Imminent: Cybersecurity Regulations For US Financial Services

Uploaded on 2023-03-31 in GOVERNMENT-National, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-Financial

As the financial services industry awaits the U.S. Securities and Exchange Commission’s (SEC) new cybersecurity regulations expected later this year there are still unknowns regarding what firms will be required to do.

But that doesn’t mean alternative investment firms can’t take proactive action now so they won’t be forced to scramble to be compliant during the expected grace period - which could be anywhere from 12 to 24 months. 

As C-suite leaders and IT managers begin to examine their companies’ cyber programs, there are a few proactive measures that can be taken straightaway in line with previous guidance from the SEC that will very likely be included in any new rules.

Interestingly, investors have been matching regulators in terms of what they are seeking, so particularly if a firm is preparing to go through fundraising, these measures will help immensely. 

Ongoing, thorough risk assessments should be implemented immediately. User security and access - including a comprehensive onboarding and offboarding checklist, robust policies and strict access permissions - should also be evaluated today.

Firms can test their vulnerability management programs and quickly introduce a formal patch program, network vulnerability scanning and penetration testing.

For those companies that are fundraising, they must be prepared for intense questioning around their cybersecurity practices from investors. Businesses must also dive into their data and information protection and ensure they have comprehensive data loss prevention policies for things such as email systems that may be at risk for leaking sensitive information like addresses and financial transactions. 

Perhaps most importantly, firms must have robust incident report plans in place, particularly if they may be forced to report any breaches within the SEC’s proposed 48-hour window.

This should be a clearly written plan that also incorporates broader business continuity and operational resilience components in case of a breach. This cannot be a document that is simply written in a vacuum and placed on a shelf - it must be reviewed regularly to account for new threat vectors, systems, third parties and more. Prepare for it as you would a pop quiz: What if the SEC asks on any given day, how can your business quickly access and share your current and historical plans? This will be key as the proposed regulations require firms to maintain five years of historical documents and make the most immediate two years easily accessible. 

Other pieces of the proposed rules are still unclear. For example, the SEC has indicated it wants some form of board oversight, such as an approval process for cybersecurity policies, but details won’t be well-defined until the official requirements are published. It also remains to be seen exactly how much information will be necessary to disclose about past cyber incidents in prospectus and brochure updates - which could present an issue as this type of information could be used against a firm in future attacks if it is publicly available.  

The bottom line: it’s not just a waiting game. If your company can begin to evaluate your cyber posture today and takes proactive steps to ensure ongoing risk and vulnerability assessments, it will be a simple matter of fine-tuning once the new rules are published to ensure your firm’s cybersecurity strength and compliance. 

Simon Eyre is CISO at Drawbridge

You Might Also Read: 

Cybersecurity: Prepare For The Year Ahead:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« The Cybersecurity Threat To Railways
Ransomware: A Security Guide  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Synovum

Synovum

Synovum was formed with the intention to provide high quality advice, consultancy, training and project management services to clients in all sectors of industry.

Cynet

Cynet

Cynet simplifies security by providing a rapidly deployed, comprehensive platform for detection, prevention and automated response to advanced threats with near-zero false positives.

Zayo

Zayo

Zayo is a leading global bandwidth infrastructure services provider for high-performance connectivity, secure colocation and flexible cloud services.

Cyber Security Capital (CS^)

Cyber Security Capital (CS^)

Cyber Security Capital is a consultancy helping to mobilise and empower individuals, corporate leaders and entrepreneurs in cyber security.

ThirdWatch

ThirdWatch

ThirdWatch is a Data Science company with real-time automated fraud prevention solutions.

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) undertakes cyber security research and plays a leading role in securing Pakistan’s Cyberspace.

BTblock

BTblock

Blockchain and cybersecurity is a vital combination for Enterprise success. BTblock is a Force Multiplier for its clients.

CyGlass

CyGlass

CyGlass simply and effectively identifies, detects, and responds to threats to your network without requiring any additional hardware, software, or people.

Auvik Networks

Auvik Networks

Auvik is easy-to-use cloud-based networking management and monitoring software - true network visibility and control without the hassle.

Eureka Security

Eureka Security

Eureka help organizations securely use any cloud data storage technology they need without having to compromise on security.

Alpha Mountain AI (alphaMountain)

Alpha Mountain AI (alphaMountain)

alphaMountain provides up-to-date domain and IP intelligence for cybersecurity investigational and protection platforms.

NXM Labs

NXM Labs

NXM is a leader in a leader in advanced cybersecurity software for connected devices.

Socura

Socura

Socura helps make the digital world a safer place; changing the way organisations think about cyber security through a dynamic, innovative, and human approach.

Stacklok

Stacklok

Stacklok are an Open Source first security company enabling safe Open Source Software consumption.

Highen Fintech

Highen Fintech

Highen is a blockchain software development company with offices in the United States and development centers in India.

VAST Data

VAST Data

The VAST Data Platform delivers scalable performance, radically simple data management and enhanced productivity for the AI-powered world.