Cyberattacks against financial services companies are on the rise. In 2021, the Financial Services Information Sharing and Analysis Center (FS-ISAC) raised the cyber threat level for U.S. financial institutions from “guarded” to “elevated” three times (it typically happens just once). With global tensions continuing to rise, cyber threats and sophistication of attacks are expected to worsen.
In the face of the current cyber threat landscape, the Securities and Exchange Commission (SEC) is doubling down on efforts to improve cyber resilience among SEC-registered investment advisers and funds. In February 2022, the commission voted to propose new cybersecurity rules that require the investment sector to enhance cyber preparedness and report any significant incidents to the SEC within 48 hours. However, in March 2022, the commission voted to extend the reporting requirement to four days. The rules will likely take effect later this year.
If your company services organizations in this sector, because of the breadth of the proposed SEC rules changes, you have a critical role to play and must expertly direct and support your clients in updating their cybersecurity practices. Let’s look at critical areas where they will need your expertise.
Understand your clients’ current cyber hygiene
To best support your clients’ adaptations to the incoming SEC requirements, you must first understand the state of their current cyber hygiene. As an MSP you must work directly with clients to identify digital assets throughout their ecosystem, how they’re managed, and most importantly, how they’re secured.
Determine whether your client has written policies and procedures in place for responding to vulnerabilities or potential cyber incidents. As an MSP, you likely have teams dedicated to monitoring operations and responding to cyber incidents when they strike your clients. You should look to offer advice on best practices for auditing compromised assets and responding to vulnerabilities as they arise to help your clients best position themselves for recovery.
Help your clients adopt a layered approach to cyber resilience
A key requirement of the SEC proposal is that advisers and funds adopt and implement additional cybersecurity policies and procedures that include risk assessments and controls to detect, mitigate, and remediate threats and vulnerabilities.
These measures are key pillars of basic cybersecurity hygiene, yet vulnerability management remains one of the biggest challenges for IT. As companies continue to shift operations to the cloud, across geographies, and remote locations, identifying hidden risks across this ever-expanding digital ecosystem becomes more challenging.
With the additional SEC transparency requirements, it’s imperative your company offers the right balance of managed services that guide proactive threat detection and resolution. You’ll want to identify every data and digital asset in your clients’ ecosystems and determine how they are secured and managed. You should also recommend that your clients’ cybersecurity strategies include vulnerability management, assessment, and remediation services (including ongoing patching, configuration management, firewalls, and antivirus) – on-premises, in the cloud, and across remote endpoints.
Depending on your clients’ business complexity and cybersecurity risk, additional measures may be layered in. These solutions could include access control, multi-factor authentication, and a least privilege, zero trust model (an approach that is sorely lacking in the financial services sector).
It’s also important to focus not just on the technology, but on the processes and people involved so that your clients can take a holistic approach to their cyber program and threat response.
Establish audit and reporting procedures
The proposed SEC rules also require registered investment advisers and funds to establish audit and reporting procedures to track cyber incidents. Specifically, they must:
- Report significant cybersecurity incidents affecting the adviser, its fund or private fund clients to the SEC.
- Publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.
- Establish recordkeeping procedures and improve the availability of cybersecurity-related information.
Adapting to each of these requirements may be a heavy lift for firms in this sector. For instance, while you may find that your clients have good security frameworks in place, they may lack maturity, particularly when it comes to auditing their security programs and policies.
Now is an opportune time to show your value by helping your clients adhere to the SEC reporting requirements without causing friction or additional work for already-busy security teams. Expect them to look to you for help creating a governance program and providing oversight to ensure that risks are adequately mitigated and that their security strategy aligns with SEC requirements.
Because the SEC proposal stresses accountability, your clients will likely lean on you to help them establish auditing procedures, governance metrics, and generate timely performance reports to evidence the health of their security program and track cyber incidents.
Time is of the essence
While the proposed SEC cybersecurity risk management rules await public comment, you must consult with your clients now, so they aren’t left scrambling when they go into effect.
Stress that the rules are “requirements,” not “recommendations” – an important distinction that mandates improvements in cyber hygiene and expedites the adoption of sophisticated reporting capabilities. The rules also align with industry best practices and getting ahead now will strengthen your clients’ security posture in today’s heightened risk environment.
Above all, act a strategic partner for them and explain that the best path to compliance is a combination of layered protection and proactive security governance, where cybersecurity is fully integrated into both IT and business operations.
Photo: g0d4ather / Shutterstock