Level Up Your Cybersecurity Stance

Level Up Your Cybersecurity Stance Webinar

In this portion of our latest webinar, Level Up Your Cybersecurity Stance: Going Above and Beyond the Baseline, Principal Mark Anderson and Business Development Manager Corbitt Grow discuss the new landscape financial services companies face. 

If video isn’t for you, the transcript for this portion of the talk is below. To view the full webinar and transcript, fill out the form below to access the recording.

Transcript

Mark Anderson: So now we’re gonna set the scene though.

Corbitt Grow: Obviously we’re focusing on financial services firms for today and being in the space that y’all are in, there’s obviously a bunch of external factors and forces that you have to adhere to in order to operate in the way that you need to.

Two that are most relevant for today. One is the real threat posed by a cybersecurity attack. And secondly, it’s the responsibility that you have to maintain increasing compliance requirements and regulations from governing bodies like the SEC.

Just to provide a little more color to this, we actually, back in the tail end of this past year met with the local FBI field office here in St. Louis, and their hybrid cyber taskforce, met with Special Agent Akagha, and we had a great conversation. But one of the things we asked him was what’s the most prevalent form of cyber attack that you’re seeing? And without skipping a beat, he said BEC. Business email compromise. And the others, they just don’t even come close.

That’s relevant because BEC is essentially an escalated form of spear phishing, where they’re targeting C-suite, HR, payroll, accountants, etc. Basically, everybody who’s touching the money within an organization and in the financial services space that makes you all part of that highly targeted demographic. So this is all really pertinent. That’s the cybersecurity side of why this is all important. Then Mark is going to touch a little more on the SEC side of things.

Mark Anderson: Thanks, Corbitt. As you all are aware, right, in the summer of 2023, the SEC adopted new cybersecurity reporting rules specifically for RIAs, right? And requiring our RIAs to have implemented written policies and procedures to formally address cybersecurity risks. Not only that, though, if an event, a significant event, happens, an RIA is now required to report that event within 48 hours of it being discovered. And you need to have implemented incident response programs, which include notifying your customers within 30 days of their sensitive information being compromised.

So then Rule 10 comes along, right? The key is that it hasn’t yet been – It’s proposed, it hasn’t been ratified yet. But, if adopted, it applies to market entities and covered entities. And you might be saying, “Well, Mark and Corbitt, I’m not one of those. So this doesn’t apply to me like why are you even bringing it up?” We’re going to talk about that in a second.

But it is proposing to establish and maintain enforcement of written policies and procedures designed to address cybersecurity risks similar to the earlier one, but just in a lot more detail.

Why does this matter? What we’ve witnessed is that the SEC has really taken a very determined enforcement approach beyond just these market entities and covered entities and publicly traded firms, and has dipped down into private company space.

In 2020, the SEC demanded the names of clients that were caught up in a 2020 cyber attack that a private law firm, Covington and Burling, actually was involved with. Again, from the Thomson Reuters October 2023 article.

It doesn’t mean “If I’m a small company, that doesn’t apply to me,” that’s really something that we’re urging everyone to think twice about.

Procedures for periodic assessments of cybersecurity risks, we want to minimize any user-related risks and prevent unauthorized access to your IT systems. We have to be able to monitor, protect and oversee your IT systems, any third-party providers, the information that you’re trying to protect, etc.

We also have to adopt measures to detect, mitigate and remediate against those threats. And how am I going to recover? So I need written procedures to say, “Oh, I’ve been, you know, part of a breach, what do I now do?” Get the playbook out and let’s just start going through, you know, step number one to the end.

At least annually, a covered entity would need to review all of those policies and procedures, determine their effectiveness and then present and write a written report that could be asked for by the SEC.

In summary, however, Rule 10 has not been adopted. But we always here at Anderson Technologies have the approach that we like to get out in front of any kind of security planning, rather than playing catch up once something like this becomes law.

Just to reiterate, if you’re a private company, this quote from Thomson Reuters, I found very interesting. They’re requesting that all of us have this shift in mindset, that it’s not a kind of cross our fingers and hope that an incident doesn’t happen to us. “Threats should no longer be considered a surprise, but rather expected or inevitable.” That was a word that really caught my attention.
