
Is Your Firm Prepared for SEC Compliance?


The rise of cybersecurity regulation is causing concern for many firms, particularly those in the alternative investment industry. In 2022, the U.S. Securities and Exchange Commission (SEC) proposed cybersecurity rules that would apply to registered investment advisers and funds across this industry. If adopted, the rules would require written cybersecurity policies and procedures, enhanced reporting and disclosure, and examination of board oversight, incident response, and annual reviews of the cybersecurity program.

These proposed changes represent a significant shift in how the SEC will conduct due diligence in the future. For many firms, this could seem daunting. However, the message is clear: firms must take a proactive approach to strengthening their cybersecurity posture ahead of the rules expected to be finalized in 2023. Cybersecurity is no longer a checklist item to be considered once a firm has reached a certain level of AUM or funding; it is a top consideration for firms of all sizes.

A cautionary tale about the importance of cybersecurity compliance can be seen in EyeMed, an Ohio-based vision care benefits company. EyeMed was required to pay a $4.5 million fine for failing to conduct a required risk assessment and for violating the New York State Department of Financial Services (NYDFS) cybersecurity regulation. The penalty could have been avoided had EyeMed conducted ongoing risk assessments and enforced multifactor authentication on its email system. In addition to the fine, EyeMed was given three months to complete a risk assessment and provide the regulator with a clear plan to improve its cybersecurity practices.

The EyeMed case highlights that cybersecurity is a compounding problem that cannot be solved overnight. It requires firms to take charge and create comprehensive, technical, and actionable plans that can be executed quickly, so that they stay one step ahead of looming threats. The key to preparing for SEC compliance is "owning" the firm's cybersecurity. Technology solutions can make this easier, but board members must also take a proactive role in their firm's defenses, for example by commissioning data flow mapping so that sensitive data and the systems that handle it can be identified and the vulnerabilities around them analyzed in depth.

While certain activities such as policy drafting, risk assessments, and cybersecurity awareness training can be outsourced, firms must also complete additional work internally: training the internal team to meet the proposed 48-hour incident reporting deadline, mapping data flows to identify vulnerabilities and implement the required mitigations, and reporting to the board on the fund's current and future cybersecurity preparedness.

Many firms, particularly those without a Chief Information Security Officer (CISO), have in the past left cybersecurity in the hands of IT providers or managed service providers (MSPs). Relying solely on IT providers or MSPs is no longer adequate. Cybersecurity must be reviewed and owned by the firm itself, both to protect sensitive data and to avoid the significant costs of non-compliance. The stakes are even higher under the proposed SEC rules, and firms that fail to incorporate cybersecurity into their strategic business operations and budgets may end up paying for it elsewhere, in fines and in the loss of client trust.

Establishing an effective cybersecurity posture is not an overnight process. It requires ongoing risk assessments and an actionable roadmap to identify existing vulnerabilities and correct them over time. With appropriate planning, technological investment, and support from board members, firms can meet and exceed the SEC's expectations and move from reacting to cyberattacks to proactively defending against them.

Jason Elmer, Founder and President of Drawbridge, brings more than 20 years of cybersecurity and IT infrastructure experience to his role. As Founder and President, he is responsible for driving Drawbridge’s day-to-day operations, expanding its geographic and technology footprint, and leading the company for global growth and scale.

