New SEC guidelines are focused on cyber security in the financial sector. Here’s what you need to know.
Financial managers: Get ready for a change to SEC requirements for cyber security testing.
The U.S. Security and Exchange Commission is the government entity tasked with maintaining the U.S. markets by issuing regulations designed to protect investors and facilitate the free flow of capital growth. So, what does the SEC, financial services, and IT have in common?
Hackers. They have hackers in common. In fact, a report by McAfee says financial crime boasts the second highest loss rate of all segments of cyber security breaches.
SEC Ruling Changes Sparked by Increase in Cyber Crime
The SEC issues periodic updates on investing. As you might imagine, wealth managers pay particular attention to these updates. In April this year, the SEC issued the first one we’ve seen in almost two years. Interestingly, the most recent Investment Management Guidance Update has more to do with cyber security in financial firms, than wealth management.
It isn’t surprising when you think about it; hacking a bunch of numbers from Target credit card holders is big news – and big money. The McAfee report said these attacks typically cost the victim corporation over $100 million as they seek to shore up their systems and recover the lost information. So, it makes sense that the SEC is seeking to shore up their cybersecurity rules. The biggest change to their 2015 guidelines states that certain registrants (financial institutions) are now required to utilize independent contractors when conducting security tests that:
- Assess, mitigate, and monitor security risks;
- Engage in capital planning and investment in the cyber security or technology sector;
- Director, trustee, and management level oversight of cyber security;
- IT audit and control evaluations;
- Cyber security-related remediation.
In light of these changes, and the increasing risk of cyber threats, what should a wealth management team do to protect their firm?
How to Prevent Cyber Threats
According to the SEC guidelines, reviewing your cyber security plan is crucial. There are four key areas to consider:
- Written IT security policies
- Compliance and IT division of responsibilities
- Involvement of your C-suite and Board
- Litigation exposure
The first step in any IT cyber security plan is to conduct an assessment of the type of data you’re collecting. Look at everything from where it is housed to what technology it touches. Your written IT security policy should include:
- The governance of the data including what is your deletion policy.
- Asset management and who has information access.
- Escalation procedures in the event of a breech, including a PR process.
- Vendor or third-party guidelines.
The SEC states, “funds and advisers should identify their respective compliance obligations under federal law and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.” When it comes to determining the division of responsibilities between compliance and IT the following steps will meet SEC suggestions:
- Appoint a Chief Information Security Officer (CISO).
- Who is the security liaison between management and the Board?
- Is there a plan for having IT and compliance work together on security?
- What and where is your highest data security risk?
Engaging every employee in the successful prevention of hacking is crucial. But if your C-suite and Trustees aren’t on board, your initiatives will fail. Involvement of your C-suite and Board of Trustees should include:
- An assessment of stakeholders supporting your efforts.
- Is this initiative a priority for the Board and C-suite? Does the CISO report on these policies?
- Who helps with planning cyber security policies, training, infrastructure, or other efforts?
- What are the budget and priorities for these efforts?
As a final piece in your process of determining a cyber security plan, what is your risk of litigation involvement or exposure? The SEC suggests financial institutions should:
- Mitigate risk by auditing compliance policies and procedures.
- Consider the effect of a breech on your ability to process shareholder transactions – and plan for that possibility.
The final measure of your preparedness should include a review of cyber security training. Consider these points:
- Who conducts IT security training, and how often?
- How are you tracking participation and compliance with the training and cyber security policies?
- Are your policies tested?
- Does your training encompass: Encryption; portable device policies; phishing; and passwords?
Cyber crime takes many forms in the financial sector, and thieves are constantly adapting their methods to stay ahead of technology managers. Detecting cyber crime is just as difficult as protecting sensitive data. Following SEC compliance should be just the beginning of efforts to protect your organization and the stakeholders you serve.
To find out more about cyber security in Boise, contact Aurora Technical Consulting at email@example.com or (208) 936-7616.