Imminent: Cybersecurity Regulations For US Financial Services

As the financial services industry awaits the U.S. Securities and Exchange Commission’s (SEC) new cybersecurity regulations expected later this year there are still unknowns regarding what firms will be required to do.

But that doesn’t mean alternative investment firms can’t take proactive action now so they won’t be forced to scramble to be compliant during the expected grace period - which could be anywhere from 12 to 24 months. 

As C-suite leaders and IT managers begin to examine their companies’ cyber programs, there are a few proactive measures that can be taken straightaway in line with previous guidance from the SEC that will very likely be included in any new rules.

Interestingly, investors have been matching regulators in terms of what they are seeking, so particularly if a firm is preparing to go through fundraising, these measures will help immensely. 

Ongoing, thorough risk assessments should be implemented immediately. User security and access - including a comprehensive onboarding and offboarding checklist, robust policies and strict access permissions - should also be evaluated today.

Firms can test their vulnerability management programs and quickly introduce a formal patch program, network vulnerability scanning and penetration testing.

For those companies that are fundraising, they must be prepared for intense questioning around their cybersecurity practices from investors. Businesses must also dive into their data and information protection and ensure they have comprehensive data loss prevention policies for things such as email systems that may be at risk for leaking sensitive information like addresses and financial transactions. 

Perhaps most importantly, firms must have robust incident report plans in place, particularly if they may be forced to report any breaches within the SEC’s proposed 48-hour window.

This should be a clearly written plan that also incorporates broader business continuity and operational resilience components in case of a breach. This cannot be a document that is simply written in a vacuum and placed on a shelf - it must be reviewed regularly to account for new threat vectors, systems, third parties and more. Prepare for it as you would a pop quiz: What if the SEC asks on any given day, how can your business quickly access and share your current and historical plans? This will be key as the proposed regulations require firms to maintain five years of historical documents and make the most immediate two years easily accessible. 

Other pieces of the proposed rules are still unclear. For example, the SEC has indicated it wants some form of board oversight, such as an approval process for cybersecurity policies, but details won’t be well-defined until the official requirements are published. It also remains to be seen exactly how much information will be necessary to disclose about past cyber incidents in prospectus and brochure updates - which could present an issue as this type of information could be used against a firm in future attacks if it is publicly available.  

The bottom line: it’s not just a waiting game. If your company can begin to evaluate your cyber posture today and takes proactive steps to ensure ongoing risk and vulnerability assessments, it will be a simple matter of fine-tuning once the new rules are published to ensure your firm’s cybersecurity strength and compliance. 

Simon Eyre is CISO at Drawbridge

You Might Also Read: 

Cybersecurity: Prepare For The Year Ahead:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« The Cybersecurity Threat To Railways
Ransomware: A Security Guide  »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Digital Shadows

Digital Shadows

Digital Shadows is a cyber threat intelligence company that helps clients discover sensitive data exposed through social media, cloud services and mobile devices

A-SIT Secure Information Technology Center

A-SIT Secure Information Technology Center

A-SIT was founded in 1999 as a registered nonprofit association and is established as a competence center for IT-Security.

IT Security House

IT Security House

IT Security House is a leading European supplier of Cyber Security Intelligence and eCrime services.

Foresite

Foresite

Foresite is a global service provider, delivering a range of managed security and consulting solutions.

RevenueStream

RevenueStream

RevenueStream uses an innovative algorithmic approach to intercept and prevent payment fraud before it even happens.

NAVEX Global

NAVEX Global

NAVEX Global’s compliance management system consolidates your entire GRC program onto a scalable cloud-based platform.

Eseye

Eseye

Eseye is a global specialist supplier of cellular internet connectivity for intelligent IoT (Internet of Things) devices.

Neurosoft

Neurosoft

Neursoft is a fully integrated ICT company with Software Development, System Integration and Information Technology Security capabilities.

National Initiative for Cybersecurity Education (NICE) - USA

National Initiative for Cybersecurity Education (NICE) - USA

NICE is a partnership between government, academia, and the private sector focused on cybersecurity education, training, and workforce development.

Dice

Dice

Dice is a leading recruitment platform, helping technology professionals manage their careers and employers connect with highly skilled tech talent in specialist areas including cybersecurity.

Hassans International Law Firm

Hassans International Law Firm

Hassans is the largest law firm in Gibraltar, providing a full range of legal services across corporate and commercial law including Data Protection and GDPR compliance.

Toothpic

Toothpic

ToothPic has invented, designed, developed and patented a solution to enable companies to turn every smartphone into a secure key for a user-friendly online authentication.

IN4 Group

IN4 Group

IN4 Group is a skills, innovation and start-up services provider that specialises in supporting businesses with the training, communities, networks and advice they need to scale.

Rimstorm

Rimstorm

Rimstorm’s mission is to significantly improve the security of your data using award-winning, state-of-the-art technology combined with cyber managed security services.

Bright Data

Bright Data

Bright Data Inc is the world’s #1 web data platform, enabling organizations to research, monitor, analyze data, and make better decisions.

IONOS

IONOS

IONOS is a leading provider of cloud infrastructure, cloud services, and hosting with more than 8.5 million customers contracts.