Financial managers: Get ready for a change to SEC requirements for cyber security testing.
The U.S. Securities and Exchange Commission is the federal agency tasked with overseeing the U.S. markets; it issues regulations designed to protect investors and to facilitate capital formation. So, what do the SEC, financial services, and IT have in common?
Hackers. They have hackers in common. In fact, a report by McAfee says financial crime has the second-highest loss rate of all categories of cyber security breaches.
SEC Ruling Changes Sparked by Increase in Cyber Crime
The SEC issues periodic guidance updates on investment management. As you might imagine, wealth managers pay particular attention to these updates. In April this year, the SEC issued the first one we have seen in almost two years. Interestingly, the most recent Investment Management Guidance Update has more to do with cyber security in financial firms than with wealth management.
It isn’t surprising when you think about it: stealing card numbers from Target’s customers was big news, and big money. The McAfee report said such attacks typically cost the victim corporation over $100 million as it shores up its systems and recovers from the loss. So it makes sense that the SEC is shoring up its cybersecurity rules. The biggest change in the 2015 guidance states that certain registrants (financial institutions) are now required to use independent contractors when conducting security tests that:
In light of these changes, and the increasing risk of cyber threats, what should a wealth management team do to protect their firm?
How to Prevent Cyber Threats
According to the SEC guidelines, reviewing your cyber security plan is crucial. There are four key areas to consider:
The first step in any IT cyber security plan is to assess the data you collect: what it is, where it is stored, and which systems and technologies touch it. Your written IT security policy should include:
The SEC states, “funds and advisers should identify their respective compliance obligations under federal law and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.” When it comes to dividing responsibilities between compliance and IT, the following steps will meet the SEC’s suggestions:
Engaging every employee in the successful prevention of hacking is crucial. But if your C-suite and Trustees aren’t on board, your initiatives will fail. Involvement of your C-suite and Board of Trustees should include:
Next, as part of determining your cyber security plan, consider your exposure to litigation. The SEC suggests financial institutions should:
The final measure of your preparedness should include a review of cyber security training. Consider these points:
Cyber crime takes many forms in the financial sector, and thieves are constantly adapting their methods to stay ahead of technology managers. Detecting cyber crime is just as difficult as protecting sensitive data. Following SEC compliance should be just the beginning of efforts to protect your organization and the stakeholders you serve.