Financial services companies must comply with a wide range of cybersecurity- and privacy-related regulations. As regulators and the general public become more aware of cyber threats and privacy issues, the stakes are getting higher.
In August 2021, the SEC sanctioned eight investment firms for cybersecurity failures that exposed customer information. For some of those firms, penalties ran as high as $300,000. It was the first such action ever taken by the SEC, and it followed a first-ever cybersecurity enforcement by the New York Department of Financial Services a month earlier.
In this new regulatory landscape, investment firms should get up to speed with any cybersecurity regulations that are in flux. Here are several you should keep your eye on in 2023:
CPPA and CPRA – California was the first U.S. state to pass laws governing how organizations handle personal data of state residents. The California Privacy Protection Act (CPPA) was enacted in 2018. The California Privacy Rights Act (CPRA) was a ballot initiative that modified CPPA in 2020. The California Privacy Protection Agency – also known as CPPA – is now finalizing rulemaking for provisions that will go into effect in January 2023, with enforcement beginning in July 2023.
Other U.S. state privacy laws – A growing number of states are legislating how organizations handle the personal data of their residents. In addition to California, states with privacy laws now in effect include Colorado, Connecticut, and Utah. Jurisdictions with legislation under active consideration include Michigan, New Jersey, Ohio, Pennsylvania, and Washington, D.C.
UK-GDPR – After the United Kingdom withdrew from the European Union (EU) in 2020, it implemented its own version of the EU’s General Data Protection Regulation (GDPR), known as UK-GDPR. This legislation closely follows the EU’s GDPR, with minor variations that reflect domestic U.K. law. Any firm handling personal data of individuals in the United Kingdom must comply.
Artificial intelligence (AI) regulations – Investment firms are increasingly looking to AI for competitive advantage. AI can help firms generate alpha, improve operational efficiency, manage risk, and gain new customer insights. But AI that touches personal data will increasingly come under regulatory scrutiny. The EU’s AI Act, for instance, is a European law proposed in 2021 to regulate AI applications. Agreement on the legislation could come as early as mid-2023. Like GDPR, the AI Act could become a global standard.
SEC Rules for Cybersecurity Risk Management – In February 2022, the SEC proposed new cybersecurity rules for investment advisors and funds. The agency is shifting its focus from recommendations to a prescriptive ruleset and enforcement. While final rules won’t be issued till late 2022 or early 2023, expect them to require your firm to:
-
Establish written cybersecurity plans, policies, and procedures.
-
Review, document, and enforce access management best practices.
-
Deploy data protection policies and technologies.
-
Manage threats and vulnerabilities.
-
Implement cybersecurity incident response planning and recovery.
-
Report and disclose cybersecurity incidents.
-
Formalize cybersecurity responsibility and accountability.
Stronger Cybersecurity, Closer Compliance
Each of these regulations sets out specific rules for cybersecurity or data privacy. But baseline cybersecurity policies, procedures, and technologies can go a long way for ensuring compliance. The cybersecurity framework and privacy framework of the National Institute of Standards and Technology (NIST) are invaluable resources, as is the ISO/IEC 27001 cybersecurity standard.
In addition, every investment firm should consider these cybersecurity fundamentals:
SIEM – Security information and event management (SIEM) provides real-time analysis of data to proactively identify security risks. Machine learning (ML) and statistical analysis can recognize anomalies, patterns, and trends that indicate problems.
Dark web monitoring – Dark-web monitoring scours the internet’s criminal corners to discover stolen user credentials and prevent account takeovers (ATOs), helping to meet regulatory requirements for due diligence.
Tabletop exercises – Having an incident response plan is good. Regularly testing that plan is better. Tabletop exercises can help ensure you’re prepared – and significantly reduce the impact of a breach. The average cost of a data breach is now $9.44 million, according to IBM’s “Cost of a Data Breach 2022 Report” – a number slashed to $2.66 million for companies with a tested incident response plan.
Training – Employee training on cybersecurity basics, such as how to recognize a phishing attack, can significantly reduce your cyber risk. After all, 82% of data breaches involve human error, misuse, or social engineering, according to Verizon’s 2022 Data Breach Investigations Report.
MSSP – For firms that lack the internal resources to respond to proliferating security threats, a managed security service provider (MSSP) can be a worthwhile investment. An effective MSSP marries layered detection with a dedicated, 24x7 SOC to surface threats, analyze the risk in real time, and mobilize a response.
One certainty about cybersecurity and privacy regulations is that they’ll continue to proliferate and evolve. Staying apprised of the regulations that affect your enterprise and investing in a strong cybersecurity posture will help protect your business, assure regulators, and give customers confidence in your firm.
