Imminent: Cybersecurity Regulations For US Financial Services

As the financial services industry awaits the U.S. Securities and Exchange Commission’s (SEC) new cybersecurity regulations expected later this year there are still unknowns regarding what firms will be required to do.

But that doesn’t mean alternative investment firms can’t take proactive action now so they won’t be forced to scramble to be compliant during the expected grace period - which could be anywhere from 12 to 24 months. 

As C-suite leaders and IT managers begin to examine their companies’ cyber programs, there are a few proactive measures that can be taken straightaway in line with previous guidance from the SEC that will very likely be included in any new rules.

Interestingly, investors have been matching regulators in terms of what they are seeking, so particularly if a firm is preparing to go through fundraising, these measures will help immensely. 

Ongoing, thorough risk assessments should be implemented immediately. User security and access - including a comprehensive onboarding and offboarding checklist, robust policies and strict access permissions - should also be evaluated today.

Firms can test their vulnerability management programs and quickly introduce a formal patch program, network vulnerability scanning and penetration testing.

For those companies that are fundraising, they must be prepared for intense questioning around their cybersecurity practices from investors. Businesses must also dive into their data and information protection and ensure they have comprehensive data loss prevention policies for things such as email systems that may be at risk for leaking sensitive information like addresses and financial transactions. 

Perhaps most importantly, firms must have robust incident report plans in place, particularly if they may be forced to report any breaches within the SEC’s proposed 48-hour window.

This should be a clearly written plan that also incorporates broader business continuity and operational resilience components in case of a breach. This cannot be a document that is simply written in a vacuum and placed on a shelf - it must be reviewed regularly to account for new threat vectors, systems, third parties and more. Prepare for it as you would a pop quiz: What if the SEC asks on any given day, how can your business quickly access and share your current and historical plans? This will be key as the proposed regulations require firms to maintain five years of historical documents and make the most immediate two years easily accessible. 

Other pieces of the proposed rules are still unclear. For example, the SEC has indicated it wants some form of board oversight, such as an approval process for cybersecurity policies, but details won’t be well-defined until the official requirements are published. It also remains to be seen exactly how much information will be necessary to disclose about past cyber incidents in prospectus and brochure updates - which could present an issue as this type of information could be used against a firm in future attacks if it is publicly available.  

The bottom line: it’s not just a waiting game. If your company can begin to evaluate your cyber posture today and takes proactive steps to ensure ongoing risk and vulnerability assessments, it will be a simple matter of fine-tuning once the new rules are published to ensure your firm’s cybersecurity strength and compliance. 

Simon Eyre is CISO at Drawbridge

You Might Also Read: 

Cybersecurity: Prepare For The Year Ahead:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« The Cybersecurity Threat To Railways
Ransomware: A Security Guide  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

360Logica

360Logica

360Logica is a software testing company offering numerous kinds of testing services to improve the quality and performance of your software and IT systems.

KZ-CERT

KZ-CERT

KZ-CERT is the national Computer Emergency Response Team for Kazakhstan.

Wolfpack Information Risk

Wolfpack Information Risk

Wolfpack specialise in information and cyber threat management covering the full spectrum of prevention, detection, incident response and business resilience capabilities.

Secude

Secude

SECUDE is an established global security solutions provider offering innovative data protection for SAP users.

Agesic

Agesic

Agesic is an institution that leads the development of the Digital Government and the Information and Knowledge Society in Uruguay.

Carbonite

Carbonite

Carbonite offers all the tools necessary for protecting data from the most common forms of data loss, including ransomware, accidental deletions, hardware failures and natural disasters.

CyCognito

CyCognito

CyCognito empowers companies to take full control over their attack surface by uncovering and eliminating the critical security risks they didn't even know existed.

SecuLetter

SecuLetter

SecuLetter is able to detect unknown attacks with hybrid approaches, static and dynamic analysis.

Lewis Brisbois

Lewis Brisbois

Lewis Brisbois offers legal practice in more than 40 specialties, and a multitude of sub-specialties including Data Privacy & Cybersecurity.

KDM Analytics

KDM Analytics

KDM Analytics software products automate the NIST risk management framework (RMF) assessment for operational technology (OT) systems.

IT Band Systems

IT Band Systems

IT Band Systems is an international provider of IT products and services including web server monitoring and web security consulting.

Cheops Technology

Cheops Technology

Cheops is a specialist in IT Business Technology Services. We help SMEs and large companies build, optimize and manage their IT so they can focus on their core business.

du

du

du is a telecommunications service provider providing UAE businesses with a vast range of ICT and managed services.

Vancord

Vancord

Vancord is an information and security technology company that works in collaboration with clients to support their infrastructure and data security needs for today and tomorrow.

Qevlar AI

Qevlar AI

Qevlar AI empowers SOC teams, to eliminate redundant tasks and refocus on what truly matters - making the most of every employee within the SecOps team.

Deepware

Deepware

Deepware is an emerging AI research company dedicated to exploring the potential of GenAI in both generation and detection.