Imminent: Cybersecurity Regulations For US Financial Services

As the financial services industry awaits the U.S. Securities and Exchange Commission’s (SEC) new cybersecurity regulations, expected later this year, there are still unknowns regarding what firms will be required to do.

But that doesn’t mean alternative investment firms can’t take proactive action now so they won’t be forced to scramble to be compliant during the expected grace period - which could be anywhere from 12 to 24 months. 

As C-suite leaders and IT managers begin to examine their companies’ cyber programs, there are a few proactive measures that can be taken straightaway in line with previous guidance from the SEC that will very likely be included in any new rules.

Interestingly, investors have been asking for much the same things as regulators, so these measures will help immensely, particularly for a firm that is preparing to go through fundraising.

Ongoing, thorough risk assessments should be implemented immediately. User security and access - including a comprehensive onboarding and offboarding checklist, robust policies and strict access permissions - should also be evaluated today.

Firms can test their vulnerability management programs and quickly introduce a formal patch program, network vulnerability scanning and penetration testing.

Companies that are fundraising must be prepared for intense questioning from investors about their cybersecurity practices. Businesses must also dive into their data and information protection and ensure they have comprehensive data loss prevention policies for things such as email systems, which may be at risk of leaking sensitive information like addresses and financial transactions.

Perhaps most importantly, firms must have robust incident response plans in place, particularly if they may be forced to report any breaches within the SEC’s proposed 48-hour window.

This should be a clearly written plan that also incorporates broader business continuity and operational resilience components in case of a breach. This cannot be a document that is simply written in a vacuum and placed on a shelf - it must be reviewed regularly to account for new threat vectors, systems, third parties and more. Prepare for it as you would a pop quiz: if the SEC asks on any given day, how quickly can your business access and share its current and historical plans? This will be key, as the proposed regulations require firms to maintain five years of historical documents and make the most recent two years easily accessible.

Other pieces of the proposed rules are still unclear. For example, the SEC has indicated it wants some form of board oversight, such as an approval process for cybersecurity policies, but details won’t be well-defined until the official requirements are published. It also remains to be seen exactly how much information will be necessary to disclose about past cyber incidents in prospectus and brochure updates - which could present an issue as this type of information could be used against a firm in future attacks if it is publicly available.  

The bottom line: it’s not just a waiting game. If your company begins to evaluate its cyber posture today and takes proactive steps to ensure ongoing risk and vulnerability assessments, it will be a simple matter of fine-tuning once the new rules are published to ensure your firm’s cybersecurity strength and compliance.

Simon Eyre is CISO at Drawbridge
