In January 2022, the Allianz Risk Barometer asked companies from around the globe what their biggest concerns were. Cybersecurity was the top response garnering 44% of the vote and coming ahead of other all-consuming concerns such as the COVID pandemic, climate crisis, and war.
Inflicting an estimated $6 trillion in damages on the global economy, cybercrime poses a very real threat to financial systems. The SEC appears to agree, judging by its recent focus on the area and its proposed changes to existing disclosure regulations for public companies and hedge funds.
What Are the Proposed SEC Amendments?
In March 2022, the Securities and Exchange Commission (SEC) proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
The proposed amendments would require, among other things:
- Current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents
- Periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks
- The registrant’s Board of Directors’ oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures
Broadly speaking, the SEC has widened the ambit of compliance for firms to include cybersecurity as a critical factor for disclosures and to develop written policies and procedures.
The Fallout for Investment Firms
Since 2020, firms across the industry have experienced a sharp spike in cybersecurity threats due to a combination of factors:
- Working from home (WFH): Sensitive data may no longer sit behind company security controls now that remote work has become the norm for employees. As employees adjust to remote work, many of them depend on home connections and devices that may lack adequate protection against online threats.
- Bring your own device (BYOD): With the ubiquity of personal computing devices, such as mobile phones and tablets, IT security departments must deal with a much wider landscape of vulnerabilities and potential security flaws.
- Remote work security challenges: Because teams are dispersed and rarely connect to the corporate network, many firms struggle to enforce security policies. Remote access to sensitive data also increases the firm’s exposure to cyber risk.
- Drastic increase in ransomware attacks: Ransomware attacks nearly doubled between 2020 and 2021, accounting for 65% of all global cyberattacks. North American firms were the targets in more than half of the 2,690 reported attacks.
- Weak public key infrastructure (PKI): Long certificate terms, lack of certificate automation, inconsistent governance, and improper protection of private keys are common security challenges at PKI implementations in many firms.
In 2002, the SOX Act forced corporate boardrooms to introduce and incorporate financial and accounting experts among their members. With the proposed changes, cybersecurity experts are likely to become the next critical boardroom addition, as disclosures will reveal which firms lack this skill set at the top levels of leadership.
In the present regulatory climate, it appears to be only a matter of time before the SEC requires funds and other financial investment firms to include a Chief Information Security Officer (CISO) in major decision making. In fact, CISOs (senior-level executives with expertise in information and data security) are already a permanent fixture in over 80% of all major corporations.
How Do the Proposed SEC Amendments Affect Family Offices?
Although family offices are currently exempt from SEC registration, recently introduced legislation (H.R. 4620, the Family Office Regulation Act of 2021) could limit that exemption. While family offices currently fly under the radar because of their small size and discreet clientele, that doesn’t mean they’re invisible to cybercriminals. According to a UBS Global Family Office Report, more than 20% of family offices in North America had experienced a cyberattack.
That threat level has only gone up in more recent years. In 2022, a survey of 250 family offices across 12 countries demonstrated that nearly 75% had suffered breaches caused by cyberattacks. The following factors make family offices an attractive target for cybercriminals:
- Smaller staff with access to large amounts of sensitive data
- Data on high-net-worth (HNW) and ultra-high-net-worth (UHNW) families and individuals
- A focus on reputation and discretion that makes them easy targets for blackmail and extortion
Practical Solutions to Improve Cybersecurity
Many of the security concerns that bigger firms face also apply to family offices. These vulnerabilities include outdated software and digital certificates, staff using personal devices and unsecured connections such as public Wi-Fi, staff using weak passwords, and the absence of multi-factor authentication.
Developing a strong information security program based on the following guidelines, however, can help reduce the cybercrime risk for both groups:
- Provide better staff training regarding digital security best practices, credential management, and device security updates.
- Adapt your organization’s IT infrastructure for a remote work/hybrid office arrangement with VPNs, multi-factor authentication, automated certificate management, better PKI, etc.
- Create detailed policies for employees regarding IT security minimum requirements for WFH and BYOD.
- Prepare adequate incident response plans for everything from loss of sensitive data on a missing laptop to phishing attacks and ransomware incidents.
- Perform continuous monitoring, frequent penetration testing, and regular cybersecurity preparedness assessments.
- Enlist a CISO to create a practical roadmap for cybersecurity that covers all the bases without having a prohibitively painful impact on your overhead costs.
Does Your Firm Need a CISO?
All these activities fall under the rapidly expanding job description of a CISO. But for many firms, hiring a full-time executive and maintaining a team for 24/7 monitoring can be prohibitively expensive. In this climate, outsourcing can provide organizations with a practical solution. Firms can consider hiring a virtual CISO to help them develop clear (and more affordable) parameters for cybersecurity.
The Bottom Line
In the present regulatory climate, it’s only a matter of time before the SEC requires funds and other financial investment firms to employ a CISO.
Looking for support for your firm’s most pressing challenges, such as cybersecurity? Arootah Business Consulting propels your business forward by leveraging our experience across the key areas of a firm: investments and operations. Learn how our experienced industry veterans can support your firm throughout the entire life cycle: from startup to raising capital to ongoing operations and beyond.