Imminent: Cybersecurity Regulations For US Financial Services

As the financial services industry awaits the U.S. Securities and Exchange Commission’s (SEC) new cybersecurity regulations expected later this year there are still unknowns regarding what firms will be required to do.

But that doesn’t mean alternative investment firms can’t take proactive action now so they won’t be forced to scramble to be compliant during the expected grace period - which could be anywhere from 12 to 24 months. 

As C-suite leaders and IT managers begin to examine their companies’ cyber programs, there are a few proactive measures that can be taken straightaway in line with previous guidance from the SEC that will very likely be included in any new rules.

Interestingly, investors have been matching regulators in terms of what they are seeking, so particularly if a firm is preparing to go through fundraising, these measures will help immensely. 

Ongoing, thorough risk assessments should be implemented immediately. User security and access - including a comprehensive onboarding and offboarding checklist, robust policies and strict access permissions - should also be evaluated today.

Firms can test their vulnerability management programs and quickly introduce a formal patch program, network vulnerability scanning and penetration testing.

For those companies that are fundraising, they must be prepared for intense questioning around their cybersecurity practices from investors. Businesses must also dive into their data and information protection and ensure they have comprehensive data loss prevention policies for things such as email systems that may be at risk for leaking sensitive information like addresses and financial transactions. 

Perhaps most importantly, firms must have robust incident report plans in place, particularly if they may be forced to report any breaches within the SEC’s proposed 48-hour window.

This should be a clearly written plan that also incorporates broader business continuity and operational resilience components in case of a breach. This cannot be a document that is simply written in a vacuum and placed on a shelf - it must be reviewed regularly to account for new threat vectors, systems, third parties and more. Prepare for it as you would a pop quiz: What if the SEC asks on any given day, how can your business quickly access and share your current and historical plans? This will be key as the proposed regulations require firms to maintain five years of historical documents and make the most immediate two years easily accessible. 

Other pieces of the proposed rules are still unclear. For example, the SEC has indicated it wants some form of board oversight, such as an approval process for cybersecurity policies, but details won’t be well-defined until the official requirements are published. It also remains to be seen exactly how much information will be necessary to disclose about past cyber incidents in prospectus and brochure updates - which could present an issue as this type of information could be used against a firm in future attacks if it is publicly available.  

The bottom line: it’s not just a waiting game. If your company can begin to evaluate your cyber posture today and takes proactive steps to ensure ongoing risk and vulnerability assessments, it will be a simple matter of fine-tuning once the new rules are published to ensure your firm’s cybersecurity strength and compliance. 

Simon Eyre is CISO at Drawbridge

You Might Also Read: 

Cybersecurity: Prepare For The Year Ahead:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« The Cybersecurity Report Threat To Railways
Ransomware: A Security Guide  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Korea Internet & Security Agency (KISA)

Korea Internet & Security Agency (KISA)

KISA is committed to improving the competitiveness, reliability and security of Internet information and knowledge in Korea.

Uniscon

Uniscon

Uniscon is a leading provider of cloud security solutions in Europe.

Cybercrowd

Cybercrowd

Cybercrowd is a cyber security specialist offering technical services, cyber security assessments, guidance and security thought leadership.

Radiflow

Radiflow

Radiflow is a leading provider of cyber security solutions for critical infrastructure networks (i.e. SCADA), such as power utilities, oil & gas, water and others.

ESNC

ESNC

ESNC’s vulnerability management and real-time SAP security monitoring solutions help largest corporations in the world to effectively prioritize SAP security tasks and secure their business.

Secude

Secude

SECUDE is an established global security solutions provider offering innovative data protection for SAP users.

Acorus Networks

Acorus Networks

Acorus Networks provides a Cloud infrastructure service to protect against increasingly sophisticated denial of service attacks.

Fugue

Fugue

Fugue ensures cloud infrastructure stays in continuous compliance with enterprise security policies.

Keynetic Technologies

Keynetic Technologies

Keynetic focuses on developing cybersecurity solutions for Industry 4.0.

OpenZeppelin

OpenZeppelin

OpenZeppelin builds developer tools and performs security audits for distributed systems that power multimillion-dollar economies.

David Hayes-Export Controls

David Hayes-Export Controls

David Hayes-Export Controls provides assistance to companies affected by export controls or who are considering entering the market but are unsure of the commercial and regulatory implications.

Quintillion Consulting

Quintillion Consulting

Quintillion Consulting is a strategic risk based consulting firm. We help companies safeguard the core business and IT capabilities that deliver competitive advantage.

Global Resources

Global Resources

Global Resources' planning and management capabilities support city, regional, and national utility and infrastructure management, and information systems and cyber security service delivery.

South West Cyber Resilience Centre (SWCRC)

South West Cyber Resilience Centre (SWCRC)

The South West Cyber Resilience Centre (SWCRC) is led by serving police officers, as part of a not-for-profit partnership with business and academia.

Ransom Recovery

Ransom Recovery

Ransom Recovery provide a complete one-stop ransomware recovery, cyber attack prevention and consultancy service to a diverse range of customers worldwide.

xdr.global

xdr.global

Xdr.global is a cybersecurity consulting firm, focused on promoting and aligning Extended Detection and Response (XDR) security solutions.