As the number of cybersecurity threats increases, government and regulatory bodies continue to tighten the security requirements for financial institutions. In a webinar that took place on May 1, 2024, Silver’s CEO, Fizza Khan, sat down with Kyle Blair, Director of Financial Services at Egnyte, to discuss how the new regulations aim to fortify defenses, improve response times and make financial services institutions more proactive in protecting sensitive information and customer data.
A video of the full webinar is below, as well as key takeaways from the discussion:
- The following three key regulatory amendments will usher in a fairly sizeable shift in the way cybersecurity is managed:
  - Cybersecurity risk management amendment – This was originally proposed in February 2022 and centers on the SEC providing new cybersecurity risk management rules to firms governed by both the Investment Advisers Act and the Investment Company Act. The key takeaway with respect to this proposal is that everyone in the financial services community – investment advisers and registered funds – will need to adopt comprehensive cybersecurity policies and procedures, as well as report significant cybersecurity incidents directly to the SEC.
  - Regulation SCI – also known as Regulation Systems Compliance and Integrity – goes to the heart of technological and operational resiliency and is currently being amended. The amendments would expand this regulation and broaden the scope of the entities covered under it to include security-based swap repositories, certain broker-dealers, and all exempt clearing agencies. As a result, institutions that normally would not fall under the SEC’s purview as it relates to their cybersecurity and data protection requirements would, by way of this amendment, now be covered. If you are covered by Reg SCI, you need to enhance your existing requirements by mandating comprehensive policies and procedures that capture the entire lifecycle of how the firm manages its data and what it is doing with respect to cybersecurity. All of the elements of cybersecurity and data protection need to be interwoven.
  - Regulation S-P – This regulation focuses on the privacy of customer and client personally identifiable information (PII). The proposed amendments would require not only that customers’ and clients’ PII is protected, but also that the firm notify its customers and clients if a breach of their PII has occurred. [UPDATE: On May 16, 2024, the SEC announced that it adopted amendments to Regulation S-P that require broker-dealers, registered investment companies and registered investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer and client PII, including procedures for notifying persons affected by the incident within 30 days. The amendments are substantially identical to the proposals in the 2023 proposing release. This webinar took place before these amendments were adopted.]
- Communication is vital – You also want to ensure you can convey to your client and customer base the type of protections you have in place and, most importantly, that you aren’t just superficially adding policies and procedures – they actually have to be implemented, not just written down on paper.
- Awareness and training are key. This is a firm-wide exercise. Look at where your risks are – this will help you figure out how to implement a program across your firm and navigate the space.
- Be prepared. The idea is not to disrupt day-to-day business – we want to ensure you are as efficient as possible. But not having some sort of plan in place to address the potential risks associated with cyber-attacks is, in this day and age, akin to walking around without insurance. Hopefully you never need it, but if you do, you will be very grateful you have access to it.
If you have any questions about navigating comprehensive cybersecurity procedures and protocols, or your firm’s compliance program, please reach out to a member of Silver’s Compliance Team at [email protected].