Smarsh Advance Recap: Cyber Compliance for Wealth Management — Who Owns It?
In this article series, we relive some of the most insightful Smarsh Advance 2022 conversations about the evolving compliance, communication and technological landscapes affecting regulated industries.
Listen to the article:
As regulatory scrutiny evolves from cybersecurity to cyber compliance, firms need to enhance their cybersecurity posture and integrate cyber compliance processes and procedures to help mitigate risks.
The stakes are even higher for firms engaging third-party vendors. In our Smarsh Advance Session, Cyber Compliance for Wealth Management: Who Owns It?, we explore how traditional compliance and IT departments must share compliance responsibilities.
Cyber compliance for a remote workforce
One of the most significant contributing factors to the increase in cybersecurity risk has been the recent move from in-office to home-office work. Offices tend to have robust infrastructure and controls in place, but that hasn’t translated into the home office environment.
Firms must ensure their cybersecurity programs have caught up to the new remote work environment. This includes the challenges of understanding the most vulnerable data and how to protect it. Resources should be prioritized for the gaps and vulnerabilities that have the most potential impacts to the firm.
Bridging the gap
As cybersecurity regulation has grown over the last several years, so has the need for a dedicated CTO or CIO who can work with compliance teams to maintain cybersecurity in a regulated industry.
Cyber compliance at smaller firms is typically a shared role between the compliance and IT departments. Educating senior management on the potential fallout a cybersecurity breach may have on a firm, including regulatory fines, reputation risk, and the firm’s ability to attract talent, is vital.
Taking a proactive approach to cybersecurity and cyber compliance can help mitigate the risk of a breach, reduce regulatory risk, and potentially save the company money in the long term.
Identifying vendors that can assist with cybersecurity and cyber compliance is important in the current regulatory environment. It shows management where the enforcement actions are coming from and how vendors can bridge that gap and help us manage risks.
“The owners of my firm aren't cyber people — that's not their specialty. They're running a firm,” says Steven Trigili, Chief Compliance Officer at Garden State Securities. “I break it down to the most elementary levels. Here are the areas that the regulators are looking for. Here's where we see enforcement actions from a cybersecurity perspective. And here's the three vendors that will specifically be able to help us in this regard.”
Vendor due diligence
However, vendor risk management is lacking regarding cybersecurity. When conducting vendor due diligence, firms must understand how the technology will work and how it is designed to help protect customers and the business.
“Not only do firms need to include questions regarding data protection in their initial due diligence efforts, but also to re-evaluate the vendor at least annually as the cybersecurity landscape is constantly evolving,” says Sander Ressler, Managing Director at Essential Edge Compliance Outsourcing Services, LLC.
"They may be protecting you well today. But two years from now, their cybersecurity could be obsolete and much more vulnerable."
Impacts of the SEC’s proposed cybersecurity risk management rule
Trigili stated that one of his firm’s top concerns is preparing for the SEC’s cybersecurity risk management rule next year. He emphasized going beyond what is reasonable to protect customers’ confidential personal information by building more robust procedures.
It’s crucial that IT and compliance teams can work together when translating cybersecurity into cyber compliance, especially with speaking to regulators.
“My CTO will never be in a room alone with a regulator,” says Trigili. “I will always be there with him, and it's going to be a dialogue with both of us. While he can speak the cybersecurity vernacular, I will then translate that for the regulators into how it's incorporated into our compliance program.”
Share this post!
Tiffany Magri
Latest posts by Tiffany Magri (see all)
- From Hypothetical Performance to Real Consequences: SEC’s Message to Advisers - April 15, 2024
- Navigating the SEC’s Expanded Dealer Definition - March 6, 2024
- Digital Communication Preservation: Highlights of the DOJ and FTC’s Imperative Guidance - February 27, 2024
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.
Watch it Work
Contact Us
Chat
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.
FOLLOW US