Cybersecurity for RIAs

Last year the Securities and Exchange Commission (SEC) voted to implement new and amended SEC RIA requirements to the Advisers Act of 1940 for cybersecurity risk management for registered investment advisers (RIAs) and funds.

Is your firm ready?

The proposed SEC rule changes would oblige RIA firms to develop and implement written policies and procedures to reduce cybersecurity risks that could harm clients and fund investors. The proposed regulations would also force advisers to report cybersecurity incidents like data breaches involving client information to the SEC.

Additionally, the proposed changes call for publicly disclosing cybersecurity risks and significant incidents from the last two fiscal years in their marketing materials and registration statements.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” said SEC Chair Gary Gensler.

While comments initially closed in April 2022, comments were reopened on March 15, 2023. Once comments are fully closed, the finalized rules will most likely become effective later in 2023. We will be providing future updates once the final regulations are published.

What do the New SEC RIA Cybersecurity Requirements Entail?

The four significant proposed changes include the following:

  1. The proposal consists of new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. In addition, the proposed cybersecurity risk management rules require public companies to adopt and implement policies and procedures for identifying, assessing, and mitigating cyber risks.
  2. The proposal also includes a reporting requirement under new rule 204-6 mandating companies report significant cybersecurity incidents affecting the adviser, its fund, or private fund clients.
  3. The updated rules include changes to Form ADV Part 2A requiring advisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.
  4. The proposal also includes new recordkeeping requirements under the Advisers Act and Investment Company Act Rule 204-2 to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities.

What Can You Do to Prepare for RIA Cybersecurity Enforcement?

Here are some expert tips on being ready for enforcement when the changes go into effect later this year.

  • Develop and Implement Policies and Procedures

RIAs and funds must create comprehensive cybersecurity policies and procedures to mitigate cybersecurity risks per the proposed rules. Keep in mind that these policies and procedures must be both compliant and actionable.

  • Conduct a Risk Assessment

Evaluate cybersecurity risks by identifying, categorizing, and prioritizing cybersecurity risks related to your systems and operations. By conducting an effective risk assessment, you’ll have the necessary information to develop compliant policies and procedures to combat potential cybersecurity risks.

  • Prepare for Disclosure Obligations

When it comes to disclosures associated with cybersecurity risks or incidents, develop procedures for clear, accurate, and timely disclosures to the SEC, clients, investors, and other market participants.

  • Continuity Planning

In the event of a cybersecurity incident, you must be able to maintain system operations. So, test your incident response and business continuity plans through tabletop exercises to ensure compliance with the requirements.

  • Reporting and Documentation

Employing a governance, risk, and compliance (GRC) solution will ensure you have well-documented evidence that your cybersecurity program is compliant.

In addition to ensuring that your firm will align with the changes, these suggestions are also considered best practices for mitigating the risks from data breaches and other cyber attacks. Following these and other practices makes good sense whether your firm is required to or not.


To learn more about GRC, download our free guide →  Understanding Governance, Risk Management, and Compliance for Financial Services.


By employing these practices, you’ll be ready for any forthcoming changes to cybersecurity regulations and well-protected against potential security threats. One solution for preparing now or later is to work with an experienced and knowledgeable IT service provider. An IT partner that is experienced with RIA firms and employs robust cybersecurity and compliance solutions can reduce the time and resources it takes to implement and comply with these and other cybersecurity compliance standards.

As a C-level executive in the financial services industry, you are constantly looking for ways to optimize your firm’s operations, achieve strategic goals, and reduce risk. Governance, risk management, and compliance (GRC) can help you do just that.

GRC is a framework designed to help organizations align their objectives with risk management and compliance policies.

What is governance risk and compliance?

In today’s highly regulated business environment, organizations need to have a comprehensive GRC system that enables them to manage their risks effectively, comply with regulations and laws, and meet the needs of their stakeholders. Let’s explore why organizations need effective GRC and how it can help them achieve their strategic goals.

What is GRC?

GRC comprises three key components to align policies, reduce risk, and ensure compliance.

Governance is the process of developing and adhering to policies, procedures, and practices that support an organization in meeting its business objectives. An effective governance system helps ensure that the organization makes decisions aligned with business goals. In addition, by establishing effective governance, organizations can ensure that their plans are being implemented effectively and have the necessary structures, processes, and systems in place.

Risk Management is the process of identifying, assessing, and mitigating risks associated with operations within the firm or from external threats the firm faces. An effective risk management program will help identify potential risks early so that they can be addressed before they become significant issues.

Compliance is the adherence to mandated internal and external standards, regulations, and best practices that must be met for a firm to operate responsibly and fulfill legal obligations. Good compliance requires an effective combination of policies, procedures, training, monitoring, and corrective action.

Why Does My Firm Need a GRC Program?

Financial services firms are under tremendous pressure from increased regulations, heightened scrutiny from investors, clients, and other stakeholders, and rising security risks. However, according to Hyperproof, 65% of businesses still manage IT risks using an “ad-hoc, reactive approach, with siloed processes and disconnected tools.”

A robust GRC response can benefit these firms by helping them address expanding regulations, control risk across all business units, reduce the cost associated with audits and due diligence questions (DDQs), improve compliance processes, and streamline reporting requirements.


By combining these three components into one unified system—GRC—firms can benefit from a variety of outcomes, including:

  • Improved efficiency across departments
  • Increased visibility into compliance requirements
  • Reduced costs through streamlining processes
  • Better identification of potential risks
  • Streamlined reporting
  • Better decision making
  • Enhanced stakeholder confidence
  • Strengthened brand reputation
  • Improved organizational agility
  • Amplified data security and privacy protection

By bringing governance policies and procedures, risk management, and compliance programs together, firms can swiftly adapt and adjust as needed while remaining compliant with all applicable regulations and internal best practices. Moreover, with integrated GRC, it becomes easier for executives to confidently navigate today’s complex world of risk analysis and regulatory compliance.

Solving GRC

In the past, organizations implemented GRC as distinct activities. Processes and systems were created in silos and often in response to a specific trigger, such as new regulations, security incidents, or audit findings, without integration throughout the company. This approach created a web of inefficiencies, redundancies, and inaccuracies that left businesses vulnerable to fines and penalties, lawsuits, reputational damage, and even loss of revenue.

In today’s world of increased risks and shifting compliance, it is of the utmost importance to implement a GRC solution that creates an effective foundation for recognizing, assessing, and controlling risks. In addition, organizations must remain continuously vigilant and responsive to the ever-evolving risk and compliance environments with ongoing monitoring, support, and guidance.

GRC tools should also reinforce and streamline your policies, procedures, and processes. Given the complexity of the financial services industry, many firms are choosing an IT partner with domain expertise and one that provides strategic guidance and know-how in addition to a technology platform.


DOWNLOAD → Read more about the must-have elements of a GRC platform and IT partner in Understanding Governance, Risk Management, and Compliance for Financial Services.


Financial Services Compliance

Financial services compliance is a dynamic target with extreme consequences for non-compliance. For financial services firms, there is absolutely no room for error. Firms must remain vigilant to ensure they meet their obligations under a growing set of laws, regulations, and standards.


The Intersection of Financial Services Compliance & Technology

Financial Services Compliance

In the financial services sector, compliance has always been a significant concern. While earlier methods of compliance reporting were largely manual, the intricate nature of today’s financial services compliance and security challenges renders such methods obsolete. To navigate this landscape, firms need to move beyond traditional check-box compliance methods. Instead, they should adopt comprehensive compliance platforms complemented by specialized advisory services.

Regulatory agencies introduce security and compliance measures to bolster the global economy’s stability and safeguard consumer privacy. The surge in third-party affiliations further underscores the importance of enhanced management to minimize risk. Meeting the specific reporting and data management standards set by these entities requires financial services firms to establish intricate, often expensive, and time-intensive systems. Yet, the cost of non-compliance is even steeper, with potential repercussions ranging from fines and sanctions to reputational damage and revenue loss.

The Compliance Landscape for Financial Services

Highlighted below are several of the most critical regulations and standards that must be met by the financial services sector:

  • FINRA

The Financial Industry Regulatory Authority (FINRA) is an independent body that oversees the brokerage community, assisting both investors and firms. Its primary goal is to maintain a safe and fair market. To achieve this, FINRA regularly updates its rules in response to global market changes. A significant focus of these regulations is on advanced cybersecurity measures. These standards aim to guard against cyberattacks, identify system breaches, and establish plans for business continuity and breach responses.

  • SEC

Financial firms must adhere to regulations set forth by the Securities and Exchange Commission (SEC). The SEC promotes fairness, transparency, efficiency, and compliance of all publicly-traded companies in the U.S. Financial firms are required to comply with the SEC’s Financial Reporting Requirements, which include annual and quarterly reporting as well as other periodic filings. Financial firms must also adhere to SEC governance and risk management standards, such as cyber risk policies, identity theft prevention plans, data security processes, insider trading safeguards, and more.

The SEC Chair, Gary Gensler, recently expressed his support of the Office of Information and Regulatory Affairs Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions, saying the agenda “reflects the need to modernize our ruleset, moving deliberately to update our rules in light of ever-changing technologies.”

  • SOX

First passed in 2002, the Sarbanes-Oxley Act (SOX) was established to protect individuals by increasing transparency in the financial services sector and requiring formalized checks and balances for individual entities. In today’s world, SOX compliance is aimed at limiting access to internal systems that contain confidential or financial data. Fortunately, SOX internal controls are also solid business practices that can enhance your firm’s cybersecurity risk profile and reduce the threat of insider attacks.

  • Due Diligence Requests (DDQ)

Compliance with investor due diligence requests (DDQs) has become more and more complex as the Financial Services industry grows. DDQs typically involve detailed information about financial operations, accounting practices, and related risk factors. Responding to these inquiries can be difficult, but it’s necessary in order to maintain regulatory compliance and build trust with investors. Financial services firms need to develop a reliable system for tracking and responding to DDQs quickly and accurately, as well as an audit trail of the communication process to prove compliance.

  • Cybersecurity Insurance

Cyber insurance carriers have expanded their compliance requirements and increased their schedule of audits to ensure that firms have robust controls in place. These audits assess security protocols, policies and procedures, disaster recovery plans, and more. Financial services firms must plan ahead for these inspections by having the right personnel prepared with well-documented processes and systems to prove compliance. Additionally, firms should have an external cybersecurity partner who can provide executive-level support to ensure the audit is successful.

Cybersecurity & Compliance: What’s the Difference?

Security and compliance are often mistakenly assumed to be synonymous, yet they are, in fact, distinct. Security and compliance are both essential, yet their purposes vary. While security is meant to protect data and infrastructure, compliance serves as a means of meeting legal or regulatory obligations.

Compliance and security have similar objectives around managing risks and securing sensitive data and systems but have different processes and workflows to accomplish these goals. Put simply, compliance is the act of meeting contractual or third-party regulatory requirements by adhering to set guidelines and standards. On the other hand, security requires implementing effective technical controls in order to safeguard assets from cyber attacks.

Both are critical for the financial services sector.

Solving Compliance Now & Into the Future

As we move into 2023, financial services firms face an evolving landscape of stricter and more comprehensive regulations. To navigate this, it’s imperative for these firms to stay informed and adapt. They should invest in the right IT infrastructure, recruit skilled personnel, and collaborate with trusted external partners. Moreover, having efficient systems to address DDQs promptly and accurately is crucial. Ensuring they maintain robust cyber insurance policies is equally important. By proactively taking these measures, firms can not only ensure compliance but also effectively mitigate potential risks.

Understanding the evolving world of IT compliance for financial services firms is an ongoing conversation, not a one-time decision. Learn more about the compliance obstacles facing the financial services sector. Download Coretelligent’s complimentary whitepaper: How Financial Services Firms Can Manage Compliance.

Cybersecurity for Broker-Dealer Firms

As a broker-dealer firm executive, you know that one of FINRA’s key mandates is to help prevent cyberattacks against its regulated firms. The Financial Industry Regulatory Authority, or FINRA, is, of course, a not-for-profit regulatory organization authorized by Congress to protect investors and ensure market integrity in the United States. This post will explore some of the most common cybersecurity threats faced by FINRA firms.

What are the Most Common Cybersecurity Threats for Broker-Dealer Firms?

Now more than ever, broker-dealer firms rely on their technology infrastructure, and the cyber landscape presents a steady stream of security challenges that require robust preparedness from brokerages and other financial services firms.

1. Imposter Websites

According to FINRA, member firms routinely report phony websites posing as FINRA members and using registered names and company data to establish fraudulent sites that market investment services and products. These sites attempt to steal both personal information and money by leading visitors to believe they are interacting with a bona fide business.

2. Customer And Firm Employee Account Takeovers (ATOs)

Email account takeovers can occur with either customer or firm personnel accounts and begin with a compromised email account. Cybercriminals can gain unauthorized access to email accounts through data breaches, phishing emails, or websites that trick users into clicking on malicious links. Once inside, they can execute unauthorized transactions in financial accounts, firm systems, bank accounts, and credit cards.

One of the dangers of an ATO for an employee account includes criminals creating fake identities to establish accounts for automated clearing house (ACH) or wire fraud.

3. Malware and Ransomware

Malware is malicious software and can take many forms, including viruses, spyware, and ransomware. These malevolent programs can steal data, encrypt it, delete it, and even hold it for ransom by infiltrating and taking over computing operations. Phishing is one of the most common ways that malware is introduced. Ransomware is a type of malware that, when launched, can encrypt data and prevent access to networks until a ransom is paid to the attacker.

4. Data Breaches

A data breach is a security incident in which hackers gain unauthorized access to confidential data like financial records or personally identifiable information (PII). Data breaches can lead to financial losses, reputational damage, lawsuits, and fines and penalties.

What Can FINRA Firms do to Prepare?

Earlier this year, FINRA, along with the SEC, Homeland Security, and other agencies, alerted members to the increased likelihood of cyber attacks as part of the invasion of Ukraine with a Shields Up warning.

In a recent op-ed, written by Jen Easterly, the director of CISA, and Chris Inglis, the national cyber director, the pair consider when the Shields Up warning might be lifted:

“When will we be able to put our shields down? In today’s complex, dynamic, and dangerous cyberthreat environment, the answer is that our shields will likely be up for the foreseeable future.”

For broker-dealer firms, this means continuing to follow the guidance provided by FINRA as well as cybersecurity professionals with experience within the financial services sector. There are cybersecurity controls that can mitigate the risk of cyber attacks.

To learn more, download our Guide to Effective Cybersecurity Controls for Broker-Dealer Firms.

Additionally, our Cybersecurity Threats and Effective Controls for FINRA Firms Infographic provides a quick overview of the threats faced by FINRA firms, as well as the controls to implement to reduce the risks from those threats.

Combining Cybersecurity Controls and Expertise

Balancing business initiatives with security and technology can seem challenging, particularly for broker-dealer firms without an internal team of cybersecurity experts, but Coretelligent can help. We offer our expertise and robust cybersecurity solutions to solve the challenges of the highly regulated financial services industry. In addition, we have years of experience working with broker-dealer firms and other firms like hedge funds, venture capital, and family offices. As a result, we understand the pain points these firms face in the digital world and have the solutions—from compliance and cybersecurity to growth and business transformation—to solve them.

Security and Compliance for Financial Services

From operational processes to security challenges and regulatory uncertainty, the financial services sector has very specific IT requirements. Whether you are interested in scaling vertically or horizontally, simply maintaining secure document management and compliant levels of access for employees can be difficult. Managing complex financial services workflows and meticulous processes requires intensely powerful technology, which can be more expensive than financial services firms can afford and still fuel growth engines. With the rise of platforms and partners dedicated to the digital needs of financial services firms, it is more important than ever to fully vet the security and compliance levels of your systems while forging ahead with digital transformation.

Safely Taking Advantage of the Benefits of Cloud

In many ways, cloud computing has paved the way for financial services firms to envision new ways of doing business that are faster, more automated, more compliant and more secure. Managing the huge amounts of data inherent in financial services has caused many firms to shy away from privately hosted or aggregated data centers and move exclusively to the cloud. While the cost-savings can be significant with this shift, the instant scalability of cloud computing is what has been most seductive. The variability of transaction rates over time allows for faster scaling and better control over the consistency of transactions. Even with all the benefits, not all cloud storage and transactions are the same, and the security of your cloud partner could be the chink in your armor that cybercriminals are hoping to exploit.

The Rising Importance of RegTech

There was FinTech, and now RegTech: the technology utilized to ensure you are fully complying with the regulatory authorities of the world. This is particularly crucial for financial services firms that often work with individuals and organizations around the globe. This dramatically increases the complexity of the challenges you are facing, and as more countries adopt their specific data privacy policies the intricacy of avoiding regulatory risk will skyrocket. Financial services firms must either comply with these regulations or choose not to do business in that region, something that can severely hamper growth potential for the future. Many organizations are being faced with the option of patching together multiple existing systems and workflows, hoping to capture the spirit of regulations without full confidence that compliance has been achieved. Finding a way to create flexible and scalable — not to mention compliant and secure — systems will continue to be a challenge for financial services firms that manage their technology internally.

Reducing Risk from Security and Compliance for Financial Services Sector

In an ever-changing regulatory and security climate, financial services firms that attempt to meet the obligations set forth by regulators by utilizing manual processes can quickly cause inconsistencies that are not easily discovered without a full audit of systems and processes. Where RegTech can step in is through creating a more resilient base for the organization, allowing for greater scalability as new reporting, security and workflow requirements come to light. Solutions that include AI and machine learning in cybersecurity are often able to detect abnormal activity within a network, aiding in financial crime detection procedures by scanning millions of transactions in a short period of time. Employing machine learning solutions ensures that the systems are able to grow over time — improving their ability to detect inconsistencies and alert technology and business staff to a potential situation.

Trusted Cybersecurity is Vital to Scalability

Third-party vendor risk is often underestimated but is a topic that should be brought top-of-mind for financial services professionals. The highly sensitive information stored within the financial services sector and the increasing data privacy regulations have made the level of security for partners and your data storage providers a key concern. Knowing that your cloud provider has resources dedicated to cybersecurity provides distinct advantages in the face of ever-shifting compliance reporting and security risks.

Finding the right mix of proactive support, regulatory knowledge and cybersecurity experience can be difficult for firms in the financial services sector. With their compliance assurance and engineering excellence, the professionals at Coretelligent are helping financial services organizations find the path forward to scale. Our consultants and technicians represent a broad spectrum of technical expertise, ensuring we have the resources in place to support growing financial services organizations across the country.

Business Resiliency and Disaster Recovery (DR) are critical for any organization, but these activities are particularly vital for financial services firms.

Sensitive data and compliance requirements create additional pressures to safeguard systems and ensure data recoverability.

Furthermore, the reputational damage caused by data loss or an extended outage can be catastrophic.

In today’s uncertain atmosphere, it’s important to note that a disaster can come in many forms — such as a company that is suddenly under quarantine that doesn’t have the infrastructure in place to support remote operations.

Taking the following steps can help assure operational continuity and data protection.

If your firm does not currently have an experienced internal IT team, a trusted managed IT provider should be engaged to provide guidance.

1. Establish a Business Continuity Plan (BCP):

  • Meet and collaborate with leadership from all teams to identify and document critical data, systems, and applications.
  • Perform a risk assessment of this list. Identify any potential internal and external threats, the likelihood of each, and the severity of impact.
  • Classify data and applications according to criticality.
  • Consult with business line managers to define recovery objectives for each classification.
  • Identify and document any compliance requirements for data backups and disaster recovery (DR).
  • Include considerations for potential scenarios including but not limited to office closures and quarantines.
  • Determine the appropriate tools and processes to meet the identified requirements.
  • Select at least one Point of Contact (PoC) and secondary contacts to execute and oversee the BCP in a disaster scenario.
  • Include names and contact details for all BCP team members.
  • Document and communicate the plan. Ensure that all stakeholders and dependent personnel are informed of the BCP and have access to it.

2. Test Your Business Continuity Plan

  • Review the results from the last test. Confirm gaps have been remedied.
  • Perform a walkthrough with your BCP team, IT provider, and cyber/risk consultants to ensure everyone is clear on their role and the plan as a whole.
  • Execute the plan and document any newly discovered gaps, challenges, and improvements.
  • Make relevant adjustments, if needed.

3. Validate Vendor Readiness

  • Verify the ability of critical service providers to support your business during a disruption.
  • If a service provider is not prepared, consider an alternative vendor or work with them to see how you can assist.
  • Develop alternative processes (e.g., manual or in-house) to ensure the continuation of critical business operations.

4. Ensure Remote Access Capabilities for Essential Personnel

  • Provision laptop computers for personnel who are essential to business operations.
  • Require employees to carry laptop computers home each day.
  • Confirm remote access solutions like VPN or VDI are operational and that personnel are trained in usage.
  • Test employees’ ability to work remotely (e.g., rotate staff to work remotely on selected days during the week to identify issues proactively in anticipation of a facility closure or quarantine order).

5. Conduct Training

  • Conduct a webcast to review the BCP with your entire organization.
  • Ensure BCP team members understand roles and responsibilities during a business disruption.
  • Conduct tabletop exercises in preparation for office closures, quarantines, and health emergencies as well as public transportation and critical service provider disruptions.
  • Ensure employees understand how to work remotely and who to contact regarding access issues.

By following the above steps your firm will be prepared for business disruption and will be positioned to minimize the impact.

If you or your firm needs any assistance with developing a business continuity plan, IT strategy, cybersecurity solutions or compliance reporting, Coretelligent is here to help.

Contact our team of experts at 855-841-5888 or via email to info@coretelligent.com to schedule your complimentary initial consultation.

Financial Services Vulnerabilities

Financial services institutions have long been a top target for cyber threats. Access to a large amount of sensitive and confidential information makes the financial sector a target-rich environment for cyberattacks. In addition to mitigating cybersecurity threats, financial firms must also prioritize maintaining and strengthening compliance. The balance of these two priorities presents a unique set of challenges for companies in financial services.

With the inherent diversity of the financial services sector and the shifting cybersecurity and compliance landscape, identifying a one-size-fits-all set of vulnerabilities for all financial services institutions is impossible. However, there are common vulnerabilities to be aware of.

  • Reactively Evaluating Current Cybersecurity Posture:

    Institutions cannot address cybersecurity and compliance vulnerabilities of which they are unaware. Moreover, leaving these vulnerabilities unaddressed can have costly consequences. If unaddressed until an incident occurs, institutions have no choice but to utilize a reactive approach that can leave the business facing outages and shaken customer confidence. Instead, financial service firms should consider taking a proactive approach. By utilizing Coretelligent’s Cybersecurity Evaluation Checklist designed for financial services as a jumping-off point, financial service firms can do an initial assessment of existing vulnerabilities to discuss with a managed service provider (MSP).

  • Ransomware Attacks:

    As the world continues to become more digitally integrated, opportunities for ransomware attacks grow exponentially. In a ransomware attack, attackers use malware to gain access to your organization’s systems or data and hold that data until a ransom is paid by the organization. The results of these attacks are devastating. In addition to the price of the ransom, there are legal fees and other costs associated with damage control, as well as potential loss of data.

  • Access Vulnerability:

    Flaws in the various levels of access to information can leave sensitive data exposed and vulnerable to attackers. Cybersecurity integration is key across all divisions and at all levels of access in an organization. Cybercriminals will seek to exploit any weakness identified at any level, regardless of the internal structure of the business.

  • Managing Compliance:

    The evolution of information technology has increased the compliance burden on the financial services industry. Financial service organizations are amongst the most regulated business segments in the U.S. However, simply maintaining compliance may no longer be enough. Instead, actively managing compliance risk and strengthening compliance overall is key in earning customer confidence and avoiding costly penalties.

  • Business Continuity:

    What comes next if the worst happens and a cyberattack hits your company? Is your data backed up safely? How quickly would you be able to restore access to users? A proactive and dynamic backup and disaster recovery solution is critical for preventing business interruption and loss of essential data, which could trigger a compliance violation. Off-the-shelf, onsite backup solutions often do not provide the level of performance required to meet the needs of financial and investment organizations. It is vital to establish a solution before an outage to ensure timely recovery and minimize interruption time for clients.

Addressing security and compliance vulnerabilities may seem challenging, but Coretelligent can help. Working with Coretelligent means working with an IT partner who understands both the security and compliance needs of the financial services sector. Contact us today at 855-841-5888 or fill out our online form.

SEC Compliance Rule

The SEC compliance rule indicates significant changes to regulations for broker-dealers, investment companies, RIAs, and other market agents.

The SEC has been signaling an expansion of cybersecurity compliance obligations for public financial firms for some time. Increased and intensified state-sanctioned cyberattacks, data breaches, and ransomware have spotlighted the risk to the U.S. economy, its investment markets, and its investors.

“The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars,” said SEC Chair Gary Gensler in a speech on January 24th. “Hackers have attacked broker-dealers, government agencies, meat processors, and pipelines. These attacks can take many forms from denials-of-service to malware to ransomware.”

Referencing the 2021 Robinhood breach and the 2020 SolarWinds incident, Gensler notes that the joint work of the FBI, CISA, and the Biden administration is ratcheting up to curb the plague—not the COVID-19 pandemic, but the scourge of cybercrime.

He shares that the SEC is looking at ways to strengthen the financial markets’ cyber readiness and hints at a new and expanded compliance framework.

In terms of policy, there are three areas under scrutiny: cyber hygiene and preparedness, cyber incident reporting to the government, and disclosures to the public.

These areas call for IT solutions that prepare for, respond to, and report cyber events. Practices like access management and end-user training, which both reduce the likelihood of cyber incidents, will need to be implemented and reinforced. Additionally, a robust backup system and a disaster recovery plan should be developed or expanded for responding to any events that may happen. Depending on the specific language that ends up in new or expanded regulations, additional IT solutions will most likely be needed for compliance.

The organizations that may face new and strengthened regulations include SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers, and others. Also in the crosshairs are public companies, third-party service providers, and other organizations not currently registered with the SEC but which support or interact with SEC-registered companies.

Specific regulations that the SEC is proposing to change:

  1. Expanding Regulation Systems Compliance and Integrity (Reg SCI) to cover more entities, including market-makers, broker-dealers, and other financial entities. Reg SCI requires that SEC registrants have robust, sound technology programs, business continuity plans, testing protocols, data backups, and more.
  2. Implementing new cybersecurity hygiene and incident-reporting regulations for financial sector registrants not covered by Reg SCI, such as investment companies, investment advisers, and broker-dealers.
  3. Modernizing Regulation S-P, which deals with data privacy, by changing the timing and content of notifications to clients about data breaches involving personally identifiable information.

These changes would significantly impact a wide array of companies and subject them to expanded or newly instituted regulations that they may not be prepared to meet.

If your organization requires assistance with keeping up with and implementing these and any other cybersecurity compliance requirements, reach out to our experts. Coretelligent has a suite of solutions, including CoreArmor and CoreBDR, designed to address the compliance and security needs of the financial sector. With over 16 years of experience helping clients navigate a whole host of IT compliance regulations and bolstering their cybersecurity posture, we can help your firm understand and meet its regulatory requirements.

Solving Cybersecurity on-demand webinar

We get it. As executives and IT professionals, you are busy. To that end, we are debuting a new series of short on-demand webinars intended to answer the most common requests we receive. These webinars are designed to connect your firm’s real-world problems with the solutions that address them. They are short and available on your timetable—no signing up for a scheduled webinar and then missing it because you get pulled into a meeting!

The first video is for financial services firms needing guidance on strengthening cybersecurity readiness and compliance response.

Better understand how to effectively respond to the moving target of the twin challenges of cybersecurity and compliance with our free on-demand webinar.

This short compliance and cybersecurity webinar focuses on the following topics:

  • IT Pillars of compliance
  • Cybersecurity priorities for SEC compliance
  • Tips on how to improve cyber readiness and meet compliance
  • And more!

→ Sign up here to watch the webinar.

FINRA Rule 4370

The Financial Industry Regulatory Authority (FINRA) recently announced the completion of the review process for FINRA Rule 4370 and upheld the Rule as it currently stands. The agency put the Business Continuity Plan (BCP) Rule 4370 into place to ensure continuity of operations for broker-dealer firms following a disruption or disaster. FINRA based its decision to keep Rule 4370 intact on the recently completed BCP Rule and Pandemic Review, which highlighted the benefits of the Rule.

The FINRA BCP Rule requires broker-dealers to maintain continuity plans designed to ensure their ability to resume business operations after an interruption or in the event of a disaster. Regulatory Notice 21-44 clarifies the compliance obligations for broker-dealers who had been waiting to see where the agency would land on updating or maintaining the Rule.

Background on Rule 4370

In early 2019, FINRA announced a review of the Rule to determine its effectiveness and viability. In addition, the agency weighed the costs, risks, and benefits of developing, maintaining, and implementing BCPs against those of not utilizing them.

According to FINRA’s announcement, stakeholders reported that Rule 4370 was working as intended. FINRA observed that the Rule’s “flexible, non-prescriptive, and risk-based approach has been effective in ensuring firms of all sizes are prepared for potential business disruptions.”

Additionally, during the early stages of the pandemic, FINRA published Regulatory Notice 20-08, which recommended that member firms review their plans for pandemic preparedness.

What Does This Mean For Your Firm?

FINRA has made it clear that firms should continue developing and maintaining plans according to Rule 4370. However, the agency will not be providing specific guidance; firms are on their own when it comes to fulfilling the requirements for compliance.

What Are the Next Steps?

New and established brokerage firms will need to evaluate their status regarding Rule 4370 to ensure compliance and confirm that they are operating with an effective BCP. However, a BCP alone is not enough to ensure continuity.

For firms looking to assess their disaster readiness and compliance, there are six critical steps toward a BCP that will be there when you need it.

  1. Establish or Evaluate Existing BCP
  2. Test BCP
  3. Validate Vendor Readiness to Support BCP
  4. Ensure Remote Access for Essential Personnel
  5. Educate Personnel and Conduct Training
  6. Routinely Repeat this Process

By following these steps, your firm will be prepared for potential business disruptions and remain compliant. Of course, there is more involved in each of these steps. For more granularity, read our post, Business Continuity Checklist for Financial Services Firms, which outlines just how to assure operational continuity and data protection.

Coretelligent is here to help your firm navigate the details in developing and maintaining a business continuity plan. We can also assist with incorporating it into your IT strategy, cybersecurity solutions, and compliance reporting. As an MSP with considerable experience within the financial services industry, Coretelligent understands the regulatory imperatives required of you and your business. That is one of the main benefits of working with an IT partner with deep industry knowledge and expertise.

Reach out and we will work with your IT and compliance teams to review your BCP and develop a roadmap to make sure your firm is secure.