Financial services firms operating in the US will need to familiarise themselves with new cybersecurity guidance from the Securities and Exchange Commission (SEC) if they are to avoid the risk of regulatory action following a cyber attack.
The Commission's Division of Investment Management has published a guidance update setting out cybersecurity concerns and recommended measures for the registered investment companies and investment advisers it oversees. The Division noted that attacks targeting a "wide range of financial services firms" have highlighted the need for companies in this sector to review the measures they have in place for combating these threats.
Investment funds and advisers may be particularly vulnerable to data breaches due to the prevalent use of third-party vendors and service providers in this industry, which include fund managers, administrators, transfer agents and prime brokers.
The guidance emphasises the importance of periodically assessing a firm's defences, taking into account the internal and external cybersecurity threats it faces, the security controls and processes currently in place, and the impact that would follow if its information or technology systems were compromised.
Once that assessment has been completed, the SEC urges firms to develop a strategy that is "designed to prevent, detect and respond to cybersecurity threats". Such a strategy may include tightening access controls, encrypting data, backing up key information and restricting the use of removable storage media, in order to guard against the loss or exfiltration of sensitive materials.
It also emphasises the importance of drafting an incident response plan, and notes that routine testing is vital for ensuring that any strategy remains effective.
Strategies need to be implemented via written policies and effective training that ensures all employees understand what their responsibilities are. "Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts," the guidance notes.
Firms will also be better prepared if, when planning their cybersecurity programme and rapid response capability, they weigh the measures identified in the guidance against their own particular circumstances rather than adopting them wholesale.
"The staff also recognises that it is not possible for a fund or adviser to anticipate and prevent every cyber attack," the SEC stated. "Appropriate planning to address cybersecurity and a rapid response capability may, nevertheless, assist funds and advisers in mitigating the impact of any such attacks and any related effects on fund investors and advisory clients, as well as complying with the federal securities laws."
In order for businesses to effectively defend themselves against cyber attacks and meet these requirements, it will be vital for them to have strong defences in place. Innovations from Encode, supported by IBM QRadar, can greatly help with this and ensure companies in the financial services sector are prepared for whatever threats may arise.
The SEC guidance is available in full on the Commission's website.