SEC proposes new cybersecurity rules for financial services

New policies proposed by the Securities and Exchange Commission (SEC) could lead to changes in the way financial services firms handle cybersecurity.

On February 9, the SEC voted to propose cybersecurity risk management policies for registered investment advisers, registered investment companies, and business development companies (funds). Then, the proposal will go through a public comment period until May 9.

The importance of cybersecurity in finance

The X-Force 2021 Threat Index found that financial services was the most targeted industry. Meanwhile, the manufacturing industry overtook financial services in the X-Force Threat Index 2022. However, financial services held a solid second place with 22.4% of attacks. Moreover, the threat across the industry is not even: 70% of the attacks targeted banks, 16% insurance organizations and 14% other financial organizations.

The drop in ranking shows the progress of the industry. The new rules will also bring about a major change in the processes of many financial institutions. The 2022 threat index cites the increased security standards that many financial institutions have adopted in recent years as key factors for improvement. Additionally, the report indicates that the increase in hybrid cloud adoption is another reason for the reduction in attacks.

However, when considering the current state of cybersecurity in financial institutions, there is something else to remember as well. Many financial institutions have accelerated their digital transformations over the past two years due to the pandemic. They put new processes online, both internal and customer-facing. Thus, the risk of attacks has grown as more vulnerabilities have been exposed. But the study shows that the direction of the industry is having an impact and is probably on the right track. However, based on the industry's reaction to and concern about the new rules, there is still much to be done.

What do these rules mean for financial services?

If the rules are adopted, many financial institutions will need to significantly change their approach to cybersecurity. The objectives of the new rules are twofold. They aim to reduce risk for customers and investors. They also aim to allow investors to have more information about past issues when making decisions. Previously, the majority, if not all, of financial institutions had no cybersecurity regulations.

The rules contain the following key requirements:

  • Advisers and funds should have written cybersecurity policies and procedures designed to address risks that could harm advisory clients and fund investors
  • Advisers must report significant cybersecurity incidents affecting the adviser or their fund or private fund clients to the Commission on a new confidential form within 48 hours
  • Advisers and funds must publicly disclose cybersecurity risks and significant cybersecurity incidents that have occurred over the past two years in their registration brochures and statements
  • Advisers and funds must follow new record-keeping processes. These are designed to improve the availability of cybersecurity-related information and strengthen the Commission's inspection and enforcement capabilities.

While previous attacks have occasionally been reported in the media, the level of accountability the new rules give is much higher than previous standards. The SEC sends the message that cybersecurity is a major concern for the industry. Businesses need to make it a priority.

How these rules can affect budgeting

Even more than most industries, the financial services industry is profit-margin driven. As financial services companies work through their budgets for the next fiscal year, they need to consider the impact the new rules will have on their IT department if passed. What budget changes might they need? Otherwise, they might not have the resources to comply with the new guidelines.

From a budgetary point of view, the rules have several important impacts. Financial services institutions that do not have written cybersecurity policies will need to spend significant time creating and deploying new policies. Additionally, many institutions will need to invest in new cybersecurity technologies. They may want to hire more cybersecurity professionals to follow the processes properly.

Financial services institutions using hybrid cloud solutions will have an easier transition to the new rules than other businesses. Since the cloud provider is securing the cloud for the enterprise, these companies are likely already compliant. Additionally, the documentation process is much simpler because cloud service providers already have the documentation required for customers in other industries who have already been subject to similar rules.

How can financial services companies comply with the new rules?

The types of attacks launched against financial services institutions provide insight into the need for targeted cybersecurity training for institution employees. The 2022 X-Force Threat Index found that the most common attack vector was phishing, which accounted for 46% of attacks. The second most common was vulnerability exploitation, at 31%. Other main types of attacks include password spraying, brute force, and virtual private network access.

However, the biggest change is that the industry as a whole, as well as business leaders, must place a higher priority on cybersecurity. While companies need to invest in more technology and resources, the most important change is that companies must also strive to create a culture of cybersecurity.

With the increased reporting requirements, customers will now have access to much more information about cybersecurity risks and practices. This will then likely become more of a consideration for clients when making financial service decisions. Companies that are slow to adopt safe practices risk losing customers to less risky competitors. Customers and potential customers will now have access to attack information that was previously unavailable.

Risk reduction does not happen overnight. Neither does creating a culture of cybersecurity. Financial firms need to start taking an honest look at their mindset and processes before the law becomes mandatory. By beginning the journey towards a culture of cybersecurity, companies can reduce damage to their reputation and maintain the trust of their customers.
