laws and regulations. In fact, X9 intends to support legislation to protect data and notify consumers of breaches already advocated by numerous financial organizations.

This new standard, anything but narrow in tone, aims to oblige all entities that transfer, process or store financial data (including customer personally identifiable information) to:

  • Identify, classify and protect this sensitive data to preserve its confidentiality, availability and integrity using consistent, standard security requirements developed in an open consensus environment.
  • Implement standard measures to detect, respond to and mitigate data breaches.
  • Provide uniform notification requirements for use when breaches occur.

While the standard is directed at cyber security within the financial services industry, X9 said the schematic could extend to any industry that needs to protect sensitive data. X9, which said it will also explore accreditation and certification opportunities, said it is actively seeking professionals in the financial sector, credit bureaus, product manufacturers, government agencies, university research departments and application developers to join the initiative.

"Having a standard that, without being prescriptive, would allow companies to achieve a level of protection, and additionally allow other companies and regulators to understand and be able to trust that level of protection based on a third-party assessment or other mechanisms, would increase overall data security, while reducing costs throughout the industry," said Richard Borden, editor for the X9.141 project.

X9's financial services standard comes on the heels of New York's Department of Financial Services' looming February 15th certification deadline for entities covered by its cyber security regulation to prove compliance for 2017. The regulation requires each entity to conduct an annual review and assessment of the program's achievements, deficiencies and overall compliance with regulatory standards. New York has touted the cyber security regulation, which took effect on March 1, 2017, as the first in the U.S.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.