Cyber Risks Beyond Your Four Walls

Even before Mary Jo White, then-chair of the Securities and Exchange Commission (SEC), in 2016 declared cybersecurity risks to be the biggest threat to the financial system, [1] firms were pressured to tackle their cyber exposures. The pressure has only grown since.


At a national level, we have Rule 30 of the SEC’s Regulation S-P, under which firms must adopt written policies and procedures to protect customer information. The Commodity Futures Trading Commission (CFTC) has also published its rules on IT system safeguards testing. [2] At a state level, meanwhile, as of February, firms must file certificates of compliance with new requirements of the New York Department of Financial Services (NYDFS) to establish and maintain a cybersecurity program.

This last set of rules is among the more detailed and includes the requirement that the cybersecurity policy must cover “vendor and third-party service provider management.” The NYDFS is not the first regulator to note that third-party vendors are an area of particular vulnerability, though. The SEC has long recognized this, [3] and, more recently, the Financial Industry Regulatory Authority’s examination of firms’ cybersecurity also identified weaknesses in some firms’ processes for reviewing vendors’ security. [4]

With regulatory scrutiny on cybersecurity increasing, it’s likely this will become an increasing area of risk for firms—and not just in the United States. In Europe, the General Data Protection Regulation (GDPR) is hugely increasing the stakes this year when it boosts potential penalties for the most serious breaches to €20 million, or 4% of global annual turnover.


Regardless of the incentives to address third-party cyber risks, getting to grips with them won’t be easy for firms. A recent study by the Ponemon Institute found that 57% of companies don’t have an inventory of the third parties they are sharing sensitive information with, and the same proportion do not know whether third parties’ policies would prevent a data breach. [5]

Addressing that will require firms to start by thoroughly mapping their data and tracking its flows throughout the organization. Investor funds should be tracked from collection by marketing teams soliciting new investments, through document processing and administrator services, to redemptions. Staff details should be tracked from CVs and background checks at recruitment, to storage of the relevant records, to the removal of logins and access by IT when a staff member leaves.

All these efforts will take time, though, and time is running out. Not only will we almost certainly see regulatory enforcement increasing in this area, but investors’ patience is also likely to prove limited. Firms that don’t address the risks to clients’ data may find that investors take action themselves and decide to put their data and their money elsewhere.


Sources:

[1] https://www.reuters.com/article/us-finance-summit-sec/sec-says-cyber-security-biggest-risk-to-financial-system-idUSKCN0Y82K4
[2] http://www.cftc.gov/PressRoom/PressReleases/pr7442-16
[3] www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
[4] https://www.finra.org/industry/2017-report-exam-findings/cybersecurity
[5] https://www.opus.com/ponemon
