Corporate Compliance Insights

Don’t Wait for the New SEC Cybersecurity Rule to Become Better Stewards of Data

Financial institutions must get ready to report on assessing, monitoring, mitigating and remediating cyber risks

by Sean Wilke
July 25, 2023
in Cybersecurity, Financial Services

New cybersecurity requirements are coming for financial advisers and others in the financial services sector. While enforcement isn’t here yet, as Sean Wilke of IQ-EQ explains, the tools to put effective compliance in place are already within reach.

Financial firms are doing business in a golden age for cybercriminals. In 2022, web application and API attacks against financial services firms grew by 257%. Policymakers are amplifying the call for financial institutions (FIs) to become better stewards of investor data. 

The White House released its National Cybersecurity Strategy in March, toward the ultimate objective of protecting investors and the integrity of the financial markets. Shortly after, the SEC reopened the comment period on the 2022 proposed Cybersecurity Rule 206(4)-9, which provides registered investment advisers, asset managers and funds with a set of rules governing cybersecurity reporting, disclosure and governance.

Whether an FI is ahead of the curve or behind the pack on reporting cyber risk to stakeholders, it is inadvisable to wait until the SEC’s rules kick in to begin a path to compliance. Asset managers can immediately educate themselves on the new requirements and pre-empt the SEC by codifying and fortifying their incident reporting processes, customer notification processes and written cybersecurity policies and procedures.

Now that the public comment period is closed, what are the top elements compliance leaders at broker-dealers, clearing agencies and other market entities should be looking at when considering cybersecurity compliance?

Assess cyber risk to build cyber resilience

The SEC rules are a call to arms for asset managers to bolster cyber risk resilience. Compliance leaders will be asked to provide written proof that they understand and address all cyber risks, including categorizing and prioritizing cybersecurity risks associated with their information systems. And these risk assessments are not merely a one-off action.

Advisers and funds will be required to conduct yearly assessments that take into account information sensitivity, where and how data is accessed, stored and transmitted, system access controls, malware protection and more. Financial advisers will be required to clearly document and communicate any cybersecurity risks that could affect their advisory clients and fund investors. Risk is not an immutable metric, so FIs must subsequently prioritize and address evolving risks. The attack surface will only broaden with new technologies, continued cloud migration and the proliferation of digital assets on blockchains.

For good measure, the rule will also ask for records documenting the FIs’ cybersecurity risk assessment from the past five years. Deloitte found that FI organizations around the world agree that their number one challenge is the increasingly large and complex attack perimeter to defend. As such, CEOs and boards are “increasingly calling for more sophisticated risk quantification techniques that tie into broader business risks.” Department heads should break out of their silos and collaborate with CISOs to review their current cybersecurity posture by conducting a thorough risk assessment to find vulnerabilities.

Manning the cybersecurity watchtowers

The SEC is asking that fund managers document how they detect, mitigate and remediate cybersecurity threats to, and vulnerabilities of, their information and systems. This should motivate IT leaders and CISOs to update and create official company policies for identifying suspicious behavior, including generating and reviewing activity logs, identifying potential anomalous activity, and escalating issues to senior officers whenever appropriate. Advisers and funds should develop methodical plans for monitoring, tracking and patching vulnerabilities. Proactive measures like regular penetration testing, red-teaming and compromise assessments are essential, and the gaps those assessments uncover should be actively closed. They should also monitor industry and government sources for new threat and vulnerability information to stay on top of threat trends.

In the event of an attack

Not only must advisers and funds put in place policies and procedures to detect improper activity, but they will also need to document their cybersecurity incident response and recovery procedures. The SEC hopes that investors, issuers and market participants alike will benefit from knowing that these entities have in place protections fit for a digital age. The new rule would call for FIs to disclose security incidents via the proposed Form ADV-C within 48 hours and to alert customers of any compromised data within 30 days.

Swift, accurate incident reporting is essential to stop the initial bleeding or take remedial action. Advisers and funds would also be required to describe any cybersecurity incidents that occurred over the past two fiscal years that caused substantial harm to the adviser or their clients. The SEC is seeking to motivate firms to constantly improve data security postures, as the annual assessment report will include whether any control tests were performed, document any cybersecurity incidents that occurred since the previous report and discuss any material changes to the policies and procedures since the last report.

Third-party cyber risk management

The proliferation of fintech partnerships and APIs, as well as increasing automation in general, has muddled already complicated cyber defense paradigms. Now, advisers not only worry about their own system security but also the security postures of the numerous software integrations essential for daily business. Criminals have increasingly targeted managed service providers, the software supply chain and the cloud. Under the SEC rules, compliance officers have to identify any service providers that receive, maintain or process adviser or fund information, or that otherwise have access to their systems, and identify any cybersecurity risks associated with their access. Advisers and funds can ensure their service providers are capable of protecting important information and data systems by conducting due diligence and periodic contract reviews. Robust access and identity management controls are a must-have to minimize unauthorized access to information systems.

The scale of the perceived burden is a reflection of the scale of cybersecurity risks in today’s operating environment. The current timeline for finalizing the rule continues to be pushed into the future, offering FI compliance leaders and CISOs time to adapt. Given the sensitive nature of the data and information FIs handle, the proposed new Rule 10 sets a standard that strengthens transparency, trust, and accountability between FIs and the parties with which they do business. International Monetary Fund (IMF) global research revealed that information sharing and reporting represents the top cybersecurity gap in the oversight of financial markets infrastructures. This new level of transparency will help the public and private sectors share critical information on threats to marshal collective forces to protect the securities markets.


Tags: Cyber Risk, SEC

Sean Wilke is a senior managing director at IQ-EQ U.S., which he joined as part of the acquisition of Greyline, where he was a partner and the head of strategic growth. Before joining Greyline, he was a director in the governance, risk, investigations and disputes group at Duff & Phelps (now Kroll).