Due to the ever-growing number of cyberattacks and their increasing severity, financial industry regulators are increasingly interested in mitigating cyber risks. As a result, regulators are creating and enacting stricter financial industry regulations regarding cybersecurity, with severe penalties for non-compliance. The new regulations will impact chief information security officers’ (CISOs’) asset risk management efforts and even their roles in their organizations.
New Financial Industry Regulations
One of the new financial industry regulations is the U.S. Securities and Exchange Commission’s (SEC) proposed “rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (‘registrants’) that are subject to the reporting requirements of the Securities Exchange Act of 1934.”
These amendments will take effect this spring and will require public companies to disclose to investors in a standardized manner their policies, procedures and competencies for cybersecurity, any cybersecurity incidents that occur and updates regarding past cybersecurity incidents.
European regulators are also requiring organizations to strengthen their stances against cybercrime. The European Union’s NIS2 Directive (Network and Information Security 2 Directive), which includes “measures for a high common level of cybersecurity across the Union,” takes effect on October 17, 2024 (NIS2 Release Date). According to its article 21 (Cybersecurity risk-management measures), “essential and important entities must … manage the risks posed to the security of network and information systems … and prevent or minimize the impact of incidents … strengthening EU’s cybersecurity posture by expanding scope of the directive and introducing more stringent rules, especially those pertaining to cybersecurity risk management, including among the supply chain.”
More than 60% of Devices Connected to a Financial Services Organization’s Network are Neither Noticed nor Managed
In light of the new financial industry regulations and the damage caused by cybercrime, cybersecurity and asset risk management are becoming a business concern for financial organizations, no longer only the security team’s concern. As IT research firm Gartner recognized (Cybersecurity Leader’s Role), corporate boards now view cybersecurity as a business risk. CISOs will increasingly need to present cybersecurity to business stakeholders as a business risk rather than a technology issue.
Now, more than ever, to comply with new financial industry regulations and to address the concerns of business leaders and corporate boards, CISOs need to know and understand their entire asset environment and manage the associated risks.
However, managing the entire asset environment presents many challenges. The fact is that more than 60% of devices connected to a financial-services organization’s network are neither noticed nor managed (CyberSecurity for Financial Institutions), especially following the growth of hybrid working, IoT and the use of personal devices.
Enhancing Cybersecurity Compliance for CISOs
Although it is a daunting task for CISOs to know and understand their entire asset environment and manage the associated risks, there are several steps they can take to help make it possible. For example, CISOs could use IT asset management solutions that are scalable and account for any asset type (IT/OT/IoT), whether managed or not and wherever the assets are being used. CISOs could also implement solutions that document the presence of authorized and unauthorized devices: the exact device models, the identity of those using them and how they are using them, the risk level of the devices and of the users themselves, and whether the devices have any known vulnerabilities. CISOs could also deploy IT asset management solutions that automatically block from the network unknown and unwanted devices and those that breach access control rules. Finally, continuously monitoring network-connected devices ensures real-time visibility and control.
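As an added illustration (not code from the article or from any asset management product), the reconciliation behind these steps can be sketched as an inventory check: devices observed on the network are compared with the asset register, devices never inventoried or breaking an access control rule go to a block list, and the share of devices that are not managed is reported. The inventory, the discovery feed, the field names and the VLAN rule are all constructed assumptions.

```python
"""Reconcile devices seen on the network against the asset inventory.

Added illustration, not from the original article. All data below is
constructed; field names, the "managed" flag and the VLAN rule are assumptions.
"""

# Constructed asset register: MAC -> model, owner, whether an agent/MDM manages it.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"model": "laptop-x1", "owner": "alice", "managed": True},
    "aa:bb:cc:00:00:02": {"model": "desk-phone", "owner": "shared", "managed": False},
    "aa:bb:cc:00:00:03": {"model": "hvac-controller", "owner": "facilities", "managed": False},
}

# Constructed discovery feed: devices currently observed on the network.
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "vlan": "corp"},
    {"mac": "aa:bb:cc:00:00:02", "vlan": "voice"},
    {"mac": "aa:bb:cc:00:00:03", "vlan": "corp"},   # OT device sitting on the corporate VLAN
    {"mac": "de:ad:be:ef:00:04", "vlan": "corp"},   # never inventoried
    {"mac": "de:ad:be:ef:00:05", "vlan": "guest"},  # never inventoried
]


def classify(device, inventory):
    """Assumed access control rule: only inventoried, agent-managed devices may use "corp"."""
    entry = inventory.get(device["mac"])
    if entry is None:
        return "unknown"          # not in the register at all
    if device["vlan"] == "corp" and not entry["managed"]:
        return "violation"        # known, but breaking the VLAN rule
    return "managed" if entry["managed"] else "unmanaged"


def reconcile(discovered, inventory):
    """Group observed devices by classification; returns {category: [mac, ...]}."""
    report = {"managed": [], "unmanaged": [], "unknown": [], "violation": []}
    for dev in discovered:
        report[classify(dev, inventory)].append(dev["mac"])
    return report


def block_list(report):
    """Devices to quarantine: never inventoried, or breaking the access rule."""
    return sorted(report["unknown"] + report["violation"])


def unmanaged_share(report):
    """Percentage of observed devices that are not agent-managed (the article's 60% figure)."""
    total = sum(len(macs) for macs in report.values())
    not_managed = total - len(report["managed"])
    return round(100 * not_managed / total, 1) if total else 0.0
```

Run `reconcile(DISCOVERED, INVENTORY)` and feed the result to `block_list` and `unmanaged_share` to get the quarantine list and the unmanaged percentage for the sample data.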
Financial Industry Regulations and Unmanaged Devices
Other U.S. financial industry regulations, such as the Securities Exchange Act of 1934, include strict provisions for capturing business communications. This is extremely difficult to enforce, as employees can communicate about business on personal devices not connected to the network. Although capturing business communications is separate from cybersecurity, corporate boards and business leaders view it as a related business risk involving devices. While there is no solution for monitoring business communications on devices not connected to a company’s network, many of the devices connected to the network are unmanaged, more than those that are managed. By managing all network-connected devices, organizations can better capture business communications and strengthen their compliance.
Consequences of Non-Compliance in the Financial Sector Across the United States and Europe
There are significant consequences for non-compliance in the United States and Europe. For example, in September 2022 the U.S. Securities and Exchange Commission announced charges against 15 broker-dealers and one affiliated investment adviser for “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications,” in violation of “certain record keeping provisions of the Securities Exchange Act of 1934.” The firms agreed to pay combined penalties of more than $1.1 billion and to improve their compliance policies and procedures. For European financial organizations that don’t comply with the NIS2 Directive, EU member states will be required “to provide a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.”
CISOs in financial services can attest to the challenges of complying with new cybersecurity regulations. Now that the SEC is ratcheting up its enforcement against CISOs who fail to properly disclose their cybersecurity risks (e.g., naming the SolarWinds CISO as a defendant), much better management of ALL devices accessing the network and their associated risks is a must-have component of the organization’s cybersecurity and compliance.