Continuous Compliance: 7 Tips to Help Investment Firms Stay Ahead of Cybersecurity and Privacy Regulations
Regulations affect every industry, but alternative investment firms face more than their share. And when regulatory bodies make changes, your firm has no choice but to respond.
In an era of skyrocketing cybersecurity attacks and increasing investor awareness of cyber threats, many regulatory updates address privacy and cyber protections. Failure to comply with these changes in a timely manner puts your firm at financial, legal, and reputational risk.
Here are seven vital actions to protect your firm from regulatory lapses and assure regulators and investors that you’re continuously compliant:
1. Don’t assume you’re too small.
Many startup or niche firms assume they’re too small for regulations to apply or for regulators to take notice. That’s a dangerous mistake. Investors are paying more attention to cyber issues, and governments are under more pressure to set and enforce rigorous requirements. Remediating and paying penalties for a lapse is far more costly than investing in solid compliance.
The good news is that effective cyber solutions and services are available. Strategies and technologies that previously were costly to obtain and challenging to maintain are now affordable, simple, and ubiquitous enough to benefit even the smallest firms.
2. It’s never “one and done.”
Many firms assume they can get compliant and never worry again. But cyber issues move fast. The threats against your data and systems, the technologies to safeguard those resources, and the protections regulatory bodies require change regularly. Firms that were on the cutting edge five years ago might find themselves far behind the game today. Approach compliance as an ongoing investment in your firm’s success.
3. Know which regs to watch.
It’s important to stay up to date on all relevant rulemaking in the jurisdictions where you have offices or conduct business. Also pay attention to regulation such as the EU’s General Data Protection Regulation (GDPR) that affects multiple jurisdictions and is likely to influence other regulatory bodies. GDPR in particular has significantly evolved – and seriously ramped up penalties – since it was introduced in 2018.
The U.S. Securities and Exchange Commission (SEC) is another rulemaking body that frequently amends its guidance. The agency’s latest proposed rules have consequential implications for cybersecurity policy, vulnerability management, data protections, incident response and disclosure, and board accountability.
Other jurisdictions that investment firms should keep an eye on include the United Kingdom, Hong Kong, and Singapore, all of which have been updating their financial services regulations.
4. Train staff regularly.
Policy, process, and technology are vital, but people are often the weakest link in the cybersecurity and compliance chain. Consistent staff training can help.
Make sure you provide learning content that specifically conforms with regulatory requirements. Also address known issues such as email phishing schemes designed to trick team members into sharing credentials or confidential data. More broadly, encourage all employees to take personal responsibility for protecting data and contributing to compliance.
Cover training from both a cybersecurity and a risk-and-compliance perspective. Get input from both your IT and governance teams. And keep careful documentation in case you’re audited.
5. Look to your peers.
Keep current with what your competitors are doing to protect data and maintain compliance. A good gauge is to stay at least on par with industry norms. You don’t necessarily have to remain in the 99th percentile for cyber sophistication. But if you’re in the bottom quartile, you know you have work to do.
Peer groups and conferences can be valuable resources for understanding industry trends and sharing best practices. Take the time to participate and benefit from lessons learned by others.
6. Get help where you need it.
Peer groups aren’t the only source of experience and expertise. Every investment firm should have trusted relationships with technology, legal, and governance, risk and compliance (GRC) advisors.
Few alternative investment firms are set up to field a large IT department with command of the latest cloud technologies. They likewise may struggle to attract and retain cybersecurity experts who are up to date on the latest threats and solutions.
Consider a managed service provider (MSP) for IT systems and a managed security service provider (MSSP) for cyber protections. Even better, look to a single partner with the breadth and depth of capability to act as both. You’ll benefit from tighter integrations and better accountability to ensure your IT infrastructure optimally contributes to compliance.
7. Plan for cloud-native and agility.
In many financial services firms, IT systems were designed around a bespoke, on-prem data center. The result is an IT landscape that’s costly and slow to update in response to changing regulatory needs.
A cloud-based infrastructure is far more agile. Technology and cybersecurity updates are faster and more cost-effective, with lower risk of operational disruptions.
Even more effective is a cloud-native approach in which older applications aren’t merely “lifted and shifted” to the cloud but are replaced with cloud-optimized solutions. A cloud-native environment better positions you to quickly adopt the latest cyber protections. It also enables you to easily switch on new capabilities such as advanced analytics and artificial intelligence (AI). Ultimately, it equips you with the technology tools to not only ensure regulatory compliance but also enable business growth.