The cybersecurity risks faced by all organizations are increasing rapidly, and financial services are no exception. Reports of attacks, both successful and not, pepper the media and lend credence to the claims that ignoring cyber risks can inhibit business growth. Legal prosecutions in all jurisdictions are becoming more commonplace, Board members are demanding action, and stakeholders including customers, investors, lenders and other partners now routinely expect evidence of cyber awareness and risk reduction.
What of regulators? There has been no shortage of circulars, guidance notes, requirements, standards and reports from regulatory bodies across the globe. FINRA has announced deficiencies identified in routine exams and has recently named cybersecurity a priority for 2018, and the SEC has formed a specialized Cyber Unit designed to respond to new and emerging cyber-enabled misconduct, so it is no secret that regulators are putting significant resources into this area.
They recognize the impact of cyber risk on their regulatory objectives in the broadest sense – market integrity, consumer protection, and competition. So their messages contain similar advice:
- Know your cybersecurity risks
- Recognise that people are a key point of weakness
- Strengthen security through new technical security measures, policies, procedures and training
- Have a formal cybersecurity response and recovery plan
- Consider network penetration, internal vulnerability and social engineering tests
Can your company offer credible assurance about its cyber risk management?
Who needs to be concerned?
In short, everyone. From Board members to the most junior of employees, all of us are vulnerable and a potential source of risk. While many instances of cybercrime can be prevented by simple measures such as anti-virus software, firewalls, secure WiFi, stronger passwords and limiting the ability to transfer data to computers, there is now increasing acceptance that pure IT measures are not sufficient. Regulators are looking for a “security culture” in firms of all sizes, along with recognition that cyber is not just an IT issue but covers people and processes as well. The key is good governance and information sharing.
What should be your objectives?
First, you must meet regulator expectations. Wherever your firm is domiciled, and wherever it has business operations, it is critical that you understand what your regulators want and that you meet those expectations.
Second, you must document your cyber risk profile, and then put in place actions to reduce the unwanted risks.
Last, you must be able to produce evidence for regulators, investors, clients and stakeholders of your reduced cyber risk, ideally through an independent report.
How can Bovill help?
Drawing on our wide-ranging experience helping financial services firms implement regulatory requirements, we have developed a 14-point component plan to help you manage and reduce your cyber risk. Get in touch for more information.