Eric Vandal

Senior Consultant, Investment and Capital Markets

Financial institutions in the U.S. are well aware of the business risks related to cybersecurity, but there is an increasing number of related regulatory risks that also need to be addressed. The combined and growing focus of the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) and the Commodity Futures Trading Commission (CFTC) on cybersecurity issues is indicative of U.S. regulators’ state of mind.

This was made clear last September, when the SEC charged an American investment adviser with failing to adopt proper cybersecurity policies and procedures prior to a breach. The case is a clear signal that the SEC is taking cybersecurity seriously, and most compliance professionals expect more enforcement actions this year.

Impacted areas

Overlapping SEC and FINRA cybersecurity-related requirements target the following areas:

  • Governance and risk assessment
  • Access rights, controls and confidentiality
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response
  • Technical controls and trading system accessibility

The CFTC approach to cybersecurity is noteworthy because it is the first attempt to mitigate cybersecurity risk directly through regulation, by prescribing the kinds of security testing firms must perform rather than only the outcomes they must achieve. The CFTC has issued regulations for the following types of security testing:

  • Vulnerability testing
  • Penetration testing
  • Controls testing
  • Security incident response plan testing
  • Enterprise technology risk assessment

While these are U.S. examples, the same trend toward regulation as a means of mitigating cybersecurity risk can be found in other jurisdictions as well.

Taking action

In this environment, financial institutions are advised to set up and maintain a cybersecurity program that will hold up to regulators’ expectations. While there is not yet a single clear standard to conform to, there are enough signals and communications from regulatory bodies to warrant producing a plan that ensures both operational effectiveness and regulatory compliance.

To this end, the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) provides a solid basis against which firms can evaluate their own cybersecurity postures. The Framework reflects the recommendations of hundreds of businesses and government organizations, and it organizes its core security outcomes into the functions Identify, Protect, Detect, Respond and Recover, which map readily onto the regulatory focus areas listed above. It identifies common best practices, terminology, strategies, principles and technologies for security and privacy in information systems.

Years of business continuity and disaster recovery testing have afforded financial institutions a certain level of confidence that their staff would know how to react in the event of a disaster. But how confident are you in your staff’s ability to respond to a cybersecurity breach? And is your organization prepared to comply with the increasing number of cybersecurity regulations on the horizon?

CGI specializes in both financial services and cybersecurity, advising financial institutions across the globe on how best to address cybersecurity threats and regulations and build effective cybersecurity programs. As a trusted partner to the Canadian Payments Association, for example, we help ensure that more than $170 billion a day is cleared through CPA systems safely and securely. In addition, insurers are increasingly partnering with us to help manage the cyber risks of their policy holders. Contact us to learn more about the trend toward increased cybersecurity regulation and how we can help.

About this author

Eric Vandal

Senior Consultant, Investment and Capital Markets

Éric Vandal is a recognized thought leader on the impact of regulatory compliance on information systems within large organizations. As a Senior Consultant in the Investment and Capital Markets business unit at CGI, he actively follows the evolving regulatory landscape and its impact on the ...