Why Cybersecurity Can’t Go Unsupervised
As firms adopt a work-from-anywhere model, security continues to be top-of-mind. We've previously talked about how business communications can’t go unsupervised in a hybrid or remote setting, but the same goes for cybersecurity practices.
Many home offices are not equipped with the same defenses as an office network, and firms continue to implement new technologies to help their increasingly widespread workforce collaborate more effectively. But with new technologies comes a greater opportunity for cyber incidents that can cause reputational and financial damage — particularly for companies in the financial services industry.
Watch the full webinar: Why Cyber & Hybrid Work Can’t Go Unsupervised.
Regulators are emphasizing cybersecurity — even if rules lack nuance
In its recent Cybersecurity Conference, FINRA shared how its Cybersecurity Specialist Team has been handling an increasing number of cyber incidents. In 2019, there were approximately 20 attacks, while 2021 saw 200. That's a 900% increase in attacks in just two years — possibly due to the following:
- Increased trading volume
- Increased number of imposter websites
- More ransomware infections
- Greater number of customer and firm account takeovers
- More digital currency/asset fraud schemes
This year, the SEC proposed cybersecurity risk rules for registered investment advisers and registered investment companies. The rules were prescriptive, detailed, and included disclosures that need to be made on SEC registration forms (e.g., Form ADV, Registration Statement) as well as additional governance requirements. This suggests that securities regulators are cyber-ready and cyber-focused — perhaps to an extreme.
In a dissenting opinion, SEC Commissioner Hester Peirce writes:
"We have an important role to play in ensuring that investors get the information they need to understand issuers' cybersecurity risks if they are material. This proposal, however, flirts with casting us as the nation’s cybersecurity command center, a role Congress did not give us."
"Some argued that these rules were perhaps overly prescriptive," notes Melissa MacGregor, AGC and Managing Director from SIFMA. "The rules seemed to take a more one-size-fits-all approach. Form ADV amendments are challenging for firms, and obviously there's always risk there, so we don't necessarily think that the commission is perhaps the best body for collecting cyber incident disclosures."
Further, public companies would have to report material cybersecurity incidents no later than four business days after they occur. Completing these disclosures may take focus away from mitigating the actual incident that's occurring.
While investors must comply with various rules that may have implications for their cybersecurity practices (e.g., books-and-records, compliance), the proposal builds upon those requirements by requiring:
- Investment advisers and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks and incidents
- Related recordkeeping obligations for advisers and funds
- Confidential reporting to the Commission by investment advisers if the adviser (or a fund they advise) is subject to certain cybersecurity incidents
- Disclosure by advisers on brochures and registered funds on registration statements regarding certain cybersecurity incidents
"But overall, the securities industry is very cyber ready," says MacGregor. "We conduct tests. We certainly have had rules in place for a very long time that apply, since Gramm-Leach-Bliley was adopted. So, this is not a new area for us."
Having cybersecurity oversight is not just about securing remote employee devices. It also means recognizing third-party access to sensitive data. More than ever, firms are turning to partner vendors or third-party applications to maximize the value of their data. However, more access points mean more cyber risk.
Third-party risk management is an important part of a firm’s larger cybersecurity strategy. As firms add more vendors, they need to consider:
- How does the vendor approach cybersecurity?
- Does the vendor have risk remediation strategies?
- Does the vendor have an existing risk management process?
Firms need to have standards and systems in place to manage third-party security risks. New risks are always emerging, so it's important to regularly assess vendors to ensure they're evolving their controls over time.
Where do we go from here?
Firms can't sit around and wait for clarity from regulators. Fortunately, cybersecurity best practices are tried and true in keeping sensitive data from falling into the wrong hands. When those practices are written into supervisory procedures and properly implemented, firms can minimize cybersecurity risk whether their workforce goes completely remote, goes hybrid, or returns to the office.