A year after the U.S. Securities and Exchange Commission (SEC) proposed amendments to its cybersecurity regulations, the industry is waiting to see the final rules.
Once the rules are put in place, funds of every size will need to comply as regulations will be tightened in areas such as risk assessment, vulnerability management and board oversight. There is likely to be a large focus on incident reporting – giving organizations a 48-hour reporting window – and a mandate that all incidents be recorded in a firm’s prospectus or brochure. Our December 2022 webinar explores the details of these new requirements – and how they will impact your firm.
Failure to comply could have hefty consequences as the SEC continues to come down strongly on firms that don’t meet its security standards. In November 2022, the SEC released its enforcement results for that fiscal year and announced it had “brought significant enforcement actions” against major firms for non-compliance with cybersecurity regulations. It highlighted charges against giants such as Morgan Stanley Smith Barney, J.P. Morgan Securities and UBS Financial Services, resulting in penalties as high as $35 million.
There are several steps your business can take today to stay ahead of the pending regulations, as discussed in our February webinar. But if firms are to escape SEC penalties, they need more than sophisticated cybersecurity technology – they also require a knowledgeable, prepared workforce. These new regulations hinge on every employee understanding their role and following best practices, and this means firms must put renewed energy into training and guiding their teams. Inadequately preparing employees is a major oversight in the SEC’s book: in its July 2022 announcement of identity theft protection fines, it specifically cited failure to train staff.
So how should you train your employees to avoid potential SEC penalties?
First, confirm you have a clear picture of your data landscape: what data you collect, where it’s held and who has access to it. Not only will this information assist in risk assessment compliance, it can help you determine the specific types of security training your individual teams need.
Then, ensure all teams are up to date with the latest regulatory requirements, as well as due diligence procedures and individual company policies. All employees and stakeholders need to be clear on the steps they should take in the event of an incident – and understand why they’re taking them. Embedding this knowledge in employees will be crucial to remaining compliant with the SEC’s new 48-hour deadline, which doesn’t leave time for internal confusion. Part of this process may involve updating your incident response plans so incidents can be contained and resolved as quickly as possible.
You must also arm your employees with the knowledge and skills to proactively block breaches and cyberattacks. Phishing attacks and other forms of social engineering are designed to manipulate employees into giving hackers access, so it’s critical that employees learn how to spot and stop them. A simple call to a known contact to confirm an unexpected “urgent” email can save much misery down the line.
Finally, such training must be regarded as an ever-evolving process rather than a one-time session. Cybersecurity education should form a core part of employee onboarding, but continuous education is critical to keeping up with changing risks and amended regulations. Regularly refreshing training also helps keep knowledge fresh so teams can confidently and capably respond to cyber threats.
Businesses must be proactive about employee training, but they don’t need to go it alone. Outsourcing cybersecurity training to industry professionals like Drawbridge gives firms assurance that their employees are receiving rigorous training from experts in financial services cybersecurity and SEC regulations. Drawbridge also runs tabletop exercises and simulated cyberattacks to test employees on incident response and ensure security knowledge is deeply ingrained.
The industry may be waiting for the SEC’s final rules, but you shouldn’t wait to sharpen up your cybersecurity program. Get a head start on the new regulations today by honestly assessing your current company policies and training programs and working to fill the gaps. After all, no firm wants to see its name on a future SEC fine.