Even before Mary Jo White, then chair of the Securities and Exchange Commission (SEC), declared in 2016 that cybersecurity was the biggest risk facing the financial system, firms were under pressure to tackle their cyber exposures. That pressure has only grown since.
At the federal level, Rule 30 of the SEC’s Regulation S-P (the Safeguards Rule) requires firms to adopt written policies and procedures to protect customer records and information. The Commodity Futures Trading Commission (CFTC) has also published rules on system safeguards testing.2 At the state level, meanwhile, as of February firms must file certificates of compliance with the New York Department of Financial Services (NYDFS) cybersecurity regulation, which requires them to establish and maintain a cybersecurity program.
This last set of rules is among the more detailed and requires that the cybersecurity policy address “vendor and third-party service provider management.” The NYDFS is not the first regulator to single out third-party vendors as an area of particular vulnerability, though. The SEC has long recognized this,3 and, more recently, the Financial Industry Regulatory Authority’s (FINRA) examinations of firms’ cybersecurity also identified weaknesses in some firms’ processes for reviewing vendors’ security.4
With regulatory scrutiny of cybersecurity increasing, third-party risk is likely to become a growing area of exposure for firms, and not just in the United States. In Europe, the General Data Protection Regulation (GDPR) raises the stakes considerably this year by increasing the maximum penalty for the most serious breaches to €20 million or 4% of global annual turnover, whichever is higher.
Regardless of the incentives to address third-party cyber risks, getting to grips with them won’t be easy for firms. A recent study by the Ponemon Institute found that 57% of companies don’t have an inventory of the third parties they are sharing sensitive information with, and the same proportion do not know if third parties’ policies would prevent a data breach.5
Addressing that will require firms to start by thoroughly mapping their data and tracking its flows throughout the organization. Investor data should be tracked from its collection by marketing teams soliciting new investments, through document processing and administrator services, to redemption. Staff data should be tracked from CVs and background checks at recruitment, through storage of the relevant records, to removal of logins and access by IT when a staff member leaves. At each stage the map should record which third parties receive or process the data, since that inventory is precisely what most firms lack.
All these efforts will take time, though, and time is running out. Not only will we almost certainly see regulatory enforcement increasing in this area, but investors’ patience is also likely to prove limited. Firms that don’t address the risks to clients’ data may find that investors take action themselves and decide to put their data and their money elsewhere.