As firms adopt a work-from-anywhere model, security continues to be top-of-mind. We’ve previously talked about how business communications can’t go unsupervised in a hybrid or remote setting, but the same goes for cybersecurity practices.
Many home offices are not equipped with the same defenses as an office network, and firms continue to implement new technologies to help their increasingly widespread workforce collaborate more effectively. But with new technologies comes a greater opportunity for cyber incidents that can cause reputational and financial damage — particularly for companies in the financial services industry.
Watch the full webinar: Why Cyber & Hybrid Work Can’t Go Unsupervised.
- Regulators are emphasizing cybersecurity — even if rules lack nuance
In its recent Cybersecurity Conference, FINRA shared how its Cybersecurity Specialist Team has been handling an increasing number of cyber incidents. In 2019, there were approximately 20 attacks, while 2021 saw 200. That’s a 900% increase in attacks in just two years — possibly due to the following:
- Increased trading volume
- Increased number of imposter websites
- More ransomware infections
- Greater number of customer and firm account takeovers
- More digital currency/asset fraud schemes
This year, the SEC proposed cybersecurity risk rules for registered investment advisers and registered investment companies. The rules were prescriptive, detailed, and included disclosures that need to be made on SEC registration forms (e.g., Form ADV, Registration Statement) as well as additional governance requirements. This suggests that securities regulators are cyber-ready and cyber-focused — perhaps to an extreme.
In a dissenting opinion, SEC Commissioner Hester Peirce writes: “We have an important role to play in ensuring that investors get the information they need to understand issuers’ cybersecurity risks if they are material. This proposal, however, flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us.”
“Some argued that these rules were perhaps overly prescriptive,” notes Melissa MacGregor, AGC and Managing Director from SIFMA. “The rules seemed to take a more one-size-fits-all approach. Form ADV amendments are challenging for firms, and obviously there’s always risk there, so we don’t necessarily think that the commission is perhaps the best body for collecting cyber incident disclosures.”
Further, public companies would have to report material cybersecurity incidents no later than four business days after they occur. Completing these disclosures may take focus away from mitigating the actual incident that’s occurring.
While investors must comply with various rules that may have implications for their cybersecurity practices (e.g., books-and-records, compliance), the proposal builds upon those requirements by requiring:
- Investment advisers and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks and incidents
- Related recordkeeping obligations for advisers and funds
- Confidential reporting to the Commission by investment advisers if the adviser (or a fund they advise) is subject to certain cybersecurity incidents
- Disclosure by advisers on brochures and registered funds on registration statements regarding certain cybersecurity incidents
“But overall, the securities industry is very cyber ready,” says MacGregor. “We conduct tests. We certainly have had rules in place for a very long time that apply, since Gramm-Leach-Bliley was adopted. So, this is not a new area for us.”
- Vendor cybersecurity
Having cybersecurity oversight is not just about securing remote employee devices. It’s also recognizing third-party access to sensitive data. More than ever, firms are turning to partner vendors or third-party applications to maximize the value of their data. However, having more access points means more cyber risks.
Third-party risk management is an important part of a firm’s larger cybersecurity strategy. As firms add more vendors, they need to consider:
- How does the vendor approach cybersecurity?
- Does the vendor have risk remediation strategies?
- Does the vendor have an existing risk management process?
Firms need to have standards and systems in place to manage third-party security risks. New risks are always emerging, so it’s important to regularly assess vendors to ensure they’re evolving their controls over time.
- Where do we go from here?
Firms can’t sit around and wait for clarity from regulators. Fortunately, cybersecurity best practices are tried and true in keeping sensitive data from falling into the wrong hands. When properly implemented into written supervisory procedures, firms can minimize cybersecurity risks whether their workforce goes completely remote, hybrid or returns to the office.
Watch the full webinar on BrightTALK.
Smarsh® is the recognized global leader in electronic communications archiving solutions for regulated organizations. Smarsh provides innovative capture, archiving, e-discovery, and supervision solutions across the industry’s widest breadth of communication channels.
Scalable for organizations of all sizes, the Smarsh platform provides customers with compliance built on confidence. It enables them to strategically future-proof as new communication channels are adopted, and to realize more insight and value from the data in their archive. Customers strengthen their compliance and e-discovery initiatives and benefit from the productive use of email, social media, mobile/text messaging, instant messaging and collaboration, web, and voice channels.
Smarsh serves a global client base that spans the top banks in North America and Europe, along with leading brokerage firms, insurers, and registered investment advisors. Smarsh also enables state and local government agencies to meet their public records and e-discovery requirements. For more information, visit www.smarsh.com.
LS Consultancy offer a complete solution with a range of cost effective, regulatory compliance and marketing products and solutions including copy advice and copy development which are uniquely suited to supporting firms.
Why Not Download our FREE Brochures! Click here.
Call Us Today on 020 8087 2377 or send us an email.
You can see our Google reviews here.
We’re looking for guest writers with business know-how and experience to create outstanding articles to feature on our website. Sound like you? Then find out more…