As cyberattacks on financial and securities firms grow more sophisticated, many organizations and their clients are unprepared for these evolving threats. Their vulnerabilities have implications for the entire industry. “Tight financial and technological interconnections within the financial sector can facilitate the quick spread of attacks through the entire system, potentially causing widespread disruption and loss of confidence,” the International Monetary Fund reports.
In February 2022, the U.S. Securities and Exchange Commission (SEC) proposed cybersecurity risk management rules that would impose significant new reporting and transparency requirements on U.S. hedge funds and other securities firms to protect against these events. In March 2023, the SEC built on that 2022 proposal with additional proposals featuring new rules for customer transparency, regulatory reporting, and maturity in terms of cybersecurity capabilities.
As of early June 2023, these rules are only proposals. But regardless of their outcome, “they represent a revolutionary shift in how the SEC will conduct due diligence in the future,” as Cyber Defense Magazine describes. Hedge funds, securities firms, and other financial institutions must prepare now to ensure they are compliant with any new regulations. Most critically, they must ensure their security capabilities are mature enough to face down increasingly complex threats.
In this article, we provide guidance on how firms can adapt to emerging SEC cybersecurity rules and create best practices with future regulations in mind. We share insights into the threat landscape and opportunities for building cybersecurity maturity and compliance as well. Finally, we outline six steps business leaders can take to ensure their firms’ ongoing success in these areas, including the use of managed extended detection and response (MXDR) services.
Defining the SEC’s Cybersecurity Changes and Proposals
The proposed regulatory changes are available to the public on the SEC website. They are a direct response to new threats and the need for a broad, industry-wide approach to defeating them. In addition to “[addressing] concerns about advisers’ and funds’ cybersecurity preparedness and [reducing] cybersecurity-related risks to clients and investors,” they would “enhance the Commission’s ability to assess systemic risks and its oversight of advisers and funds,” the SEC shared in a March 2023 fact sheet.
Specifically, the changes require firms to prioritize transformation in three areas:
- Transparency: firms must be open with their customers about both real and potential incidents; they must provide detailed reports to the SEC as well.
- Accuracy: firms must maintain accurate records, classifications, and backups of sensitive data and records.
- Maturity: firms must implement cybersecurity capabilities that protect against newer threats; they must consider their responsibility to the broader industry, lest their shortcomings result in damages to other entities.
The most notable change in the SEC’s proposed requirements is that firms must notify affected customers no later than 30 days after becoming aware that customer information was, or is reasonably likely to have been, accessed or used without authorization. They must have written procedures for carrying out this notification as well. This transparency alone demands greater cybersecurity maturity and data accuracy within firms, which otherwise could lose the trust of their customers.
The proposed 2023 changes also require firms to evolve with the threat landscape. They establish requirements for annual reviews and improvements to cybersecurity capabilities. Every year, each firm must “review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review,” according to a March 2023 SEC press release. Even though such a review is in a firm’s own interest, it places an added burden on financial firms that often lack sufficient internal cybersecurity resources.
6 Ways Financial Firms Can Adapt to Upcoming SEC Rules
Regardless of how these proposals turn out, the SEC’s push is a wake-up call for financial firms that are often one breach away from disaster, both for themselves and for their customers. The following six steps provide firms with a roadmap to adapt to the SEC’s 2023 proposals. Consider these opportunities as you develop your own cybersecurity program and best practices, and as you explore new cybersecurity capabilities and partnerships.
1. Establish Oversight of Cybersecurity Risks and Capabilities
CEOs, CISOs, and other business and security leaders must create and implement an oversight system that includes measures for security monitoring, risk assessment, incident response, and other critical areas. Establishing clear roles and responsibilities to cover these areas will help ensure the firm remains compliant with the proposed SEC regulations.
Business leaders should consider forming an interdepartmental committee to coordinate security priorities among their teams and study their impact on the organization. In addition to other department leaders, the committee should include members from the IT, risk management, and legal departments to ensure visibility into all areas of a firm’s cybersecurity landscape. The committee should routinely report its findings to the board with recommendations on how to proceed in terms of actions required under SEC regulations and proposals.
2. Conduct an In-Depth Risk Assessment
With the support of internal cybersecurity experts, consultants, or both, firms should conduct an in-depth risk assessment that identifies their current risks and weaknesses. The assessment should evaluate all areas of the organization’s cybersecurity posture, including current processes, policies, technologies, and personnel. It should also factor in the firm’s risk appetite, business goals, and associated security needs over time.
The risk assessment will provide an up-to-date picture of security capabilities and inform decisions on where to invest in improvements. With this in mind, cybersecurity professionals may wish to “put new programs in place to deepen board members’ understanding of cybersecurity and, conversely, cybersecurity practitioners’ understanding of core business concepts,” as Security Info Watch recommends. The assessment’s results can serve as a foundation and help guide future security investments.
3. Adapt Recordkeeping to Meet New SEC requirements
If approved, the 2023 SEC proposals would amend the Commission’s existing recordkeeping requirements for advisers. In addition to the “requirements for maintaining, making, and retaining books and records relating to [firms’] investment advisory business,” the SEC would require that each firm “maintain copies of its cybersecurity policies and procedures and other related records specified under the proposed rule,” according to the fact sheet.
To adapt, business leaders and their committees can assess current recordkeeping systems for security and accuracy, then determine whether any changes are necessary to meet the SEC’s requirements. In addition, they must review existing policies on data retention and develop new procedures for ongoing maintenance of records. They can enforce appropriate recordkeeping and remediate gaps as part of the committee’s regular reviews.
4. Create Protocols for Faster, Better Incident Reporting
Under the proposals, firms would report to both their customers and the SEC any time a material or reasonably likely cyber incident occurs, even if individual customers’ data were not immediately impacted. For the SEC, the reports help create a broader picture of the threat landscape facing financial firms, enabling a more robust response industrywide. Incident reports for customers and shareholders ensure firms’ cybersecurity activities are above board and protect the interests of those entrusting them with their assets.
Business leaders and their committees can begin by developing a playbook of best practices for incident response, which should include policies and procedures for:
- establishing alert systems for new threats
- notifying customers and shareholders in a timely manner
- conducting timely compliance reviews
- testing all security measures regularly
They may also consider setting up an incident response team to immediately respond to any threat. This team should include a leader with cybersecurity expertise as well as representatives from IT, legal, and other departments to coordinate their response.
5. Invest in Leading Security Partnerships and Technologies
Financial firms must invest in current technology solutions to protect themselves against emerging threats and stay compliant with SEC regulations. As part of their risk assessment, firms can identify weak points or gaps in their systems, such as outdated or unsupported hardware and software, and develop a plan for upgrades and investments.
To begin, each firm should conduct a detailed review of its security stack to ensure it meets its privacy, compliance, and data protection requirements. This includes evaluating controls such as encryption, identity and access management, and logging and monitoring. Firms must also configure all systems with appropriate access controls and monitor them for suspicious activity. These steps may be challenging without expert guidance and ongoing support.
6. Create a Strong Cybersecurity Program with MXDR Services
Financial firms can strengthen their security posture even further with managed extended detection and response (MXDR) services. MXDR goes beyond traditional protection solutions, offering a comprehensive managed security service that continuously monitors for potential threats.
This includes real-time threat detection that leverages multiple integrated technologies, such as machine learning algorithms and artificial intelligence (AI), to identify suspicious behavior and help quickly respond to incidents. In addition, advanced incident response capabilities allow organizations to quickly investigate any detected threats and take action to contain them before major damage is done.
Choose a Partner That Puts Your Security and Compliance First
Adapting to new regulations takes time. The most difficult aspects are keeping up with new requirements through regular reporting, reviews, improvements, and training. Partnering with a trusted, experienced security provider can help you quickly build out the infrastructure and processes necessary for lasting compliance.
Start Your Journey with Option One Technologies
The cybersecurity team at Option One Technologies specializes in data security and compliance within the financial services sector. In addition to providing specialized protection for your critical data and infrastructure, the experts at Option One provide exceptional cloud and network security, penetration testing, and security awareness and training services to hedge funds, asset managers, and other financial institutions.