Navigating Cybersecurity Regulatory Uncertainty

Author: Daniela Melo

Type: Survey

Topics: Cybersecurity

The financial services industry is one of the most targeted sectors by cyber criminals, ranking as the world’s second most attacked industry in 2023. With the increase in cyber-attacks and their potential to harm investors and disrupt markets, regulators are placing a significant emphasis on how firms are managing cybersecurity risk.

Newly established regulations, such as the European Commission’s Digital Operational Resilience Act (DORA) and the U.S. Securities and Exchange Commission’s (SEC) amendments to Regulation S-P and proposed Cybersecurity Risk Management Rule, are now setting the tone for what will likely be sustained regulatory pressure around cybersecurity risk management.

To better understand how firms were responding to this influx of cybersecurity regulations, we partnered with the National Society for Compliance Professionals (NSCP) to conduct the 2024 Cybersecurity Benchmarking Survey. This survey explored many aspects of respondents’ cybersecurity risk management activities and included questions seeking to identify common concerns within the financial sector about the rapidly developing regulatory landscape. While the survey focused primarily on developing regulations proposed by the SEC, most concerns expressed by respondents are applicable to many emerging regulations around the globe.

Here are our respondents’ top three regulatory concerns and how firms can prepare to face them:

1. Uncertainty about how rules will be enforced

Most firms would acknowledge the need for standards to be set to protect clients and investors from cybersecurity threats, but there is still significant uncertainty surrounding how emerging rules will be enforced and what their impact will be on the organizations that need to follow those rules. This uncertainty surrounding rule enforcement was expressed as a top concern by 44% of survey respondents.

No one can directly predict how a specific rule will be enforced before precedents are set, but firms must still position themselves as best they can to align with regulatory expectations. It can be a tricky position, but there are effective measures to be taken that can aid organizations in weathering this kind of regulatory uncertainty.

  • Prepare to demonstrate cybersecurity program effectiveness.
    Upcoming cybersecurity regulations generally seek to establish minimum requirements for how firms manage cybersecurity risk. While different regulatory bodies will set different standards, firms can get ahead of what will likely be the source of many potential regulatory questions by maintaining a thorough record of their own cybersecurity efforts, including changes and improvements made over time and how the program meets certain standards. This presents an effective way to provide regulators with clear evidence of the firm’s efforts and will allow firms to begin identifying any cybersecurity gaps before a regulatory exam.
  • Provide written rationale for how the firm chose to interpret non-specific or vague language in the rule or regulation.
    Rules and regulations often include vague or non-specific language, and until precedents are set, no firm can be fully certain of how such sections will be enforced. Firms should assess the language in upcoming rules and regulations to identify instances of non-specificity and record what the firm understands the rule to require, including any interpretive guidance the firm has received from outside counsel. This interpretation should then be applied consistently through the firm’s policies and procedures to demonstrate a good-faith effort to comply while the firm waits for clarification from the regulatory body.
  • Ensure alignment with previously reported details.
    Firms should keep regulators informed of any changes or developments in previously reported cybersecurity risk management practices, as required by the regulation. Should a regulatory body identify a discrepancy between a reported cybersecurity risk management practice and what is actually in place at the firm, the firm is likely to be penalized. Firms should ensure their cybersecurity program on paper matches what is being implemented in practice.

2. Complying with cybersecurity incident reporting requirements and timeframes

Most upcoming and recently instated regulations include some reporting requirement regarding cybersecurity incidents. Narrow reporting timelines, such as DORA’s 72-hour notification requirement and the 48-hour disclosure requirement in the SEC’s proposed Rules 206(4)-9 and 38a-2, have increasingly drawn concern from firms unsure of how they will actually adhere to these requirements. 36% of survey respondents indicated this was one of their top concerns.

  • Identify reporting requirements and assess gaps in existing response plans.
    Firms should identify any existing reporting requirements and assess their own policies and procedures to establish what processes may be used for streamlining reporting. Existing incident response plans (IRPs) should be tested and reviewed to identify where a firm may fall short of rapid reporting requirements and how efficiently they may gather information required for notification or disclosure requirements.
  • Update response plans to align with reporting requirements.
    While most firms have some form of IRP in place for a cybersecurity incident, it is very likely that these plans do not account for new and upcoming reporting timelines or requirements. Once the firm has assessed its current procedures, it should adjust existing plans to align with the new regulations. New roles or procedures may need to be added to an updated IRP to ensure the required information is properly collected, the materiality and potential impact of an incident (such as potential future costs or losses) is assessed, and the incident is properly disclosed to the relevant regulatory bodies within their specified timelines.

3. Updating existing policies to ensure compliance with all applicable regulations and laws

30% of survey respondents identified updating existing policies as one of their top two concerns. Most firms today have at least some cybersecurity policies in place, but adjusting them to align with changing regulations can be a challenge, since firms may need to assess these policies and procedures against multiple regulations at once. This gap analysis will likely require a meaningful investment of time by the firm, and where gaps are identified, there can be additional costs associated with updating policies and procedures, training employees on new ways of working, and assessing the effectiveness of the new policies and procedures.

It is key that firms thoroughly assess their existing policies to fully understand how much should change and which policies may be sufficient to adhere to new regulations.

  • Assess regulatory preparedness with existing policies.
    Firms should prioritize their own understanding of their policies and identify where they may fall short of regulatory requirements. All cybersecurity policies implemented by the firm should be formally documented and assessed. Firms should have a complete overview of each of their policies and what they affect, as well as the role they play in the overall security posture of the firm.

    Firms should test their existing policies to define what updates may be required for full compliance. Mock regulatory exams are a good tool for identifying shortfalls in a firm’s existing measures, though they are significantly underutilized: 45% of respondent firms have not performed a mock regulatory exam to assess their preparedness and have no plans to do so in the next two years. Firms should focus on understanding what regulators may ask and what adjustments they may need to make to their policies ahead of any potential regulatory action.
  • Enforce adoption of updated policies.
    Firms should ensure they are ready to fully adhere to any updated policies they put in place to improve compliance. Many organizations will find it difficult to adapt to the new processes required by updated cybersecurity policies and procedures, so it is paramount that firms enforce compliance with all updated processes amongst their employees. Changes should be communicated directly and clearly, and training should be conducted so that employees know how to operate within the updated policies and guidelines.

Download the full report

Learn about all of our findings from this survey in our full report. The survey covered:

  • Cybersecurity risk management priorities
  • Cybersecurity resourcing
  • Third-party risk management
  • Regulatory preparedness

About the Survey

The 2024 Cybersecurity Benchmarking Survey, a joint project between the NSCP and ACA Aponix, was conducted online between January and February 2024. 308 respondents from multiple firms within the financial services industry participated in the survey, representing a variety of business types. Over 60% of respondents represented firms with assets under $5 billion, and a majority of firms indicated they had 50 or fewer full-time employees. The survey covered a range of topics including cybersecurity resourcing, third-party risk management, and regulatory preparedness and concerns. ACA hosted a webcast reviewing key insights from the survey that can be accessed here. The full report is also available for download here.

About ACA Group

ACA Group (ACA) is the leading governance, risk, and compliance (GRC) advisor in financial services. For over 20 years, we’ve empowered our clients to reimagine GRC to launch, grow, and protect their business. Our global team of 1,250 employees includes former regulators and practitioners with a deep understanding of the regulatory landscape. Our innovative approach integrates advisory, managed services, distribution solutions, and analytics with our ComplianceAlpha® technology platform. For more information, visit www.acaglobal.com.

About NSCP

Since 1986, the National Society of Compliance Professionals has been the leading non-profit, membership organization dedicated to supporting compliance professionals in the financial services industry, focusing primarily on investment advisers, broker-dealers, and private funds. NSCP membership offers a wide range of compliance resources, educational opportunities, and regulatory advocacy and engagement. NSCP provides its members with essential information on compliance topics, regulatory insights, and useful tools through its monthly publication, online and in-person events, and within an interactive online community. NSCP members have access to a diverse community of compliance professionals who share their knowledge and expertise. For more information, visit www.nscp.org.