The U.S. government is expanding security requirements for yet another sector.
In the last few months, the U.S. federal government has implemented new cybersecurity regulations for several sectors, from banks to transportation. U.S. President Biden, too, has emphasized the urgency for addressing cybersecurity in various areas by issuing several memorandums and executive orders.
And now, the focus is on investment firms.
In February, the Securities and Exchange Commission (SEC) proposed new rules that, for the first time, would require specific cybersecurity risk management actions and preparations for registered investment advisers and funds. When the proposal moves forward, your investment firm may need to make some big changes.
What the rules mean in the short term
Titled “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies,” the proposed rules recognize that financial investment firms increasingly rely on technology for business-critical operations. The interconnected systems and networks, as well as the digital tools used for client interaction, have opened up these organizations to new cybersecurity risks.
The SEC noted that not only can advisers and firms suffer significant financial, operational, legal, and reputational damage, but that cybersecurity incidents can also “cause substantial harm to their clients and investors.”
To ensure that firms are managing these risks, the proposed requirements are fairly detailed and get granular in some areas. Here are five examples of what your firm would need to do:
- Implement cybersecurity hygiene and protection measures to help reduce the likelihood of incidents, and tailor these measures to your business operations and environment
- Review, evaluate, and document in a written report the effectiveness of these policies at least annually, and update them to ensure they remain effective as the threat landscape and technology change
- Periodically assess, categorize, and prioritize cybersecurity risks related to information systems and the data that resides in them—as well as the risks associated with using service providers that have access to the systems and data
- Implement controls that prevent unauthorized user access to systems and data, including procedures for identifying and authenticating users, as well as for timely distribution, replacement, and revocation of passwords and other authentication methods
- Document not only your risk assessments, policies, procedures, and incident response plans, but also your response and recovery activities during each incident
In addition, you would need to report significant cybersecurity incidents to the SEC within 48 hours.
If your company doesn’t already have a strong cybersecurity plan and effective measures in place, this rule will mean quite a bit of work to become fully compliant. Don’t wait until the SEC finalizes the rules. You can start taking steps now, such as:
- Conducting a security audit to identify risks—this will help you prioritize areas to focus on
- Reviewing your current cybersecurity plan to understand what areas fall short of the new requirements and will need updating
- Exploring your options for specific requirements, such as prevention of unauthorized user access—for example, you can start evaluating password managers
The regulatory landscape will keep evolving
The number of data compromises escalated 68% in 2021 and hit a new all-time high, according to the latest annual report from the Identity Theft Resource Center. Considering the growing number of breaches, as well as the escalation of ransomware attacks and other incidents, the increased government interest in cybersecurity across all sectors is not unexpected.
Governments’ scrutiny of companies’ cybersecurity and privacy will continue to grow globally. Last year, for example, China became the latest nation to enact stringent privacy rules aimed at protecting its citizens’ data.
The best way to prepare for the ever-evolving regulatory environment is by implementing fundamental practices. While each regulation is different, you’ll be in a better position to respond if you’re already following best practices and have a robust security plan that you’re continuously updating.
Dashlane can help you meet regulatory mandates and prevent unauthorized access to your critical data and systems. Want to learn how? Sign up for a free trial.