Proposed new policies from the Securities and Exchange Commission (SEC) could spell changes for how financial services firms handle cybersecurity.

On Feb. 9, the SEC voted to propose cybersecurity risk management rules for registered investment advisers, registered investment companies and business development companies (funds). Next, the proposal goes through a public comment period that runs until May 9.

The importance of cybersecurity in finance

The 2021 X-Force Threat Index found that financial services was the most targeted industry. Manufacturing overtook financial services in the 2022 X-Force Threat Index, but financial services remained solidly in second place with 22.4% of attacks. The threat is also not evenly distributed across the industry: 70% of attacks targeted banks, 16% insurance organizations and 14% other financial organizations.

The drop in ranking shows progress in the industry, even though the new rules will still mean a major shift in processes for many financial institutions. The 2022 Threat Index points to the rising security standards that many financial institutions have adopted in recent years as a key factor in that improvement. The report also cites the growing adoption of hybrid cloud as another reason for the reduced number of attacks.

However, the current state of cybersecurity in financial institutions has to be read against another development. Many financial institutions sped up their digital transformations over the past two years because of the pandemic, putting new processes – both internal and customer-facing – online. That expanded attack surface raised the risk of attacks. The study shows that the industry’s focus is making an impact and is likely on the right track, but the reaction to and concern about the new rules across the industry suggest there is still much room for improvement.

What do these rules mean for financial services?

If the rules are adopted, many financial institutions will have to significantly change their approach to cybersecurity. The goals of the new rules are two-fold: to reduce the risk for customers and investors, and to give investors more information about past incidents when making decisions. Previously, the majority of financial institutions, if not all, were not subject to any regulations specific to cybersecurity.

The rules contain the following key requirements:

  • Advisers and funds must have written cybersecurity policies and procedures designed to address risks that could harm advisory clients and fund investors
  • Advisers must report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new, confidential form within 48 hours
  • Advisers and funds must publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements
  • Advisers and funds must follow new record-keeping processes. These are designed to improve the availability of cybersecurity-related information and to support the Commission’s inspection and enforcement capabilities.

While previous attacks were sometimes reported in the media, the level of accountability the new rules impose is much higher than the previous standard. The SEC is sending a message that cybersecurity is a key concern for the industry, and firms must make it a high priority.

How these rules may affect budgeting

Even more than most industries, the financial services industry is focused on and driven by profit margins. As financial services firms work on their budgets for the next fiscal year, they should consider the impact the new rules, if passed, will have on their IT departments and what budget changes they might need. Otherwise, they may not have the resources to comply with the new requirements.

From a budget perspective, the rules have several large impacts. Financial services institutions that do not have written cybersecurity policies will need to devote considerable time to creating and rolling out the new policies. Many institutions will also need to invest in new cybersecurity technology, and they may want to hire more cybersecurity professionals to follow the new processes correctly.

Financial services institutions using hybrid cloud solutions will have an easier transition to the new rules than other firms. Because the cloud provider secures the cloud platform for the firm, these firms are likely already close to compliant for that part of their environment. The documentation process is also much simpler, because cloud service providers already hold the required documentation for customers in other industries that have been subject to similar rules.

How can financial services firms fulfill the new rules?

The types of attacks launched against financial services institutions show why focused cybersecurity training for employees is needed. The 2022 X-Force Threat Index found that the most common attack was phishing, which accounted for 46% of attacks. The second leading cause was vulnerability exploitation at 31%. Other top attack types include password spraying, brute force and virtual private network access.
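Password spraying and brute force, two of the attack types named above, leave a distinctive pattern in authentication logs, and firms building the written procedures the rules call for will want a detection for them. The following script is an added illustration and is not code from the article or from IBM X-Force. It assumes a simplified log format (`<timestamp> <OK|FAIL> user=<name> src=<ip>`), runs over a small constructed sample, and uses illustrative thresholds: many distinct users with few failures each from one source within a time window is flagged as spraying, while many failures against one account from one source is flagged as brute force.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
EPOCH = datetime(1970, 1, 1)  # naive epoch; keeps bucketing independent of local time zone

# Constructed sample log lines (not real data): a spray from 203.0.113.5,
# a brute-force run against "alice" from 198.51.100.7, and benign activity.
SAMPLE_LOG = """\
2022-02-10T09:00:01 FAIL user=alice src=203.0.113.5
2022-02-10T09:00:02 FAIL user=bob src=203.0.113.5
2022-02-10T09:00:03 FAIL user=carol src=203.0.113.5
2022-02-10T09:00:04 FAIL user=dave src=203.0.113.5
2022-02-10T09:00:05 FAIL user=erin src=203.0.113.5
2022-02-10T09:00:06 FAIL user=frank src=203.0.113.5
2022-02-10T09:01:00 FAIL user=alice src=198.51.100.7
2022-02-10T09:01:01 FAIL user=alice src=198.51.100.7
2022-02-10T09:01:02 FAIL user=alice src=198.51.100.7
2022-02-10T09:01:03 FAIL user=alice src=198.51.100.7
2022-02-10T09:01:04 FAIL user=alice src=198.51.100.7
2022-02-10T09:01:05 FAIL user=alice src=198.51.100.7
2022-02-10T09:01:06 FAIL user=alice src=198.51.100.7
2022-02-10T09:01:07 FAIL user=alice src=198.51.100.7
2022-02-10T09:02:00 OK user=bob src=192.0.2.44
2022-02-10T09:02:30 FAIL user=carol src=192.0.2.44
2022-02-10T09:02:31 OK user=carol src=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def analyze(log_text, window_seconds=300, spray_min_users=5,
            spray_max_per_user=2, brute_min_failures=5):
    """Return findings for password spraying and brute force, grouped by
    source address and fixed time window. Thresholds are illustrative assumptions."""
    # (src, window bucket) -> user -> number of failed logins
    buckets = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue  # only failures feed the counters
        seconds = (ev["ts"] - EPOCH).total_seconds()
        bucket = int(seconds // window_seconds)
        buckets[(ev["src"], bucket)][ev["user"]] += 1

    findings = []
    for (src, _), per_user in buckets.items():
        total = sum(per_user.values())
        # Spray: many accounts touched, each only a few times (stays under lockout)
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            findings.append({"type": "password_spray", "src": src,
                             "users": len(per_user), "failures": total})
        # Brute force: one account hammered repeatedly from one source
        for user, n in per_user.items():
            if n >= brute_min_failures:
                findings.append({"type": "brute_force", "src": src,
                                 "user": user, "failures": n})
    return sorted(findings, key=lambda f: (f["type"], f["src"]))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The two patterns need different responses: spraying is usually invisible to per-account lockout counters because each account sees only one or two failures, so the detection keys on the source and the number of distinct accounts, while brute force is caught by the per-account count. Real deployments would tune the window and thresholds to the firm's own baseline and feed the findings into the incident process that the 48-hour reporting requirement depends on.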

However, the biggest change is that the industry as a whole, and leadership at individual firms, needs to move cybersecurity higher up the priority list. While firms need to invest in more technology and resources, the most important change is that they must also work to create a culture of cybersecurity.

With the increased reporting requirements, customers will have access to much more information about firms’ cybersecurity risks and practices, and that information is likely to become a bigger factor in their financial services decisions. Firms that lag behind in adopting safe practices are likely to lose customers to rivals that carry less risk, because customers and prospective customers will now see information on past attacks that was not available before.

Reducing risk doesn’t happen overnight, and neither does creating a culture of cybersecurity. Financial firms need to take an honest look at both their mindset and their processes before the rules become mandatory. By beginning the journey towards a cybersecurity culture now, firms can limit damage to their reputations and keep the trust of their customers.
