Prepare for the Changing Landscape in Cybersecurity
Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
The U.S. Securities and Exchange Commission (SEC) issued a Notice of Proposed Rulemaking on April 5, 2023, outlining a proposed cybersecurity risk management rule [1]. Additionally, the SEC issued a Notice of Proposed Rulemaking on April 6, 2023, outlining proposed changes to Regulation S-P [2]. The SEC has good reason to propose new regulations given the significant rise in cybersecurity incidents each year, the costs borne by companies that experience successful attacks, and the need for investors to understand the risks that attacks pose to their investments.
Proposed rules from the SEC and other self-regulatory bodies, together with proposed and enacted legislation, have significant consequences for any company, and particularly for financial services firms. This rule, or a form of it, will pass. Firms need to prepare for this rule and similar regulations now to avoid disruptions to their business and the additional costs that come with implementing solutions in haste.
This article examines the challenges associated with the SEC’s proposed rule, the expected effect on financial services firms, and how firms can prepare now for the new rule.
A successful attack results in a breach of a company’s cybersecurity program. Companies typically report these cybersecurity breaches when any data is lost or copied by the bad actor. The Identity Theft Resource Center estimated that a record-breaking 1,862 data breaches occurred in 2021 [3]. This represents a 68% increase compared to 2020 and is 23% over the previous all-time high of 1,506 breaches set in 2017. The 2022 IBM Data Breach Report revealed that 83% of organizations experienced more than one data breach during 2022.
Bad actors are becoming more successful in their attacks.
A small business is classified as any company with fewer than 500 employees. Many financial services firms, particularly in the wealth management space, are classified as small businesses. Research shows that 40% of cyberattacks are aimed at small businesses [4]. Small businesses should be alarmed by this threat because over 60% of those that experience a successful attack close their doors within six months [5]. Therefore, the threat to financial services firms is very real.
Proposed cybersecurity disclosure rules
The proposed SEC rule changes in the Regulation S-P NPRM include the timeframe within which a firm must disclose a cybersecurity incident. Covered entities would need to provide immediate written notice to the SEC of a significant cybersecurity incident if they have a reasonable basis to conclude that an incident has occurred or is occurring. Covered entities would also file Part I of the new Form SCIR confidentially on EDGAR within 48 hours; this form would contain detailed information about the incident and would need to be continually updated as material developments occur.
This proposal follows the European Union's requirement of three days. Congress has charged the U.S. Department of Homeland Security to create rules that would require reporting within three days of an incident and reporting in one day for ransomware payments. The New York State Department of Financial Services is asking for a report in three days. The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corp. have required notification no later than 36 hours after a banking organization determines that an incident has occurred.
Why these rules are needed
Global regulatory entities are driving for fast and comprehensive disclosures of cybersecurity incidents for good reason. Investors need to know about cybersecurity incidents. A cybersecurity incident causes an average decline of 7.5% in the company’s stock value after a data breach [6]. It took an average of 46 days for companies to recover their stock prices to pre-breach levels. Clearly this information is material to investors.
The decline in stock price is only measured from the point at which the company reports the cybersecurity incident. IBM reported in its 2022 Data Security Report that it took an average of 277 days – roughly 9 months – for businesses to identify and report a data breach. Stolen or compromised credentials were the most common cause of a data breach in 2022, and breaches of this type took around 327 days to identify.
The regulatory agencies are prompting companies to more effectively identify and report data breaches and to protect investors with prompt disclosures. The number of regulatory agencies proposing disclosure rules means that a form of these rules will pass.
How to prepare
Risk assessment
Many firms expect their information technology team or provider to mitigate their cybersecurity risks. Information technology teams and providers can secure and monitor your IT infrastructure, but the proposed rules go beyond the capabilities of most IT providers.
A covered entity would be required to categorize and prioritize cybersecurity risks based on an inventory of its information systems and the information residing in them, as well as the potential effect of a cybersecurity incident on the covered entity. Covered entities would also need to assess the cybersecurity risks associated with the service providers they use. Risk assessments would need to be documented in writing.
Social engineering attacks target your team members using a variety of attack vectors, including phishing and spear-phishing emails. An average employee of a small business with fewer than 100 employees will receive 350% more social engineering attacks than an employee of a larger enterprise [7]. These emails cannot be eliminated through technology solutions alone, so your team members must be trained to recognize these attacks.
Satisfying the risk assessment requires firms to review their:
- People to protect against Social Engineering attacks;
- Processes to evaluate third-party risk from software providers and cloud services; and
- Technology that is supported by their information technology teams.
I recommend that firms conduct an independent cybersecurity assessment that evaluates their cybersecurity posture beyond technology alone and includes their people and processes.
Incident response
Many firms are not clear on the steps they should take when they uncover an incident. A well-defined incident response plan enables the firm to mount a coordinated response and provides its only realistic chance of meeting the timeframes outlined in the proposed rules and regulations.
The incident response plan includes several key components:
- You need a clear understanding of the key stakeholders in your organization to respond effectively to a cybersecurity incident. These individuals or groups are responsible for making critical decisions and taking specific actions in response to an event.
○ Incident manager, who leads the response, manages communication flows, updates stakeholders, and delegates tasks. This includes updates to the compliance and legal teams.
○ Technical manager, who acts as the subject matter expert. Firms may look externally for this resource if they do not have it in-house.
- Documented containment, eradication and recovery procedures.
○ Containment procedures involve isolating the affected system or network to prevent the spread of an attack.
○ Eradication procedures involve removing the attacker’s presence from the network and infected systems.
○ Recovery procedures involve restoring normal operations after an incident is contained and eradicated.
- Incident analysis and investigation are critical components of an effective incident response plan. The purpose of incident analysis and investigation is to:
○ Understand the root cause of the incident.
○ Determine the extent of the damage.
○ Evaluate the effectiveness of the response procedures.
Develop your incident response plan now to prepare for the coming rules. This plan will prepare your organization not only for the proposed rules but also for potential threats. You can seek outside assistance to develop your incident response plan if you don’t have experienced resources in your firm.
John O’Connell, founder and chief executive officer of The Oasis Group, specializes in helping wealth management and technology firms solve their most complex challenges. His newest online training courses serve as a leading source of education for financial professionals at all levels of their careers. With modules ranging from cybersecurity to custodian markets and more, these courses enable firms and enterprises to upskill, learn at their own pace and rewatch lessons to reinforce specific learning objectives.
[1] Cybersecurity Risk Management Rule, S7-06-23, 88 Fed. Reg. 20,212 (Apr. 5, 2022), https://www.federalregister.gov/documents/2023/04/05/2023-05767/cybersecurity-risk-management-rule-for-broker-dealers-clearing-agencies-major-security-based-swap.
[2] Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, S7-05-23, 88 Fed. Reg. 20,616 (Apr. 6, 2022), https://www.federalregister.gov/documents/2023/04/06/2023-05774/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information.
[3] Identity Theft Resource Center, “Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises” (Jan. 24, 2022), https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises/.
[4] Small Business Trends, “43 Small Business Cybersecurity Statistics” (May 29, 2023), https://smallbiztrends.com/2023/05/small-business-cybersecurity.html.
[5] TrueFort, “30 Sobering Cybersecurity Statistics for 2023” (May 10, 2023), https://truefort.com/2023-cybersecurity-statistics/.
[6] Harvard Business Review, “The Devastating Business Impacts of a Cyber Breach” (May 4, 2023), https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach.
[7] Barracuda Networks, Inc., “Spear Phishing - Top Threats and Trends” (2023), https://www.barracudamsp.com/resources/reports/spear-phishing-threats-and-trends.