We're at mile zero for cyber regulation. Buckle up for the road ahead.
Media mention
Forbes: Finding the silver lining in cyber regulations
Many people get into their cars and buckle their seat belts without giving it a second thought. When the first seat belt regulation in the U.S. was introduced in the late 1960s, it was initially met with strong opposition from some. Today, however, it's become commonplace—a likely future for cybersecurity regulations.
The SEC implemented a cybersecurity rule in December 2023 requiring large companies to report material cybersecurity incidents within four days. A related SEC proposal would require registered investment advisors and investment companies to establish written policies and procedures to address cybersecurity threats, among other requirements. This regulatory oversight may cause many to feel overburdened, but there's a silver lining.
Cyber risk cannot be solved. It's a business risk that needs to be continually managed. According to the FBI, potential cybercrime losses in the U.S. cost businesses more than $6.9 billion in 2021, and an UpCity survey found that only 43% of businesses felt financially prepared to face a cyberattack in 2022. While physical lives aren't primarily at risk in cyberspace, livelihoods are.
Although incoming cyber regulation may create near-term frustration for financial firms, regulators view the current environment as a seat belt moment. Business leaders are at a precipice—maintain the status quo and let cybercrime continue its bull run to a projected $10.5 trillion industry by 2025, or take proactive steps to better protect their businesses and clients in 2024.
As cyberattacks increase in sophistication, it's imperative to take these threats seriously as part of the duty to protect client data. Imagine having to defend potential negligence after a cyber incident that resulted in the exfiltration of custodied client data records. Many may not be able to prove they met their fiduciary responsibility to maintain the confidentiality of this data.
Financial services firms have a fiduciary responsibility to their business, stakeholders and clients—and that extends to cyberspace. While it may seem counterintuitive at first, cybersecurity regulations will help advisors maintain their fiduciary duty.
Just as families seek an advisor's expertise for financial planning and wealth management, businesses don't need to face cybersecurity regulation alone. The cost of a cyberattack and reputational damage—along with the compliance implications—on a business can be sizable.
Let's face it: cybersecurity sucks, and spending time with clients likely outweighs the desire to manage cyber vulnerabilities. For smaller or medium-sized advisory firms, it's critical to find a strategic partner that provides enterprise-grade security to fortify the business before experiencing a cyber crisis.
Managed security services providers frequently operate like general practitioners and provide a range of generic cyber services to multiple industries. Small or medium-sized advisory organizations often lack sufficient cyber expertise in house, which makes it critical to find a strategic security partner that can provide the same quality of service it would provide to a large enterprise client.
Organizations should avoid partnering with providers that don't have knowledge of their industry or that use outdated tools and products. Other red flags include partners that don't take the time to understand your business's capabilities and complexities or offer complex pricing models that complicate your organization's cost control measures. There is no one-size-fits-all approach to cybersecurity, and a good partner will offer a tailored approach that enables organizations to approach their cybersecurity management holistically—regardless of size.
Security staffed by credentialed talent and equipped with the right tools to evolve with the threat is paramount. This expertise often extends beyond the skill set of IT contractors. Cyber defense demands commitment, and treating security as an IT add-on to a technology implementation isn't necessarily effective. Businesses need to invest in dedicated expertise.
Change is inevitable, and businesses should expect nothing less when it comes to regulation. The SEC's focus on cybersecurity is a starting point, and these regulations will need to keep up with ever-evolving threats.
Cybersecurity is like the stock market. Investors need to stay the course, remain invested and keep focused on long-term goals—particularly in market ups and downs. On any given day, a cyber event is nothing—until it's everything. Predicting when a breach will happen isn't possible, but remaining invested in protecting the business is crucial for advisors and their clients.
Just as the seat belt was the beginning of a control system to protect life on the roads, we're arguably at mile zero for cyber regulation. It's time to buckle up for the road ahead.