SEC Cyber Regulations are Coming – Is Your Firm Ready?
The word “risk” is taking on a whole new meaning for the financial services sector in the coming months, as the Securities and Exchange Commission’s (SEC) burgeoning regulatory agenda has proposed a myriad of updates to existing regulation that will require enhanced cybersecurity and risk management capabilities. This is hardly the Commission’s first foray into technology and cybersecurity; the question has long since shifted from “if” to “when” cybersecurity risk management will be formally codified in the Federal Register, and the time is now. Although the proposed language indicates that cybersecurity programs should be “tailored based on business operations”, many Registered Investment Advisers (RIAs), Investment Companies (ICs), and similar organizations lack the internal expertise to develop, implement, and administer cybersecurity risk management programs appropriate for their business size and complexity. Furthermore, the growing scarcity of information security resources (a cyber workforce gap of 3.4 million globally / 436,000 in the US) has made it difficult to find and retain relevant talent. Now more than ever, firms need experienced partners capable of delivering managed technology, cybersecurity, and industry-specific advisory services in a cost-effective package that addresses business challenges while driving ROI.
Thou Shalt Perform a Risk Assessment (and Other Requirements)
While there are distinct nuances between the requirements proposed in each of the rules, all of them are rooted in establishing robust cyber risk management programs. Firms first need to develop a foundation of written policies and procedures outlining risk analysis processes, risk detection capabilities, reporting, and risk treatment options. The program should combine both administrative and technical functions and must be overseen by a qualified information security practitioner. Typically, these requirements are met through risk assessment and incident response planning exercises. Conceptually, these requirements are not new; however, a majority of the regulated entity market has only some of the necessary components in place and must now allocate resources to quickly mature their programs and capabilities.
The regulations also outline novel reporting requirements that further elevate the urgency of implementing robust programs. One of the most polarizing elements of the proposed Cybersecurity Risk Management rule is the mandatory 48-hour reporting threshold for submitting information regarding “significant” cybersecurity incidents to the SEC using a new Form ADV-C. Proposed changes to Regulation S-P, which is more narrowly scoped to information systems and data sets pertaining to consumer financial information, also incorporate a 30-day requirement for notifying individuals of a cybersecurity incident or unauthorized access to or use of their sensitive information. Although the timeframes may be adjusted as a result of industry review and feedback, the reporting requirements are expected to remain in the finalized regulation.
With these requirements on the horizon, does your organization have the proper technical tools and processes to a) detect cybersecurity incidents and b) explicitly identify the information systems and/or data sets impacted by the incident? If not, you may be unable to limit your exposure when meeting the reporting requirements: if you don’t know which data was impacted, you would have to notify all clients, for example.
A Checklist for Success – If Only It Were That Easy
For information security and IT compliance practitioners, a complete checklist of everything required to maintain continual compliance is the holy grail. Alas, one size does not fit all, especially given the modern dynamic threat landscape, the ever-evolving regulatory canon, and increasing globalization. Keeping in mind that each organization requires a bespoke blend of technology, doctrine, and personnel to fit its risk profile, the list below is a good starting point for evaluating your program maturity:
- Written Incident Response and Risk Management policies and procedures.
- Written Risk Management policy, processes, testing, and reporting procedures.
- Written Incident Response Plan (IRP).
- Third party cybersecurity risk management and incident response processes.
- Qualified professional administering the cybersecurity programs.
- Qualified professionals capable of responding to detected cybersecurity incidents.
- Formalized protocols for reporting incidents to the Commission and for notifying clients within the required timeframes.
- Data classification, critical systems classification, classification of personal data within business systems.
- Identity and Access Management (IAM) solution (configured to least privilege).
- Multifactor authentication on all remote access vectors at a minimum.
- Endpoint detection and response (EDR).
- Network detection and response (e.g., MDR, XDR).
- Security monitoring for all cloud environments (IaaS, SaaS, PaaS, etc.).
- File and folder auditing, monitoring, reporting.
- Encryption for data at rest and in transit.
- 24×7 Security Operations Center (SOC) monitoring and response.
- Security Information and Event Management (SIEM) solution for log aggregation and preservation.
- Security testing: penetration testing and vulnerability scanning.
- Vulnerability and patch management solution.
How Thrive Can Help
Whether your organization needs help developing policies and procedures, conducting risk assessments, managing your cyber program, or beefing up your technical cyber defense capabilities, Thrive’s Compliance as a Service (CaaS) and financial services division is ready to deliver. Our 1300+ person team has decades of experience supporting financial services clients and understands the industry-specific complexities.
Contact us today to learn more about our customizable solution packages and how we partner with our clients for the long term.
Links to Referenced Regulation and Source Material:
1. “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies”
2. “Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents”
3. “Regulation Systems Compliance and Integrity (Reg SCI)”
4. “Privacy of Consumer Financial Information and Safeguarding Customer Information (Reg S-P)”
5. (ISC)² Cybersecurity Workforce Study 2022