SEC Proposes New Cybersecurity Rules for Financial Services

Proposed new rules from the Securities and Exchange Commission (SEC) could change the way financial services companies handle cybersecurity.

On February 9, the SEC voted to propose cybersecurity risk management rules for registered investment advisers, registered investment companies, and business development companies (funds). The proposal now goes through a public comment period that runs until May 9.

The importance of cybersecurity in finance

The 2021 X-Force Threat Index found that financial services was the most attacked industry. Manufacturing overtook financial services in the 2022 X-Force Threat Index, but financial services still came in a solid second with 22.4% of attacks. The threat across the industry is not uniform, either: 70% of those attacks were directed at banks, 16% at insurance organizations and 14% at other financial organizations.

The drop in the ranking suggests progress across the industry, although the new rules will still mean a major change in processes for many financial institutions. The 2022 Threat Index points to the security standards that many financial institutions have adopted in recent years as a key factor in that improvement, and to the rise in hybrid cloud adoption as another reason for the reduction in attacks.

There is something else to keep in mind when assessing the current state of cybersecurity in financial institutions. Many of them accelerated their digital transformations over the last two years because of the pandemic, bringing new processes, both internal and customer-facing, online. That expanded the attack surface and, with it, the risk of attack. The study nonetheless shows that the industry's approach is having an impact and is likely on the right track. Judging by the industry's reaction to and concern over the new rules, however, there is still a lot of room for improvement.

What do these rules mean for financial services?

If the rules are adopted, many financial institutions will have to significantly change their approach to cybersecurity. The goals of the new rules are twofold: to reduce the risk to clients and investors, and to give investors more information about past incidents when making decisions. Previously, registered advisers and funds were not subject to any SEC rules that specifically addressed cybersecurity.

The rules contain the following key requirements:

  • Advisers and funds must have written cybersecurity policies and procedures designed to address risks that could harm advisory clients and fund investors.
  • Advisers must report significant cybersecurity incidents affecting the adviser or its private fund(s) or fund clients to the Commission on a new, confidential form within 48 hours.
  • Advisers and funds must publicly disclose cybersecurity risks, and significant cybersecurity incidents that occurred in the last two fiscal years, in their prospectuses and registration statements.
  • Advisers and funds must follow new record-keeping requirements. These are designed to improve the availability of cybersecurity-related information and to support the Commission's inspection and enforcement capabilities.

While past attacks were sometimes reported in the media, the level of accountability the new rules demand is far higher than under previous standards. The SEC is sending a message that cybersecurity is a key concern for the industry, and companies must make it a high priority.

How these rules can affect the budget

Even more than most industries, financial services is driven by profit margins. As financial services companies work on their budgets for the next fiscal year, they need to consider the impact the new rules, if approved, will have on their IT departments and what budget changes they might need. Otherwise, they may not have the resources to comply with the new requirements.

From a budget perspective, the rules have several important impacts. Financial services institutions that do not have written cybersecurity policies will need to spend significant time creating and implementing them. Many institutions will also need to invest in new cybersecurity technology, and may need to hire more cybersecurity professionals to carry out the new processes correctly.

Financial services institutions already using hybrid cloud solutions will likely find the transition to the new rules easier than other businesses, but not automatic. Under the shared responsibility model, the cloud provider secures the underlying infrastructure, while the customer remains responsible for its own data, identities, configurations and policies, so using a cloud does not by itself put a firm in compliance. What it does provide is a head start on documentation: cloud service providers already maintain the compliance documentation and audit reports that customers in other regulated industries, subject to similar rules, have required of them, and firms can build their own written policies and records on top of that material.

How can financial services companies comply with the new rules?

The types of attacks launched against financial services institutions show why focused cybersecurity training for employees, alongside timely patching, is needed. The 2022 X-Force Threat Index found that the most common initial access vector was phishing, accounting for 46% of attacks. The second was exploitation of vulnerabilities, at 31%. Other common vectors include password spraying, brute-force attacks, and abuse of virtual private network (VPN) access.

The biggest change, however, is that the industry as a whole, and leadership within individual companies, need to make cybersecurity a higher priority. Companies will need to invest in more technology and resources, but the most important change is building a culture of cybersecurity.

With the increased reporting requirements, customers and prospective customers will have access to far more information about firms' cybersecurity risks, practices and past incidents than was previously available. This is likely to become a bigger consideration for clients when choosing a financial services provider, and firms that lag behind in adopting safe practices are likely to lose customers to rivals that present less risk.

Reducing risk does not happen overnight, and neither does creating a culture of cybersecurity. Financial firms need to take an honest look at both their mindset and their processes before the rules take effect. By beginning the journey to a culture of cybersecurity now, companies can limit damage to their reputation and maintain the trust of their customers.