By James Hampshire
LONDON – In April the US Securities and Exchange Commission’s Division of Investment Management released cybersecurity guidance for registered investment firms and advisors. It was hardly a surprise. The SEC has shown increasing interest in cybersecurity in recent years, urging publicly traded companies to discuss cyber risks and disclose data breaches in public filings. And last year the SEC’s Office of Compliance Inspections and Examinations conducted a survey of registered broker-dealers investment advisers to establish a baseline of their cybersecurity standards.
The SEC’s actions form part of a wider, worldwide trend of financial of regulators recognizing the potential impact cyber risk could have on markets and encouraging investment firms to up their game on security. This approach implies that if the sector does not raise its standards voluntarily, then new legislation or regulation may force it to. Despite pressure from regulators, firms should not see cybersecurity as a regulatory compliance exercise; cyber risk can have huge operational, financial and reputational impacts, so it is in firms’ best interest to critically examine their security posture.
The new SEC guidelines are thankfully simple and clear, and firms can implement them by taking a four-step approach.
Step 1: Understand the threat
No organization can protect itself without understanding what it is protecting itself from. The first activity any firm should undertake is developing an understanding the specific cyber threat it faces.
Malicious actors in cyberspace broadly fall into three categories: nation states, criminals and activists. Although the majority of threat to the financial sector comes from criminals, activists are increasingly targeting financial institutions given global economic and political trends. Nation states also target the financial sector, as evidenced by attacks on major banks, stock exchanges, and the theft of information pertaining to M&A transactions. However, a broad, sectoral threat assessment does not allow good defense design, as the specific threat a firm faces will be determined by factors such as its operational footprint, the nature of its business and its public profile. Therefore, a bespoke threat assessment should be the first step toward any effective cybersecurity program.
Step 2: Identify critical assets
Firms must also develop an understanding what assets malicious actors want to target, as these are the most important things to defend. This will vary by firm depending on the exact nature of the business, but key assets for organizations in this sector usually include financial assets held in digital form (e.g., money or stocks), customer data, trading data and business strategy information (e.g., trading algorithms or strategic business plans).
Step 3: Understand the strengths and weaknesses of current cybersecurity arrangements
Once a firm understands threat and what it needs to defend, it can start to assess how well defended its key assets are against the specific threat it faces. At this stage many organizations fall into the trap of thinking about defenses as purely an IT issue. Although technical controls are important, they are only one element of an effective cybersecurity program. Cyber attacks are not computers attacking computers, but humans with malicious intent attacking your business though computers, often using human vulnerabilities as a weak link. A holistic cybersecurity healthcheck needs to consider a range of factors in addition to technical controls.
Step 4: Develop a cybersecurity roadmap
An honest and impartial assessment of current strengths and weaknesses will allow a firm to develop a roadmap, which should identify and prioritize improvements. These will range from short-term, low cost quick wins, to longer term program that require investment. Turning these plans into action require two key elements: having senior ownership to drive the plans forward and secure the necessary investment, and having wider organizational buy-in.
The SEC guidance goes on to say that since funds and advisors vary greatly in their structure and operations, their cybersecurity programs should be tailored to their unique circumstances. This emphasizes the need for bespoke programs over compliance audits. For example, although the international information security standard ISO27001 is a useful benchmark, it does not take into account the specific nature of an organization’s business, nor the specific threat it faces.
Cybersecurity is increasingly one of the key risks facing the financial sector today. Firms that consider cybersecurity as a business risk, rather than a regulatory compliance exercise, will be more likely to manage those risks successfully.
James Hampshire is a senior consultant at Control Risks, the global risk consultancy. For more information, request a demonstration of our Cyber Threat Intelligence service.
