The SEC released a new proposal on March 15 to protect investors by shoring up capital markets cybersecurity policies and procedures. This was in response to heightened cybersecurity risks, wider use of cloud service providers and the increasing interconnectedness of market systems.
The new rule would call for financial institutions (FI) to disclose security incidents within 48 hours and to alert customers of any compromised data within 30 days, among other things.
Finance/insurance was the second most victimized sector around the world for cyberattacks in 2022, following manufacturing. This package of proposed policies is designed to help harden the financial system against hacking, data theft and systems failure -- an important step in combating the mounting threats to public companies and investors.
As we move through the 60-day public comment period, what does the SEC’s move mean for broker-dealers, clearing agencies, asset managers, securities exchanges and other capital market participants? Will the new standards be effective in bolstering investor confidence and financial market cyber resiliency – in a moment when we badly need it?
A phased approach
Given the obvious reasons that hackers prioritize the banking, financial services and insurance sectors, it might seem surprising that the SEC has waited until now to introduce such requirements, or to require firms to produce annual written assessments of their cybersecurity policies and procedures.
Naturally, policymakers seek to strike the right balance between protecting consumers and enabling innovation. But as the pandemic accelerated digitization, and cloud migration and blockchain produced expanded attack surfaces, the markets have become intricately interconnected.
Policymakers have embarked on a phased approach to erecting regulatory frameworks, prioritizing more sensitive sectors. They have strived to carefully prepare companies for enhanced cybersecurity transparency, while not presenting overly prescriptive guardrails for companies in the areas of reporting, disclosure, and governance.
We already see governments around the world introducing new cybersecurity regulations that apply to a wide range of industries. A few examples of this include the U.S. Department of Defense’s phased rules for its contractor supply chain, the EU’s GDPR regulations and the “Essential Eight” guidelines set out by the Australian government.
Is 48 hours a reasonable amount of time?
Some CISOs and critics, like SEC dissenting commissioners Mark Uyeda and Hester Peirce, may find fault in the SEC proposal, perhaps seeing the 48-hour and 30-day deadlines as too stringent and prescriptive.
Uyeda said that filing requirements “demand immediate attention from management all in the midst of responding to a breach.” However, International Monetary Fund (IMF) global research revealed that information sharing and reporting represent the top cybersecurity gap in the oversight of financial market infrastructures.
The initial 48-hour report is not the final assessment of an incident, so FIs should not be overly fixated on this timeline or on the need to have full oversight of the situation before reporting.
As with any crisis, incident reporting is essential to stop the initial bleed or take remedial action. Thirty days as the maximum time allotted to notify users of a data breach is a reasonable benchmark.
Firms do need ample time to assess the situation and ensure their communications are accurate. At the same time, firms must avoid premature or unnecessary notification of users, or flooding them with updates that could cause undue panic.
Transparency, communication, and accountability
The scale of the perceived burden is a reflection of the scale of cybersecurity risks in today’s operating environment. Threats still largely loom in the form of ransomware, phishing and malware attacks -- whether by individuals, ransomware-as-a-service operators or state-sponsored actors. FIs should also be wary of insider threats and, of course, poor employee cyber hygiene.
Given the sensitive nature of the data and information FIs handle, the proposal sets a standard that strengthens transparency, trust, and accountability between FIs and the parties with which they do business. Further, timely incident reporting helps establish a stronger defense across organizations against a host of cyberthreats in the long-term.
Private sector insights into the whereabouts and actions of bad actors from across the internet can effectively complement regulatory capabilities in this aspect – enabling an invaluable two-way flow of information between private and public sectors.
A call to build cyber resilience
SEC requirements will also act as a motivator for FIs to shore up their level of cybersecurity preparedness.
Financial institutions should look at the new rules as a cyber resilience call to arms, and a chance to get it right before the rules kick in.
Department heads should break out of their silos and collaborate with CISOs in a review of their current cybersecurity posture by conducting a thorough risk assessment to find the vulnerabilities. Proactive measures like regular penetration testing, red teaming and compromise assessments are essential. Based upon this meticulous assessment, they should actively plug existing gaps.
Whether an FI is ahead of the curve or behind it on reporting attacks to stakeholders, it is inadvisable to wait until the SEC’s rules kick in to begin a path to compliance. Leadership can immediately educate themselves on the new requirements and pre-empt the SEC by codifying and fortifying their incident reporting process, customer notification process and written cybersecurity policies and procedures.
Since the new framework will require annual assessments and policy reviews that must reflect changes in cybersecurity risks over time, institutions should use the preparation to inform how they budget for cybersecurity solutions moving forward.
While the rules are aimed at remedial action to encourage FIs to step up their cybersecurity standards, strengthening cybersecurity within each organization lies in their own hands.
Following the installation of reporting and policy mechanisms and the completion of a threat assessment, FIs should then look beyond traditional cybersecurity solutions towards new methods that provide stronger data protection more in line with escalating threats.
Winning a battle of attrition
Financial firms are doing business in a golden age for cyber criminals. Reports of ransomware attacks ballooned by 62% in 2021 over 2020, with remitted ransoms estimated to cost $20 billion worldwide. In 2022, web application and API attacks against financial services firms grew by 257% year-on-year.
Aside from the ransom, data, and business interruption loss, firms also suffer from damaging losses of brand equity. Organizations across sectors involved in curbing the spread of cybercrime are engaged in a long-term and ongoing battle of attrition.
Adopting a pragmatic view of the cybercrime landscape and acknowledging the ingenuity of cybercrime networks is a prerequisite to rising to their challenge.
Many still fail to recognize that cyber criminals are far more sophisticated and acutely aware of firms’ weaknesses than they can imagine. This inaccurate mindset is often why many organizations balk at spending resources to strengthen their cybersecurity defenses in the first place.
Play to win instead of playing not to lose
Criminals have increasingly targeted managed service providers, the software supply chain and the cloud, expanding the surface to defend. Deloitte found that the complexity from the increased data defense perimeter is the #1 challenge in managing cybersecurity across banking, insurance, investment management, and other financial services.
In the last two years, cybersecurity strategies continued to be reactive, and thus allowed hackers to conduct their activities largely unchecked.
As software cybersecurity solutions continue to struggle to address countless threat variables in the open environment, CISOs need to adopt zero-trust frameworks and leave no deficiencies in their cybersecurity postures, such as the oft-overlooked physical computing layer that supports the six other layers.
The next stage of holistic cybersecurity defense should incorporate hardware and embedded solutions into the overall infrastructure to stop hackers in their tracks in a small, sealed, and fully engineered environment at the data storage level.
The SEC has stepped up cybersecurity rulemaking recently for registered investment advisors, public companies, and now market entities. However, cyber risk reporting policies alone are not enough to protect investors, markets, and the entire US economy.
To truly remain safe and compliant, the industry needs frameworks such as these combined with security tech stacks robust enough to protect themselves at every level – from the cloud down to hardware.
Camellia Chan is the CEO and co-founder of X-PHY, a Flexxon brand. Since its inception in 2007, Camellia has grown Flexxon into an international business with a presence in over 50 cities. With Camellia’s passion for innovation and tech for good, Flexxon continues to expand its essential suite of cybersecurity services through its flagship X-PHY brand.