Proposed new policies from the Securities and Exchange Commission (SEC) could spell changes for how financial services firms handle cybersecurity.
On Feb. 9, the SEC voted to propose cybersecurity risk management policies for registered investment advisers, registered investment companies and business development companies (funds). Next, the proposal will go through a public comment period until May 9.
The Importance of Cybersecurity in Finance
The 2021 X-Force Threat Index found that financial services were the most targeted industry. Manufacturing beat out financial services in the 2022 X-Force Threat Index. However, financial services were solidly in second place with 22.4% of the attacks. In addition, the threat is not evenly distributed across the industry: 70% of the attacks targeted banks, 16% insurance organizations and 14% other financial organizations.
The drop in ranking shows progress in the industry. The new rules will also result in a major shift in processes for many financial institutions. The 2022 Threat Index points to the rising security standards that many financial institutions have adopted in recent years as key factors for improvement. In addition, the report points to the increase in the adoption of the hybrid cloud as another reason for reduced attacks.
However, when considering the current state of cybersecurity in financial institutions, one more factor matters. Many financial institutions sped up their digital transformations over the past two years due to the pandemic. They put new processes – both internal and customer-facing – online. So, with more systems exposed and more vulnerabilities, the risk of attacks became greater. But the study shows the industry’s focus is making an impact and is likely on the right track. However, based on the reaction and concern in the industry about the new rules, there is still much room for improvement.
What Do These Rules Mean for Financial Services?
If the rules are adopted, many financial institutions will have to significantly change their approach to cybersecurity. The goals of the new rules are two-fold. They aim to reduce the risk for customers and investors. They also aim to give investors more information about past issues when making decisions. Previously, most financial institutions, if not all, were not subject to any regulations regarding cybersecurity.
The rules contain the following key requirements:
- Advisers and funds must have written cybersecurity policies and procedures designed to address risks that could harm advisory clients and fund investors
- Advisers must report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new, confidential form within 48 hours
- Advisers and funds must publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements
- Advisers and funds must follow new record-keeping processes. These are designed to improve the availability of cybersecurity-related information and help the Commission’s inspection and enforcement capabilities.
While previous attacks were sometimes reported in the media, the level of accountability that the new rules give is much higher than the previous standards. The SEC is sending a message that cybersecurity is a key concern for the industry. Firms must make it a high priority.
How These Rules May Affect Budgeting
Even more than most industries, the financial services industry is focused on and driven by profit margins. As financial services firms work on their budgets for the next fiscal year, they should consider the impact that the new rules, if passed, will have on their IT department. What budget changes might they need? Otherwise, they may not have the resources to comply with the new guidelines.
From a budget perspective, the rules have several big impacts. Financial services institutions that do not have written cybersecurity policies will need to devote a lot of time to creating and rolling out the new policies. In addition, many institutions will need to invest in new cybersecurity technology. They may want to hire more cybersecurity professionals to correctly follow the processes.
Financial services institutions using hybrid cloud solutions will have an easier transition to the new rules than other firms. Because the cloud provider secures the cloud for the firm, these firms are likely already compliant. Plus, the documentation process is much simpler because cloud services providers already have the required documentation for customers in other industries that have already been subject to similar rules.
How Can Financial Services Firms Fulfill the New Rules?
The types of attacks launched on financial services institutions provide some insights into the need for focused cybersecurity training for employees at the institutions. The 2022 X-Force Threat Index found that the most common attack was phishing, which accounted for 46% of the attacks. The second leading cause was vulnerability exploitation at 31%. Other top types of attacks include password spraying, brute force and virtual private network access.
However, the biggest change is that the industry as a whole, as well as leadership at the firms, needs to move cybersecurity higher in priority. While the firms need to invest in more tech and resources, the most important change is that firms must also work to create a culture of cybersecurity.
With the increased requirements for reporting, customers will now have access to much more information about cybersecurity risks and practices, including information on past attacks that was not available before. This will then likely become more of a consideration for customers when making financial services decisions. Firms that lag behind in adopting safe practices are likely to lose customers to rivals that carry less risk.
Reducing risk doesn’t happen overnight. Neither does creating a culture of cybersecurity. Financial firms need to begin taking an honest look at both their mindset and processes before the rules become mandatory. By beginning the journey towards a cybersecurity culture, firms can reduce damage to their reputations and keep the trust of their customers.