Understanding the SEC’s Proposed Cybersecurity Standards
Cybersecurity represents an ongoing challenge for alternative investment firms and the financial industry. And this challenge continues to grow in scope, complexity, and cost. According to IBM and the Ponemon Institute, the 2021 average cost of a data breach in the financial sector was $5.72 million.
In response, the U.S. Securities and Exchange Commission (SEC) has recently proposed new standards for cybersecurity management. According to the SEC’s February 2022 press release, “the proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”
While greeted favorably among cybersecurity professionals and the financial community, the news represents a significant course change for the SEC. To date, there have been no SEC rules or regulations that require financial firms to implement cybersecurity programs. However, the wide-ranging SEC proposal addresses advisor and fund cybersecurity risk, establishes new required elements of policies and procedures for advisors and funds (including disclosure of risks and reporting of cybersecurity incidents), and concludes with a detailed economic analysis.
Breaking Down the Proposed SEC Cybersecurity Compliance Requirements
The recommendations of the SEC compliance proposal can be divided into five areas:
- User security and access
- Information protection
- Incident response and recovery for cybersecurity
- Threat and vulnerability management
- Risk assessment for cybersecurity
Here is a brief description of each area and how the prescribed changes could impact your organization:
User Security, Access & Information Protection. Pandemic-driven remote working and the resulting extended security perimeter have driven significant changes to security requirements, including an increase in multi-factor authentication use. The SEC’s recommendations will require organizations to employ updated security technology and vulnerability management capabilities. These include additional controls for data loss prevention and for restricting access to known, registered devices. Many financial organizations have already begun adopting these measures.
Incident Response & Recovery. The SEC’s proposal will require the reporting of threats and other security events (such as a vendor breach or a cyber incident). These requirements are similar to GDPR privacy breach reporting requirements but go further. The SEC will also require an activity paper trail and detailed record-keeping around cybersecurity due diligence. If adopted, the SEC proposal will require advisors and fund owners to publicly disclose cybersecurity risks and incidents that have occurred in the last two fiscal years.
Vulnerability Management & Risk Assessment. According to the SEC, “Advisers and funds of every type and size rely on technology systems and networks and face increasing cybersecurity risks. The rules would therefore require all of these advisers and funds to consider and mitigate cybersecurity risk.” The SEC’s proposal mandates the categorization, documentation, and prioritization of cybersecurity risks based on a comprehensive information systems inventory.
Effective and Flexible — Striking the Appropriate Balance
The proposed rules and amendments seek to deliver short-term effectiveness while acknowledging the need for flexibility as requirements and capabilities evolve. “The balance is achieved in recognition of the speed of technology change,” explains Ian Bowell, EMEA Information Security Manager. “Being too specific or restrictive and referring to a particular technology standard would be like requiring 4G, and not permitting 5G.”
In short, the SEC is working hard to avoid getting tied up in regulations that could quickly become outdated. Changes in cyber threats and the discovery of new vulnerabilities must also be addressed promptly, and even for the most prepared organizations, continuous change will require ongoing improvements and adjustments.
As a leading Managed Service Provider for the alternative investment industry (including hedge funds, private equity, and family offices), Thrive is well-versed in the industry’s demanding cybersecurity requirements. Thrive’s capabilities, existing framework, and certifications (like NIST and ISO 27001) will help simplify and expedite your firm’s adoption and compliance with the new SEC standards.