Webinar Recap: What Financial Firms Need To Know About Upcoming SEC Rules on Cyber - Part 2

This post continues our recap of a recent webinar ECI hosted on the new Cybersecurity Risk Management Rules that the U.S. Securities and Exchange Commission (SEC) is developing and is on track to release this spring. In Part 1, we explored the likely impact of the rules on financial firms and the challenges these firms may face in adapting to a higher regulatory bar.

Now let’s examine some insights from the panelists – ECI CIO Rich Itri and CTO Steve Schoener, together with Regulatory Counsel Founder Scott Pomfret and Seward & Kissel LLP’s Daniel Bresler – on a few strategies organizations can follow to implement better cybersecurity and satisfy the upcoming rules.

GAINING VISIBILITY AND CONTROL OF DATA

As we learned in Part 1, the SEC will be requiring financial firms to have more accountability, programmatic rigor and business-specific customization baked into their cybersecurity protections. To meet these requirements, the webinar panelists underscored the importance of gaining more visibility and control of data across the enterprise. Even before the new rules are finalized and released, IT teams should be proactive with baselining and mapping out which data is running on which systems; who has access; which data sets are subject to which regulations; and how data is encrypted.

From there, teams can develop a Data Loss Prevention (DLP) strategy that is customized to their firm. For instance, a company whose internal developers rapidly deploy technology for bespoke systems will likely require robust vulnerability management and penetration testing. By contrast, a firm that relies mostly on SaaS providers will have a different DLP strategy – one that includes a strong vendor risk management program to keep any third-party security gaps from compromising the firm’s own cybersecurity posture.

The panelists emphasized that this process of gaining visibility and tailored insight into a firm's data and cybersecurity profile requires a coordinated effort across the org chart. The cross-disciplinary team should include technologists, legal counsel, compliance officers and other key stakeholders – all working together to combine their respective expertise for a program that is effective in strengthening security and documenting compliance to regulators.

COORDINATING CYBERSECURITY IMPLEMENTATIONS FOR BETTER COMPLIANCE

It’s one thing for financial organizations to plan for better cybersecurity; it’s another to effectively execute that plan. That’s why the panelists shared takeaways and recommendations for orchestrating the implementation of cybersecurity tools to comply with the SEC’s enhanced rules. They emphasized the need for a coherent framework for deploying multiple cybersecurity capabilities, rather than looking at each tool in isolation.

A well-designed cybersecurity program also requires more than simply sharing information across the organization; it’s crucial to contextualize information and render it in accessible ways for the multiple stakeholders who need to convene around any security gaps or issues. The panelists stressed how this is especially critical for decision support at the board level. For instance, board members need not take part in every tabletop exercise, but they should understand how these exercises are designed and what the performance outcomes of these exercises mean for the firm’s readiness to prevent or respond to a cybersecurity incident.

Ultimately, the webinar panelists summarized how a holistic framework for better cybersecurity can be developed with the help of the right IT partner. An MSP can help deploy a powerful and accessible cybersecurity plan across the organization – from the server room to the board room – so that multiple stakeholders with varying levels of expertise can seamlessly orchestrate their efforts around any challenges or risks. That brings new levels of agility to flag security gaps and pinpoint the risks they pose in performance, revenue, compliance and more as organizations work to satisfy the stronger rules on the way from the SEC.

TO LISTEN IN ON THE FULL DISCUSSION, CATCH THE WEBINAR REPLAY HERE
