In 2015, the value of the U.S. financial services cybersecurity market reached $9.5 billion, making it the largest non-government cybersecurity market and the fastest growing one as well, according to the Washington-based Homeland Security Research Corp.
Further, the New York City-based Deloitte revealed in its "2015 Banking Outlook" report that the U.S. financial services sector faced the greatest economic risk related to cybersecurity, and that financial institutions must dedicate more resources to improve the security, vigilance and resilience of their cybersecurity models.
Meeting regulatory expectations is a large part of financial institutions' cybersecurity strategies, and it requires managers to broaden their focus from improving processes to integrating risk management, compliance and ethics into their organizations' cultures.
Often, however, financial institutions seem caught between directing more resources toward compliance and directing them toward cybersecurity protection.
"Financial institutions can easily fall into the trap that 'compliance is security' and nothing is further from the truth," Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, said.
Keeping up with compliance is even more difficult when the guidance changes or conflicts with other regulations.
For example, the Federal Financial Institutions Examination Council recently reopened the comment period for its six-month-old Cybersecurity Assessment Tool. The tool's original intention was to allow financial institutions of all sizes to perform self-assessments and update risk management strategies using it along with other methodologies.
"There is no indication when the Assessment Tool 2.0 will come out. It could take more than a year," Ross Shameski, chief privacy officer and general counsel for the Vancouver-based NuData Security, said.
Shameski added the anticipated changes to the FFIEC assessment tool will be a step in the right direction, and some have begun speculating what the changes might be.
"The community is pushing the FFIEC to move away from the yes/no checkbox compliance [method] because we all know that doesn't result in security," Robert Capps, vice president of business development for NuData Security, said. "You can comply with the regulatory requirements and still not be secure. What is positive in the FFIEC tool and guidelines that came out last year is the inclusion of the financial institution boards in the decision making and approval process for information security and technology risks."
NAFCU Regulatory Affairs Counsel Kavitha Subramanian submitted a letter to the FFIEC requesting that the assessment tool utilization remain voluntary.
"This voluntary Self-Assessment Tool will be helpful for credit unions of all asset sizes to measure and assess their individual cybersecurity maturity and determine what changes should be implemented based on their internal risk appetite," Subramanian wrote. "We caution the Agencies against any future action to explicitly require financial institutions complete this Assessment as a supervisory or regulatory expectation."
The number of organizations providing security guidance has added confusion for financial institutions. Some security experts were concerned certain recommendations in the Cybersecurity Assessment Tool conflicted with the National Institute of Standards and Technology's cybersecurity framework, which also provides structure that organizations, regulators and consumers use to create, guide, assess or improve cybersecurity programs.
Guidance has also been released through the Financial Services Roundtable's BITS, the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act, the Financial Services Information Sharing and Analysis Center, and the International Organization for Standardization.
Of course, regulatory changes are nothing new for financial institutions.
"The financial industry is accustomed to adapting to new regulations as they deal with such occurrences quite frequently and have throughout history," Neil Stelzer, general counsel for the New York City-based Identity Finder, explained. "Nearly 80 years ago, sectors of the financial industry had to change to deal with the Securities Act of 1933."
One shift is that organizations no longer protect their data solely to safeguard their own trade secrets.
"Modern cybersecurity regulatory guidelines shift the focus to the private sensitive data of others, and specifically individuals who have a relative lack of power and resources," Stelzer said. "Regulatory guidelines are valuable in that they raise awareness and encourage internal corporate discussion, action and sector-wide best practices cooperation."
But are regulatory guidelines improving the level of security for organizations? Not necessarily, some experts said.
"It creates a regulatory burden without any certainty that IT security actually is improving," Sjouwerman pointed out. "Organizations focus on compliance instead of the things that really need to get done to protect the network. The positive side is that the organization's attention gets focused on the IT security aspect, which is very, very necessary."
It is also difficult to apply strict directives to all cyber environments because every financial institution is unique, according to Jackie Marshall, director of IT regulatory compliance for Gladiator Technology, a part of the Dallas-based ProfitStars, a Jack Henry Company.
"Resilience to cyberattacks is dependent on many factors," Marshall said. "An organization's governance structure and culture, electronic banking service offerings and defense in depth control strategy are significant components."
She further explained the new FFIEC cybersecurity initiatives require interpretation based on the size, complexity, nature and scope (in other words, the inherent risk) for each financial institution.
"Most community financial institutions don't have the internal infrastructure, bandwidth and expertise to devote to current FFIEC cybersecurity initiatives," she said. "Therefore, it's quite challenging and is creating more anxiety than action."
Stelzer added, "Regulations must allow for fluidity in an ever changing cybersecurity environment."
Regulations have forced financial institutions to focus on security and led the industry to utilize more secure software, Drew Kilbourne, managing director at the Dulles, Va.-based Cigital, emphasized. Nevertheless, he said he is not a big fan of compliance regulation.
"It gives us a false sense of security and lowers our expectations, which is a real problem," he said.
Kilbourne added he is frustrated by governing bodies' strict focus on compliance.
"Although these financial institutions are more secure, still their software is riddled with defects, and probably 75% to 80% of the defects in all industries are [the result of] two core attacks: SQL injections and cross-site scripting attacks."
SQL injection places attacker-controlled input into the database queries of data-driven applications so that it is executed as part of the query, while cross-site scripting tricks a web browser into running a script, or block of code, as though it came from a trusted source.
"These are extremely fixable, but too much of the industry's focus is on compliance and regulations and not solving these two defects," Kilbourne stressed.
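As an added illustration of why Kilbourne calls these two defects "extremely fixable," the following example (not code from the article or from any of the firms quoted) shows each defect beside its standard fix: a lookup that splices user input into SQL text next to the same lookup using a bound parameter, and an HTML greeting that concatenates untrusted text next to one that escapes it. The in-memory `accounts` table and its three rows are constructed sample data.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table standing in for a customer store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 1200), ("bob", 300), ("carol", 9800)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the input is spliced into the SQL text, so quote characters in the
    # input become part of the statement's syntax rather than the value compared.
    sql = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Fix: the driver sends the value separately from the statement, so the input
    # is only ever compared as data and is never parsed as SQL.
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def greeting_vulnerable(display_name):
    # Defect: untrusted text is concatenated straight into the HTML response,
    # so any markup it contains is interpreted by the browser.
    return f"<p>Welcome back, {display_name}</p>"


def greeting_escaped(display_name):
    # Fix: encode the characters that carry meaning in HTML so the browser
    # renders the input as visible text instead of executing it as markup.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


def demo():
    # Run the same hostile inputs through the defective and the fixed versions
    # and return what each produced, so the difference is measurable.
    conn = make_db()
    tautology = "' OR '1'='1"          # classic always-true fragment
    markup = "<script>alert(1)</script>"  # harmless script tag used as a marker
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),   # whole table leaks
        "parameterized_rows": len(lookup_parameterized(conn, tautology)),  # no such user
        "raw_html": greeting_vulnerable(markup),
        "escaped_html": greeting_escaped(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized lookup and the escaping call are one-line changes to the defective versions, which is the point: the fixes are mechanical, and a code review or static scan that flags string-built SQL and unescaped template output catches the defect class regardless of which compliance checklist an institution is working from.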
"Cybercrime will continue to evolve in spite of financial institutions' best efforts to meet guidance objectives," Marshall said. "Financial institutions' future cybersecurity efforts should be focused on quickly identifying attacks and limiting damage versus just focusing on preventing attacks from occurring."
Ross explained regulators are trying to identify which credit unions are the weakest at this time and implore them to improve their systems to protect member information.
"Credit unions that have strong leadership will always have strong systems," Ross said, adding that those trying to cut costs or that are budget-constrained are more vulnerable. "What we've seen in our business all the time are cybercriminals trying to test systems to identify weaknesses."
Financial institutions are also in danger of having their focus on compliance overshadow actual threat protection.
"To date, security, especially in regulated businesses, has been very much focused on compliance regulation," Ross warned. "That is a dangerous thing. At the end of the day it does not result in measurable security."
Many financial institutions have even begun hiring compliance experts instead of security professionals, Ondrej Krehel, founder/CEO of the New York City-based LIFARS, noted. He said this is because they do not want to risk paying penalties for non-compliance.
"A lot of resources go to compliance now so they can digest all these laws and regulations, including state laws, and translate them into the business," Krehel said.
Francis Tam, a partner at the Seattle-based advisory firm Moss Adams, noted that while numbers matter a lot in the finance sector, they certainly aren't the only factor in an organization's success.
"You also need to maintain compliance with an ever-evolving set of regulations, achieve profitability for your organization and any shareholders, closely monitor economic shifts and provide relevant guidance to your boards and committees – all while protecting your organization from new risks and threats, such as cybercrime," Tam said.
Capps warned of the consequences of an unfocused security strategy, stating, "When you collect a bunch of data and are not necessarily taking the steps to protect it, that is where you see these really impactful, really devastating, breaches occur. The level of attention paid to security and privacy varies on the institution. Some operate on the minimal requirements to be in business, but that is not limited to the financial institutions market. I have found credit unions to be some of the best businesses that I have worked with."
Marshall added, "It is fair to say that the financial industry is paying attention to both the rules and the root causes of cybercrime because they tend to be targeted more than other verticals and are also challenged by some of the strictest regulation."
The bottom line is, financial institutions have a stake in addressing the root causes of cybercrime, Marshall pointed out.
"The loss of sensitive data due to cybercrime causes a loss in consumer confidence, which can cause financial harm far greater than government penalties," Marshall said. "The combination of loss of consumer confidence, government penalties, litigation and repair costs can cost significant money, jobs and in the case of publicly traded companies, stockholder discomfort."
Krehel likened cybersecurity regulation to the Wild West, with many different organizations fighting for attention.
"Yet with all the guidance and regulations, there is not one federal data breach notification law," he noted. "What really needs to happen is regulatory consolidation with teeth."
© 2025 ALM Global, LLC, All Rights Reserved.