Posts

Cybersecurity for RIAs

Last year the Securities and Exchange Commission (SEC) voted to implement new and amended SEC RIA requirements to the Advisers Act of 1940 for cybersecurity risk management for registered investment advisers (RIAs) and funds.

Is your firm ready?

sec ria cybersecurity requirements

The proposed SEC rule changes would oblige RIA firms to develop and implement written policies and procedures to reduce cybersecurity risks that could harm clients and fund investors. The proposed regulations would also force advisers to report cybersecurity incidents like data breaches involving client information to the SEC.

Additionally, the proposed changes call for publicly disclosing cybersecurity risks and significant incidents from the last two fiscal years in their marketing materials and registration statements.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” said SEC Chair Gary Gensler.

While comments initially closed in April 2022, comments were reopened on March 15, 2023. Once comments are fully closed, the finalized rules will most likely become effective later in 2023. We will be providing future updates once the final regulations are published.

What do the New SEC RIA Cybersecurity Requirements Entail?

The four significant proposed changes include the following:

  1. The proposal consists of new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. In addition, the proposed cybersecurity risk management rules require public companies to adopt and implement policies and procedures for identifying, assessing, and mitigating cyber risks.
  2. The proposal also includes a reporting requirement under new rule 204-6 mandating companies report significant cybersecurity incidents affecting the adviser, its fund, or private fund clients.
  3. The updated rules include changes to Form ADV Part 2A requiring advisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.
  4. The proposal also includes new recordkeeping requirements under the Advisers Act and Investment Company Act Rule 204-2 to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities.

RELATED CONTENT → Security vs. Compliance: Differences & Similarities


What Can You Do to Prepare for RIA Cybersecurity Enforcement?

Here are some expert tips on being ready for enforcement when the changes go into effect later this year.

  •  Develop and Implement Policies and Procedures

RIAs and funds must create comprehensive cybersecurity policies and procedures to mitigate cybersecurity risks per the proposed rules. Keep in mind that these policies and procedures must be both compliant and actionable.

  • Conduct a Risk Assessment

Evaluate cybersecurity risks by identifying, categorizing, and prioritizing cybersecurity risks related to your systems and operations. By conducting an effective risk assessment, you’ll have the necessary information to develop compliant policies and procedures to combat potential cybersecurity risks.

  • Prepare for Disclosure Obligations

When it comes to disclosures associated with cybersecurity risks or incidents, develop procedures for clear, accurate, and timely disclosures to the SEC, clients, investors, and other market participants.

  • Continuity Planning

In the event of a cybersecurity incident, you must be able to maintain system operations. So, test your incident response and business continuity plans through tabletop exercises to ensure compliance with the requirements.

  • Reporting and Documentation

Employing a governance, risk, and compliance (GRC) solution will ensure you have well-documented evidence that your cybersecurity program is compliant.

In addition to ensuring that your firm will align with the changes, these suggestions are also considered best practices for mitigating the risks from data breaches and other cyber attacks. Following these and other practices makes good sense whether your firm is required to or not.


To learn more about GRC, download our free guide →  Understanding Governance, Risk Management, and Compliance for Financial Services.


By employing these practices, you’ll be ready for any forthcoming changes to cybersecurity regulations and well-protected against potential security threats. One solution for preparing now or later is to work with an experienced and knowledgeable IT service provider. An IT partner experienced with RIA firms, and one employing robust cybersecurity and compliance solutions can reduce the time and resources it takes to comply with and implement these and other cybersecurity compliance standards.

security vs compliance

Security and compliance are often used interchangeably in IT, but that is actually a misnomer as they are not equivalent. So, just what are the differences between security vs. compliance?

security and compliance

Security Vs. Compliance

In understanding security vs. compliance, it’s important to recognize that they are both equally important but for varying reasons. Whereas security drivers are related to mitigating business risks, compliance drivers are regulatory or legal in nature. Compliance and security have similar objectives around managing risks and securing sensitive data and systems. However, they have different processes and workflows to accomplish these goals.

Compliance involves applying regulatory standards to meet contractual or third-party regulatory requirements.  In contrast, security constitutes the implementation of adequate technical controls to protect digital assets from cyber threats.

Still, again, they are similar but not equal. So why is the distinction between security and compliance important? It is significant because implementing one without the other could lead to devastating consequences for your company.

Cybersecurity

That’s the motivation behind implementing cybersecurity—the desire to protect the confidentiality, integrity, and availability of company assets through security controls and best practices.

IT security is unique to each organization—the measures set by one entity may be entirely different from those of another. Security focuses on comprehensively mitigating any risk that may threaten an organization’s data confidentiality, availability, and integrity—it relates to all the electronic and physical data of an organization and not just those covered by compliance.

We don’t walk around with our bank account or social security numbers on our foreheads—that would be reckless. Instead, we do our best to secure sensitive information from individuals who want to steal it because securing valuable data is a prudent action to reduce the associated risks of identity theft and drained bank accounts.

Cybersecurity acts the same way. Recognizing the risks, smart business leaders choose to secure assets to protect their business from harm and keep their business. The fallout from inadequately securing business assets can lead to loss of business revenue, costly lawsuits and settlements, theft of intellectual property and proprietary information, reputational loss, inability to operate, and business shutdown.


Related Content →  Evaluate your security readiness with our  Cybersecurity Checklist.


Compliance

The confusion between the two functions arises because the outcomes from implementing compliance measures often overlap with implementing security measures. However, the motivation behind organizational compliance is to ensure that obligations and requirements are satisfied to avoid negative consequences and ensure business viability.

These external compliance requirements and standards include a range of often intersecting and complicated networks of government, industry, financial, and even customer requirements. Cybersecurity is often a small part of a greater set of requirements. Examples include:

  • Self-regulatory organizations like PCI Security Council (PCI DSS) and Financial Industry Regulatory Authority (FINRA)
  • Governmental bodies like the U.S. Securities and Exchange Commission (SEC)
  • Government regulations, including Gramm-Leach-Bliley Act (GBLA), FTC Safeguard Rule, Sarbanes-Oxley (SOX)
  • Privacy standards, including HIPAA/HITECH, GDPR, CCPA
  • Technical Standards and Certifications, including ISO27001, SOC2
  • Control frameworks, including NIST CSF, CIS Critical Security Controls
  • Client SLAs
  • Due Diligence requests (DDQ)
  • And more depending on your industry and other factors.

Looking at the worst possible outcomes, the legal and financial ramifications of non-compliance with these and other standards would lead to your organization paying hefty fines and penalties, facing costly lawsuits, being blocked from working in certain locations and industries, not being able to take payments, loss of financing and investors, not being able to acquire insurance, and more.


Related Content → What is Governance, Risk, and Compliance?


Security vs. Compliance the Big Picture

The reality is that neither IT security nor compliance lives in a vacuum. Instead, they are complementary—symbiotic even. They successfully function from a mutually beneficial association that enhances and reinforces the benefits of each other. One without the other would be like trying to make water without oxygen or hydrogen.

Being compliant with a specific set of standards is not the same as having an effective and robust information security system. Compliance simply measures whether your security protocols meet a given set of one-size-fits-all security standards at a given point in time.

A robust security system makes it easier for an organization to meet compliance standards since most of the needed controls will already be in place. All that would remain to attain compliance would be documentation work and adherence to industry-specific policies.

It’s All About Managing Risk

The real question every business leader should be asking is how to leverage both security and compliance to reduce exposure and risk. Compliance establishes a comprehensive baseline for covering an organization’s overall posture. At the same time, security practices build on that baseline to ensure that the business is protected from every angle.

It’s all about risk. Or, more accurately, reducing risk. And security combined with compliance is the one-two punch every business needs to minimize risk and protect assets.

For companies of any size, Governance, Risk, and Compliance (GRC) is about aligning cyber and information technology with business objectives, while managing risk and meeting regulatory compliance requirements. Therefore, an effective GRC strategy is essential because it pulls together the complexity of various risk, compliance, and governance functions into a single strategy.

Successful companies address cyber risk in a business context. From that point of view, avoiding fines and data breaches are preferable. In establishing and implementing compliance and security, smart leaders treat them as a risk-management concern and not just an “IT problem.” Integrating your security and compliance teams into your risk assessment program will lead to mutually assured success.

Additionally, certain industries, like financial services and life sciences, have overlapping requirements originating from a variety of sources which can make fore a complicated matrix to follow. Working with an IT vendor who specializes in your particular industry is ideal to ensure compliance across all regulations.

Choosing the right security and compliance solutions is also critical. Operating with a “checkbox” approach to either compliance or security will lead your organization toward a rocky future. Instead, focus on developing and adhering to robust policies and choosing the right solutions based on your industry needs, risk assessment, and business goals to satisfy and streamline your compliance and security activities.

Data Breach Detection

With the increasing reliance on technology in today’s business world, the risk of data breaches is at an all-time high, making breach detection a crucial factor in protecting sensitive data.

Data Breach Detection

Detecting a data breach early on can help organizations limit the damages, preserve their reputation, and prevent further unauthorized access to their systems. Despite this importance, many businesses struggle to identify data breaches as they happen, only realizing something is wrong when it’s too late. We outline some helpful insights about the importance of breach detection and the strategies they can adopt to improve their breach detection capabilities to protect their business before, during, and after a data breach.

Causes of a Data Breach

A variety of factors can cause a data breach, including human error, malicious attacks, and software errors. Human error includes misconfiguring security settings or sending sensitive data to the wrong recipient. Malicious activities, such as ransomware attacks or phishing scams, are escalating and increasing in frequency and can lead to unauthorized access to sensitive information or data loss. Additionally, software system errors or vulnerabilities can provide entry points for attackers to exploit.

The growing reliance on third-party vendors and the complexity of supply chains have also increased the potential for supply chain attacks, where attackers target a third-party vendor’s systems to get access to valuable information. Therefore, understanding the causes of data breaches is vital for businesses to identify vulnerabilities and implement appropriate security measures to prevent them.

Data Breach Detection

The majority of data breaches are discovered by external sources, meaning that an external entity, rather than the affected business, was the first to recognize the breach. This makes it clear companies need to improve their data breach detection systems to monitor and detect potential breaches in real time.

With so many data breaches occurring every day, it’s critical for organizations to stay vigilant and invest in the latest technologies, and to detect potential breaches as soon as possible. By prioritizing breach detection and response, businesses can mitigate the damage caused by a breach, protect their customers’ data, and maintain their reputation.

Identifying High-Value Data

Identifying and securing high-value data is critical in protecting sensitive information from unauthorized access, loss, or theft. High-value data can include business trade secrets, intellectual property, financial information, personally identifiable information, and other sensitive information that could harm your business or customers if leaked or breached. To identify high-value data, a company must conduct a thorough inventory of data assets, categorize data based on sensitivity, and apply appropriate security controls to protect it from unauthorized access.

Effective security controls should include access controls, encryption, multi-factor authentication, and data loss prevention tools. Protecting high-value data may require additional resources and investment, but the potential cost of a data breach can be devastating. By prioritizing data protection for high-value data, businesses can minimize the risks associated with a data breach and build a trusted reputation with their customers.

Active Monitoring Processes

Active monitoring processes are essential for preventing data breaches and protecting sensitive information from unauthorized access. Active monitoring involves continuous monitoring of a system’s security posture to identify potential threats, suspicious activities, or vulnerabilities. By proactively monitoring networks, applications, and data usage, businesses can quickly detect and respond to security incidents before they become full-blown breaches.

Active monitoring processes can include but are not limited to, security information and event management (SIEM) solutions, intrusion detection and prevention systems, network and endpoint protection tools, and data analytics platforms. These tools provide a holistic view of the organization’s security posture and enable businesses to take timely action against probable security threats. Through active monitoring and timely response, organizations can prevent data breaches, protect sensitive information, ensure compliance, and maintain their reputation.

Rapid Remediation After a Data Breach

Rapid remediation is a crucial step in limiting the damage caused by a data breach. Once a breach has been detected, acting quickly and decisively to contain it and minimize the harm is essential. Rapid remediation strategies may include, among others, isolating affected systems, disabling breached accounts or systems, restoring from backups, identifying and removing malware or other malicious software, and conducting forensic analysis to determine the extent and root cause of the breach. The ultimate goal of rapid remediation is to lessen the severity of the breach and protect sensitive data from further exposure.

By responding to a breach quickly, businesses can reduce their financial and legal liabilities, safeguard their reputation, and mitigate operational disruptions. Effective remediation requires a well-defined incident response plan, including clear roles and responsibilities, thorough documentation, and continuous improvements in response to changing threat landscapes.

In conclusion, data breaches are becoming more sophisticated and prevalent, making breach detection an essential component of data protection strategies. Therefore, organizations must stay up to date with the latest technologies and adopt a multilayered approach to cybersecurity, including monitoring, training, and incident response planning.


Related Content

Looking to evaluate your organization’s current security coverage? Use our Cybersecurity Evaluation Checklist to help you appraise your firm’s cybersecurity readiness. This checklist is a jumping-off point to help your enterprise determine its ability to mitigate the risk of cyberattacks before it is too late.

 


Only by adopting a proactive, comprehensive approach can organizations hope to prevent significant breaches, mitigate their impact, and protect sensitive data. However, when it comes to data breaches, it’s not a matter of if but when. Therefore, businesses must continuously assess their IT security posture and adopt proactive measures to detect and respond to potential breaches. Only then can they safeguard sensitive data, ensure compliance, maintain operations, avoid liability, and avoid the headlines.

CPRA vs CCPA

Today’s businesses operate in a global landscape where data privacy and security compliance are more complex than ever. Case in point, there is a significant amount of uncertainty about the upcoming CPRA requirements and how it differs from the CCPA. Let’s look at CPRA vs. CCPA.

CPRA vs CCPA

CPRA Vs CCPA

The California Privacy Rights Act strengthens the consumer privacy rights outlined in the CCPA and establishes new data security requirements for businesses with enforcement beginning on July 1, 2023.

Businesses must protect the privacy of personal information, including taking steps to implement authentication procedures, updating policies, and securing user data. In addition, businesses must comply with CPRA by July 1, 2023, or face potential fines, lawsuits, and more.

In terms of CPRA vs. CCPA, it is important to note that the CPRA does not replace the CCPA. Instead, the CPRA amends CCPA by adding clarifications and strengthening provisions.

What is the California Consumer Privacy Act (CCPA)?

Enacted in 2018, the CCPA was the first significant privacy law in the US after the EU adopted the General Data Protection Regulation (GDPR).

The CCPA is a baseline law that created consumer privacy protections like the right to know what personal information a business collects and shares. It required companies to provide notice of their data practices and more. It applies to all businesses operating in California, whether they have a presence in the state or not.

The CCPA requires businesses to provide certain notices and disclosures, such as a dedicated privacy policy, to individuals before collecting their personal information.

What is the California Privacy Rights Act (CPRA)?

The CPRA builds upon the CCPA by further expanding consumer privacy rights and strengthening data protection requirements. For example, the CPRA grants consumers even more control over their personal information by requiring businesses to obtain explicit consent for data processing activities outside the scope of contractual necessity or legal obligation. It also adds more data security requirements and expands the scope of data security procedures covered by the law.

Key Differences Between CCPA and CPRA

Businesses should note that the main distinction between the CCPA and CPRA is the addition of strict consumer data privacy and security provisions. For example, the creation of a new category of sensitive personal information expands the data types that are subject to greater protection measures. Additionally, the mandatory cybersecurity and risk assessments and third-party audits required for some businesses will add additional layers of complexity to compliance programs.

 CPRA Data Security Updates

Here are some data security requirements outlined in the CPRA:

  1. Reasonable security measures: California privacy law expects businesses to implement “reasonable” security measures to protect the personal data they collect.
  2. Sensitive personal information protection: CPRA expands the categories of personal information, and businesses must employ reasonable security measures to protect this data, including encryption and access controls.
  3. Annual security audits: The CPRA requires that businesses performing higher-risk processing (as defined by the CPPA) conduct annual cybersecurity and risk assessments, as well as vulnerability assessments and penetration testing.
  4. Third-party vendor security: Companies must conduct due diligence on vendors that handle personal information, ensure they have adequate data protection measures in place, and only transfer data to vendors with confidentiality agreements in place.
  5. Training and education: Businesses must train their employees to manage personal data and ensure they understand how to protect it.
  6. Data breaches: The CPRA now considers email account leaks as data breaches, particularly if such leaks result in the exposure of personal details linked to people residing in California, as well as when security question leaks occur.
  7. Data minimization and retention: Companies must limit the data they collect, store, and retain to a reasonable amount necessary for their operations.

Potential Consequences of Non-Compliance

The potential outcomes of non-compliance are significant. The CPRA clarifies consumers’ rights to sue for violations and creates the California Privacy Protection Agency (CPPA) to enforce the CCPA and CPRA. Companies that violate the laws can face hefty fines and sanctions, including criminal penalties or suspension of the company’s ability to conduct business in the state. Additionally, organizations that fail to comply could become subject to costly and time-consuming lawsuits.

Announced in August 2022, the first enforcement action of the CCPA was a $1.2 million settlement against Sephora for neglecting to inform consumers about the sale of their data and to adequately process sale consumer opt-outs.

Enforcement actions are expected to increase after the full force of the CPRA goes into effect in July 2023.

How to Navigate a Changing Regulatory Landscape

It is critical to know what data your business collects and how it is secured to ensure compliance with the CCPA and the CPRA. Working with an IT partner that understands data privacy laws and regulations and data security requirements is essential for organizations looking to stay compliant in this increasingly regulated environment.

Your organization may also be required to follow additional requirements like the European GDPR or New Yorks’s Shield Act. By enlisting the services of a qualified IT services provider, organizations can make certain they are up to date on all the latest regulations and utilizing best practices for data protection. In addition, having an experienced IT partner means businesses can avoid disruptions and safeguard operations and focus on growing their bottom line.


Related Content → Read about how a GRC-enabled solution can streamline and simplify compliance  Understanding Governance, Risk Management, and Compliance for Financial Services.


 

NY SHIELD Act Data Privacy Laws

As data breaches increase in frequency and severity, regulators are implementing new data privacy laws to reduce consumer risk.

Currently, there are no comprehensive data security or privacy laws at the federal level. As a result, individual states are implementing laws to protect their residents. Unfortunately, this creates a complex maze of overlapping data privacy laws businesses must follow. The NY Shield Act is an example of one of these laws.

NY SHIELD Act Data Privacy Laws

What is the NY Shield Act?

The NY Shield Act, or Stop Hacks and Improve Electronic Data Security Act, is a set of laws that require businesses to take specific steps to ensure the security and privacy of sensitive customer data. Implemented in 2020, it amended the New York state’s existing data breach notification law to impose stricter data security requirements on companies to protect consumers’ personally identifiable information from misuse, breach, or unauthorized access.

Who Needs to Comply with the NY Shield Act?

The NY Shield Act applies to all companies operating in New York State or gathering information from residents of New York, even if they are not based in New York or the United States.

What’s Required of Businesses?

Businesses must implement a Data Security Program and reasonable safeguards to ensure private information is stored and erased safely. This prescription includes physical, technical, and administrative controls to protect sensitive information. Additionally, businesses must notify customers whose data has been compromised if a breach occurs.

What Are the Consequences of Non-Compliance?

Businesses must take “reasonable” steps to comply with the NY Shield Act. Companies that fail to take these steps or lack proper security measures could face fines and penalties. Fines for non-compliance start at $5,000 up to a maximum of $250,000, and the state Attorney General can also initiate a civil action case and levy penalties against violators.

Recent civil actions lawsuits for violations of the Shield Act include:

  • Wegman’s agreed to pay $400,000 in penalties in June 2022 after it was discovered that cloud storage containers hosted on Microsoft Azure were left unsecured and open to public access, potentially exposing consumers’ data.
  •  A 2020 agreement with EyeMed that resolved a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide required that the company pay $600,000 in penalties.
  • In 2022, the NY AG and 45 other Attorneys General received $1.25 million from Carnival Cruiseline as part of a multistate settlement after a 2019 data breach exposed the personal information of 180,000 Carnival employees and customers nationwide.

 

“In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers,” wrote NY Attorney General Letitia James regarding the Wegman’s settlement.

Is this like CCPA?

Yes and no. CCPA is a data privacy law, while the SHIELD Act is a security regulation. The California Consumer Privacy Act focuses on data privacy, and the NY SHIELD Act is a security law. The CPRA, a later update to the CCPA, includes data security provisions.

The main takeaway is that, just as with the CCPA, businesses must comply with the Shield Act if it conducts business in the state or collect information from residents, even if the company is located outside the state.

What Are the Key Requirements of the SHIELD Act?

The NY Shield Act requires companies to:

  • Implement security measures appropriate for the size, scope, and type of business.
  • Ensure their service providers maintain the same level of data security as you do.
  • Create a written Information Security Program to protect sensitive customer information from unauthorized access or use.
  • Regularly assess and test the security of your systems.
  • Provide training to your staff on security and privacy best practices.
  • Notify customers in a timely manner in the event of a data breach.

How Can I Comply with the NY Shield Act?

The best way to comply with the NY SHIELD Act is to create an Information Security Program that addresses the requirements of the law. The program should include policies and procedures for protecting sensitive information, such as multifactor authentication and access control measures, regularly testing your systems, training staff on data security best practices, and providing timely notification to customers in the event of a breach. You should also ensure that any third-party vendors you use are compliant.

Data Security vs. Data Privacy: What’s the Difference?

It’s essential to understand that data security and data privacy are not interchangeable terms. While both aim to protect data, they focus on different aspects. Data privacy focuses on individuals and their rights to protect their personal information from being used by companies and governments without consent. Data security protects against unauthorized access to sensitive information by employees, bad actors, or malicious software. Ultimately, the goal is to ensure that data remains safe so that organizations and consumers can trust that their data is being used as intended.

Next Steps for Compliance

The NY SHIELD Act is a vital law for protecting sensitive information and maintaining consumer trust in an organization. Business executives must ensure full compliance with the law, including implementing a data security program, performing routine assessments, and appropriately responding to security incidents. Working with an IT partner experienced with the Shield Act and other data privacy laws and regulations is ideal. Protecting customer data is essential in today’s digital world and can only be achieved through implementing effective security measures.

GDPR Requirements

Businesses today are in a race to become more connected and technologically advanced. With more data available than ever, organizations must implement measures to protect sensitive information from cyber threats and misuse.

This directive becomes even more vital considering the crisscrossing data privacy laws from various sources, including the General Data Protection Regulation (GDPR). While you are most likely familiar with this regulation, it is essential to understand what it entails and how it impacts your organization. Read on to learn more about the GDPR requirements impacting you and your business.

GDPR Requirements

What is GDPR?

The General Data Protection Regulation (GDPR) was enacted to protect consumer data privacy rights in the European Union. All organizations that manage customer data will be held responsible for its proper handling, regardless of location. Thus, any non-European organization that handles or collects the personal data of EU citizens is subject to GDPR.

GDPR compliance is vital for organizations seeking to protect their customers and business reputation. Non-compliance can result in personal liability, job loss, huge fines, administrative penalties, and more.

7 Must-Know GDPR Requirements

  1. Who does it apply to? GDPR applies to any business that collects, stores, or processes personal data from individuals in the EU, regardless of the company’s location.
  2. What types of data privacy does it cover? The GDPR protects a wide range of personal information, including names, addresses, email addresses, phone numbers, photos and videos, biometric information such as fingerprints and retinal scans, IP addresses, web cookies and browsing history, and more.
  3. What are the requirements of GDPR? GDPR requires companies to obtain explicit consent for data collection, protect personal data, provide access to data subject requests, and notify authorities about data breaches.
  4. What should companies do to comply? First, companies should appoint a Data Protection Officer, perform regular data protection impact assessments, and provide employee training.
  5. What about GDPR and third-party risk management? The GDPR requires companies to establish contractual agreements with third parties to ensure compliance with the GDPR’s data protection requirements. In other words, you are responsible for the activities and compliance of your third-party vendors regarding data from the EU.
  6. What are the consequences of non-compliance? The penalties for non-compliance with GDPR can be up to 4% of global revenue or €20 million, whichever is greater. Furthermore, failure to report a breach in time can cause fines as high as €10 million, which is on top of the cost of notification and any business losses caused by the breach. In addition, non-compliance may result in lawsuits from impacted consumers, business disruption, and reputational damage.
  7. What are GDPR’s implications for data breaches? GDPR requires companies to notify authorities and affected individuals about data breaches within 72 hours of discovery.

Next Steps for Ensuring GDPR Compliance?

The best way for business executives to ensure that their organizations comply with GDPR is to create a comprehensive data privacy and security plan.

  • Conduct a data audit: Identify the personal data your business processes, where it comes from, and who has access to it.
  • Update your privacy policy: Ensure your privacy policy is written in clear language and includes information on how personal data is collected, used, and processed.
  • Obtain appropriate consent: Obtain explicit consent from individuals for collecting, processing, and using their personal data.
  • Implement appropriate security measures: Implement technical and organizational measures, such as encryption and access controls, to protect personal data.
  • Train employees: Educate employees on GDPR compliance and appoint a data protection officer to oversee compliance efforts.

The Data Privacy and Security Landscape

Of course, GDPR is not the only set of regulations you need to worry about regarding data privacy and security. In response to the growing threats from data breaches, your firm must address a whole set of overlapping laws. From other regional regulations like the California Consumer Protection Act to industry-specific requirements, your firm must comply with a complicated compliance matrix.

Working with an IT partner can ensure that your firm utilizes the best practices for all the required regulations and reduce your risk exposure. Doing so will enable you to protect client data, streamline compliance obligations, create a secure online environment, and keep you and your firm out of the headlines.

GDPR compliance is essential for organizations that want to protect customer data and safeguard their business reputation. Therefore, companies should take the steps outlined above to ensure they comply with GDPR, such as conducting a data audit, updating privacy policies, obtaining appropriate consent from customers, implementing security measures, and training employees. Ultimately, these steps will help companies avoid any severe penalties or repercussions due to non-compliance with GDPR regulations.

As a C-level executive in the financial services industry, you are constantly looking for ways to optimize your firm’s operations, achieve strategic goals, and reduce risk. Governance, risk management, and compliance (GRC) can help you do just that.

GRC is a framework designed to help organizations align their objectives with risk management and compliance policies.

What is governance risk and compliance?

 

In today’s highly regulated business environment, organizations need to have a comprehensive GRC system that enables them to manage their risks effectively, comply with regulations and laws, and meet the needs of their stakeholders. Let’s explore why organizations need effective GRC and how it can help them achieve their strategic goals.

What is GRC?

GRC comprises three key components to align policies, reduce risk, and ensure compliance.

Governance is the process of developing and adhering to policies, procedures, and practices that support an organization in meeting its business objectives. An effective governance system helps ensure that the organization makes decisions aligned with business goals. In addition, by establishing effective governance, organizations can ensure that their plans are being implemented effectively and have the necessary structures, processes, and systems in place.

Risk Management is the process of identifying, assessing, and mitigating risks associated with operations within the firm or from external threats the firm faces. An effective risk management program will help identify potential risks early so that they can be addressed before they become significant issues.

Compliance is the adherence to mandated internal and external standards, regulations, and best practices that must be met for a firm to operate responsibly and fulfill legal obligations. Good compliance requires an effective combination of policies, procedures, training, monitoring, and corrective action.

Why Does My Firm Need a GRC Program?

Financial services firms are under tremendous pressure from increased regulations, heightened scrutiny from investors, clients, and other stakeholders, and rising security risks. However, according to Hyperproof, 65% of businesses still manage IT risks using an “ad-hoc, reactive approach, with siloed processes and disconnected tools.”

A robust GRC response can benefit these firms by helping them address expanding regulations, control risk across all business units, reduce the cost associated with audits and due diligence questions (DDQs), improve compliance processes, and streamline reporting requirements.


Related Content → IT Security and Compliance. What’s the Difference?


By combining these three components into one unified system—GRC—firms can benefit from a variety of outcomes, including:

  • Improved efficiency across departments
  • Increased visibility into compliance requirements
  • Reduced costs through streamlining processes
  • Better identification of potential risks
  • Streamlined reporting
  • Better decision making
  • Enhanced stakeholder confidence
  • Strengthened brand reputation
  • Improved organizational agility
  • Amplified data security and privacy protection

By bringing governance policies and procedures, risk management, and compliance programs together, firms can swiftly adapt and adjust as needed while remaining compliant with all applicable regulations and internal best practices. Moreover, with integrated GRC—it will become easier for executives to confidently navigate today’s complex world of risk analysis and regulatory compliance more successfully.

Solving GRC

In the past, GRC organizations implemented GRC as distinct activities. Processes and systems were created in silos and often in response to a specific trigger—like new regulations, security incidents, or audit findings – without integration throughout the company. The approach created a web of inefficiencies, redundancies, and inaccuracies that left businesses vulnerable to fines and penalties, lawsuits, reputational damage, and even loss of revenue.

In today’s world of increased risks and shifting compliance, it is of the utmost importance to implement a GRC solution that creates an effective foundation for recognizing, assessing, and controlling risks. In addition, organizations must remain continuously vigilant and responsive to the ever-evolving risk and compliance environments with ongoing monitoring, support, and guidance.

GRC tools should also reinforce and streamline your policies, procedures, and processes. Given the complexity of the financial services industry, many firms are choosing an IT partner with domain expertise and one that provides strategic guidance and know-how in addition to a technology platform.


DOWNLOAD → Read more about the must-have elements of a GRC platform and IT partner in Understanding Governance, Risk Management, and Compliance for Financial Services.


SOX Compliance Requirements

As cyberattacks increase and intensify, the hardening of security measures becomes even more of a necessity, as does compliance with a network of laws and regulations, including SOX compliance.

SOX Compliance Requirements

What Is SOX Compliance?

First passed in 2002, the Sarbanes Oxley Act (SOX) requires publicly-traded companies to maintain transparency in financial reporting, preventing fraudulent accounting activities, protecting investors, and improving investor confidence.

The Act includes compliance requirements about external auditors, corporate governance, internal control assessments, and financial disclosures.

SOX IT Compliance Requirements and Reporting

When it comes to IT, SOX compliance requires firms to have policies and procedures in place to prevent, detect, and disclose material cybersecurity risks and incidents. Companies also need to prove that they have data safeguards and procedures in place and that they are operational. This includes quality access management, preventative security measures, and redundant and secure backups.

Additionally, another requirement is that security systems must be able to detect data breaches, and the organization needs a communication plan for notifying leadership and investors of identified breaches. In reporting and during an annual SOX compliance audit, businesses must attest to and provide evidence that these internal controls exist.

One extremely challenging SOX cybersecurity requirement is that businesses are responsible for reporting material cybersecurity risks within four business days after the registrant determines that it has experienced a material cybersecurity incident. This can mean that an organization must disclose a risk or incident before regular reporting or a yearly SOX audit.


Related Content → IT Security and Compliance. What’s the Difference?


SOX in 2023

In both 2011 and 2018, the SEC published guidance for interpreting existing rules in connection with cybersecurity threats and incidents.

However, in 2022, the SEC recommended a proposed rule that would require registrants to provide enhanced disclosures about “cybersecurity incidents and cybersecurity risk management, strategy, and governance.” This rule is part of the Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions released by the Office of Information and Regulatory Affairs. SEC Chair Gary Gensler released a statement in early 2023 acknowledging the Commission’s support of the proposed agenda.

It is significant to note that SOX requires signing officer(s), typically an Executive Officer, to attest that the information in their internal control and financial reports is accurate. They cannot contain any false statements, nor can they omit material information. They also need documentation demonstrating that the organization is SOX compliant. Intentionally or inadvertently generating misleading compliance reports or falsifying information not only leads to noncompliance but can also result in upwards of $5 million in fines and 20 years in prison.

In 2022, the news that Uber’s CISO was convicted of federal charges for failing to disclose a 2016 data breach broke, demonstrating just how severe the consequences of non-compliance can be for individuals as well as companies.

Understanding Risks and Their Impact

How do you know what your material cybersecurity risks and incidents are? How do you know if your firm has experienced a breach?

If your IT team does not have the expertise to continuously analyze risks and understand SOX compliance requirements, they may not see correlations that signify a material risk. Without expert guidance, your firm may miss the context or severity of threats. Businesses may not report minor security incidents deeming them to be immaterial. But what if all these smaller threats and incidents turn out to be a much larger problem? Unable to see the connection between events, an organization could unintentionally omit a material cybersecurity risk in its reporting.

Even worse, failure to evaluate the risk appropriately can lead to security breaches, data loss, lawsuits, and other costly damages.

With such high penalties for failure to appropriately disclose material cybersecurity risks and incidents, it is critical for businesses to implement compliance processes and risk management practices to identify and assess threats across their network. Identified risks need to be assessed and treated appropriately and promptly. This process of assessing and implementing measures to modify risk is known as risk treatment.

To understand the risks in your firm’s environment, it needs continuous network monitoring and the expertise and systems for evaluating and conducting a risk assessment. Partnering with an IT firm with specialized knowledge of the compliance requirements outlined in SOX is ideal to ensure compliance and improve your security posture.

Actively Monitoring for Cybersecurity Threats

There is a difference between performance monitoring and cybersecurity monitoring.

Performance monitoring lets you know if systems are operating efficiently, but it doesn’t tell you what security threats exist or the severity of those risks.

In 2023, the risks from malicious cyberattacks and technology are substantial and are a constant threat. It is no longer acceptable to run occasional cybersecurity scans and assume you are seeing an accurate picture of your overall security posture. Instead, to have a complete understanding of the risks and incidents that occur on your network, you need 24x7x365 activity monitoring.

With a managed detection and response (MDR) platform, a team of security analysts with skills in forensic analysis can identify, evaluate, and provide a response plan to threats and breaches within your network.

SIEM Technology

Without the help of security analysts and security information and event management (SIEM) technology, you may not see the significant link between small risks or incidents.

Security experts use SIEM platforms to correlate and analyze threats. This helps to provide context and severity of risks, which is instrumental in determining materiality.

Keep in mind that you need a security expert to utilize the full benefits of these types of internal security controls.

Meeting SOX Compliance Requirements with Comprehensive Cybersecurity

As mentioned, to maintain SOX compliance, your organization needs to be able to measure the materiality of cybersecurity risks and incidents.

Without the right tools, expertise, and testing, your business could experience a breach causing tremendous financial costs, permanent data loss, or even closure.

Even if your organization is not required to be SOX compliant, implementing internal controls and data protection procedures increases your overall security posture. For a private company or a non-profit, which are not mandated to have SOX compliance programs, creating and monitoring security controls is considered to be a cybersecurity best practice.


Related Content →  Evaluate your security readiness with our  Cybersecurity Checklist.


To learn more about SOX cybersecurity and compliance solutions, reach out to Coretelligent’s team of experts.

Financial Services Compliance

Financial services compliance is a dynamic target with extreme consequences for non-compliance. For financial services firms, there is absolutely no room for error. Firms must remain vigilant to ensure they meet their obligations under a growing set of laws, regulations, and standards.


The Intersection of Financial Services Compliance & Technology

Financial Services Compliance

In the financial services sector, compliance has always been a significant concern. While earlier methods of compliance reporting were largely manual, the intricate nature of today’s financial services compliance and security challenges renders such methods obsolete. To navigate this intricate landscape, firms need to move beyond traditional check-box compliance methods. Instead, they should adopt comprehensive compliance platforms complemented by specialized advisory services.

Regulatory agencies introduce security and compliance measures to bolster the global economy’s stability and safeguard consumer privacy. The surge in third-party affiliations further underscores the importance of enhanced management to minimize risk. Meeting the specific reporting and data management standards set by these entities requires financial services firms to establish intricate, often expensive, and time-intensive systems. Yet, the cost of non-compliance is even steeper, with potential repercussions ranging from fines and sanctions to reputational damage and revenue loss.

The Compliance Landscape for Financial Services

Highlighted below are several of the most critical regulations and standards that must be met by the financial services sector:

  • FINRA

The Financial Industry Regulatory Authority (FINRA) is an independent body that oversees the brokerage community, assisting both investors and firms. Its primary goal is to maintain a safe and fair market. To achieve this, FINRA regularly updates its rules in response to global market changes. A significant focus of these regulations is on advanced cybersecurity measures. These standards aim to guard against cyberattacks, identify system breaches, and establish plans for business continuity and breach responses.

  • SEC

Financial firms must adhere to regulations set forth by the Securities and Exchange Commission (SEC). The SEC promotes fairness, transparency, efficiency, and compliance of all publicly-traded companies in the U.S. Financial firms are required to comply with the SEC’s Financial Reporting Requirements, which include annual and quarterly reporting as well as other periodic filings. Financial firms must also adhere to SEC governance and risk management standards, such as cyber risk policies, identity theft prevention plans, data security processes, insider trading safeguards, and more.

The SEC Chair, Gary Gensler, recently expressed his support of the Office of Information and Regulatory Affairs Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions, saying the agenda “reflects the need to modernize our ruleset, moving deliberately to update our rules in light of ever-changing technologies.”

  • SOX

First passed in 2002, the Sarbanes-Oxley Act (SOX) was established to protect individuals by increasing transparency in the financial services sector and requiring formalized checks and balances for individual entities. In today’s world, SOX compliance is aimed at limiting access to internal systems that contain confidential or financial data. Fortunately, SOX internal controls are also solid business practices that can enhance your firm’s cybersecurity risk profile and reduce the threat of insider attacks.

  • Due Diligence Requests (DDQ)

Compliance with investor due diligence requests (DDQs) has become more and more complex as the Financial Services industry grows. DDQs typically involve detailed information about financial operations, accounting practices, and related risk factors. Responding to these inquiries can be difficult, but it’s necessary in order to maintain regulatory compliance and build trust with investors. Financial services firms need to develop a reliable system for tracking and responding to DDQs quickly and accurately, as well as an audit trail of the communication process to prove compliance.

  • Cybersecurity Insurance

Cyber insurance carriers have expanded their compliance requirements and increased their schedule of audits to ensure that firms have robust controls in place. These audits assess security protocols, policies and procedures, disaster recovery plans, and more. Financial services firms must plan ahead for these inspections by having the right personnel prepared with well-documented processes and systems to prove compliance. Additionally, firms should have an external cybersecurity partner who can provide executive-level support to ensure the audit is successful.

Cybersecurity & Compliance: What’s the Difference?

Security and compliance are often mistakenly assumed to be synonymous, yet they are, in fact, distinct. Security and compliance are both essential, yet their purposes vary. While security is meant to protect data and infrastructure, compliance serves as a means of meeting legal or regulatory obligations.

Compliance and security have similar objectives around managing risks and securing sensitive data and systems but have different processes and workflows to accomplish these goals. Put simply, compliance is the act of meeting contractual or third-party regulatory requirements by adhering to set guidelines and standards. On the other hand, security requires implementing effective technical controls in order to safeguard assets from cyber attacks.

Both are critical for the financial services sector.

Solving Compliance Now & Into the Future

As we move into 2023, financial services firms face an evolving landscape of stricter and more comprehensive regulations. To navigate this, it’s imperative for these firms to stay informed and adapt. They should invest in the right IT infrastructure, recruit skilled personnel, and collaborate with trusted external partners. Moreover, having efficient systems to address DDQs promptly and accurately is crucial. Ensuring they maintain robust cyber insurance policies is equally important. By proactively taking these measures, firms can not only ensure compliance but also effectively mitigate potential risks.

Understanding the evolving world of IT compliance for financial services firms is an ongoing conversation, not a one-time decision. Learn more about the compliance obstacles facing the financial services sector. Download Coretelligent’s complimentary whitepaper: How Financial Services Firms Can Manage Compliance.

 

What you need to know about cyber insurance requirements with image of shield and technology and coretelligent logo

The average cost of a data breach in 2022 in the U.S. reached a new all-time high of $9.44 million, according to IBM. With this continued rise in cybersecurity incidents, financial services firms are a popular target for cyberattacks.

However, obtaining cyber insurance can help mitigate these attacks’ financial burden. Now more than ever, financial services firms are strongly encouraged to get cyber insurance due to the intensifying threat landscape and increasingly complex requirements from regulatory bodies or authorities such as the SEC and FINRA.

Because of these developments, many businesses have turned to managed service providers (MSPs) for their expertise to manage cyber insurance compliance.


Cyber Insurance Compliance

What is Cyber Insurance Compliance?

Cyber insurance helps to mitigate or lessen the financial burdens from a data breach or other cybersecurity incident should your business fall victim. Still, as more and more companies file claims, the cost of cybersecurity insurance continues to rise. Premiums increased 79% in the second quarter of 2022 alone.

As the cost and frequency of cyberattacks increase, cyber insurance companies are forced to cover more payouts which causes a premium increase across the industry. Along with this premium increase, insurers also implement increasingly more stringent minimum security requirements for applicants for cyber insurance coverage.

Previously many of these requirements were simple checkbox practices you could complete once and forget; now, insurance companies are shifting to an active monitoring approach. This includes conducting periodic scans of your cybersecurity systems to ensure you maintain the required standards for coverage. If your external cyber footprint strays from secure standards, you expose yourself to a risk of adjusted premiums or a complete loss of coverage.

Benefits of Partnering with an MSP

Due to this active monitoring approach, many financial services firms are partnering with the experts at an MSP for guidance and maintenance of their internal and external cybersecurity environments that adhere to the insurance requirements.

Partnering with an MSP can provide additional benefits to firms, too.

  • Access to industry expertise and knowledge

As with the financial services industry overall, there is no one-size-fits-all for insurance coverage. Internal and external security posture and cybersecurity practices play a big role in deciding required insurance minimums so working directly with an MSP can help you become a better candidate for cyber insurance coverage at a lower premium.

MSPs help ensure you have the proper cybersecurity and data protections before applying to improve your chances of approval for coverage. In fact, in many cases, an MSP has established relationships with preferred cyber insurance providers that benefit their clients.

  • Compliance as a Service and Cyber Insurance

With compliance as a service (CaaS) products, a Governance, Risk, and Compliance (GRC) platform is included with your service. This platform allows organizations to track, manage, and report on compliance related to industry-specific laws and data security standards. This is integral should you experience a data breach or other cyber incident.

When filing your claim, proof of a business’s compliance is often required at the time of the incident, or you will be denied—utilizing compliance as a service product makes obtaining this proof much more straightforward. Access to a GRC and assistance filing a claim from your MSP through these services save you time when it matters most.

Streamlining the Requirements of Cyber Insurance

Gone are the days of simple checkbox requirements for obtaining cyber insurance. Companies must adhere to more stringent requirements in today’s market to obtain and maintain their policies. Working with an IT partner to gain cyber insurance coverage has many distinct advantages.

MSPs assist you during the application process and help secure lower premiums through vendor relationships. They ensure your company stays compliant with your policy and external regulations. If you face a data breach or attack, MSPs guide you in filling out claims forms. They also provide the necessary documentation to your provider when submitting your claim.

Next Steps

The cyber insurance market and models will continue to evolve. With compliance assurance and engineering excellence, the professionals at Coretelligent are helping financial services organizations find the path forward. A partnership with Coretelligent can help financial services firms establish themselves as insurance candidates, lower premiums, and mitigate overall risk.

Learn more about CoreComply, Coretelligent’s full compliance solution that streamlines and enables compliance, third-party risk management, DDQ, and cyber insurance audits.