By ECI | Tuesday, March 21, 2023
The U.S. Securities and Exchange Commission (SEC) has moved a step closer to adoption of its proposed Cybersecurity Risk Management Rules. Originally proposed in February 2022, the regulations recently advanced to the final rule stage on the agency’s Regulatory Flexibility Agenda and opened for an additional period of commentary – likely signaling action to come this Spring. There is a lot to unpack in the proposed rules and what they mean for financial firms. That’s why we’re devoting the next two blog posts to highlighting key insights and takeaways from a recent webinar ECI hosted on the topic.
ECI CIO Rich Itri and CTO Steve Schoener were joined by Regulatory Counsel Founder Scott Pomfret and by Daniel Bresler, a partner in the Investment Management Group at Seward & Kissel LLP, for a wide-ranging discussion on the cybersecurity, legal, technological and compliance implications of the new SEC rules. Here in Part 1 of the webinar recap, we take a closer look at the panelists’ views on what the new rules will cover, and the likely challenges organizations will face in adapting to them.
ANTICIPATING NEW SEC RULES AND IMPACTS
While the SEC rules are still being finalized, some hints are already emerging about what regulators want and expect from financial industry players, especially in the investment sector. The webinar panelists aligned on three themes in particular that will shape the SEC rulebook: accountability, programmatic rigor and alignment of protections to the nature of business activities.
On accountability, federal regulators are looking to clarify current ambiguities around what the SEC expects investment firms and advisers to be doing and reporting on when it comes to cybersecurity protections. The logic is that more specificity on the rules translates into more accountability for the organizations that must comply with those rules.
The panelists also discussed how the SEC is emphasizing the need to take a programmatic approach to cybersecurity that goes beyond just buying products and checking boxes. The SEC will require firms to better orchestrate cybersecurity tools and processes to achieve a more holistic level of visibility and control – understanding of where risks reside in the organization; measuring the potential impacts; closing security gaps; and monitoring security posture on an ongoing basis.
Throughout, the panelists emphasized how the SEC rules will require organizations to better tailor their cybersecurity programs to the nature of the business. Adequate cyber protections for a boutique investment business, for instance, will likely be different from what a large firm that’s doing algorithmic trading might require in order to remain secure. This need for organizations to right-size their cybersecurity programs to the rest of the organization will be a key tenet of the SEC rules.
LIKELY IMPLEMENTATION CHALLENGES
Even as the industry waits for the SEC to finalize its new Cybersecurity Risk Management Rules, it’s clear that taking the IT modernization steps to comply with them will be a challenge for most organizations. The webinar panelists emphasized that many firms will face significant barriers to entry because every new compliance rule, no matter how well founded, requires time and money to implement. Emerging asset managers in particular may not have the personnel or the budgets to set up the technologies and reporting systems on their own to comply with the new rules.
Immediate reporting requirements that will likely be part of the new SEC rules will also cause a strain on businesses – distracting from the time-sensitive research and remediation steps that go into managing a cybersecurity incident. The webinar panelists stressed how smaller advisory firms will especially struggle to satisfy forensics and reporting steps in the first 48 hours of an incident while concurrently trying to deal with the immediate operational fallout.
In addition, the new SEC rules will pose fresh challenges to board-level decision makers who are typically not cybersecurity experts but will nonetheless be responsible for ensuring the firms they oversee have enhanced protections and reporting systems in place. These decision makers will be looking for IT partners who can manage the complexities while summarizing security issues and communicating risk to them so they can carry out their fiduciary duty to the organization.
The need for strategic IT partnerships was a major theme more broadly, as the webinar discussion devoted significant time to the steps financial firms can take to modernize their cybersecurity protections and evolve their day-to-day operations to comply with the enhanced SEC rules. We’ll focus on these themes in Part 2 of our webinar recap blog. To listen in on the full discussion, catch the webinar replay HERE.