On episode 95 of the CCO Buzz podcast, we discuss the growing focus of regulators on cybersecurity!
CCO Buzz: Hello and welcome back to the CCO Buzz! Where has the time gone? We can’t believe it’s already March and we’re approaching the end of Q1. With Q2 around the corner, most firms are taking the opportunity to assess what else is on the horizon for 2022. Yes, the year has only begun, but what is your firm doing to reach its full potential?
With the world and the industry navigating this fluid new normal, firms are adjusting to the evolving market space and the opportunities it has created for investors and investment professionals.
For today’s episode, we’re joined by Core Compliance’s Compliance Consultant. He’s here to discuss his upcoming Risk Management Update, “The Cybersecurity Evergreen: How Regulators Are Growing Their Focus on Cyberthreats and Protections,” which provides an in-depth look at the progression of a cyber-based economy for the industry, the trending growth of malicious activity, as well as the continuous efforts of the SEC and other regulatory bodies to provide proactive rules and guidance for protecting the investment market participants and their assets.
With that, let’s begin…
As the world and industry continue to go through the ebbs and flows of social-distancing and closures to “reopening” from the early protective measures of the COVID-19 pandemic, how has the industry responded and transformed for continued client service?
Core Compliance: It’s funny that you mention that. I’m not sure if you realized, but two years ago this month, our country, along with many others, began implementing social-distancing measures due to the outbreak of the COVID-19 virus. As a society, we adjusted and began the shift to working from home, where possible of course, and companies adapted their methods of serving clients remotely, which included video conferences and multiple digital communication platforms.
But even before the pandemic, firms were already making moves towards a more digital and paperless approach to service and protocol. With the on-demand access and ease of sharing, storing and document management, embracing the new digital landscape and cloud-based systems became a critical need for firms adjusting to remote work.
But with the rise of need and the cross-over to cloud-based systems, so too do the risk and vulnerability increase, along with the chance of data breaches and cyber threats.
CCO Buzz: That’s an interesting concept to unpack – how the ease of access for a firm or organization is not only beneficial for the service and synergy of the client and team, but how that same exact benefit is also a threat to the organization regarding data protection and access.
Core Compliance: And I unpack that same thought pattern in my article. The investment securities industry is familiar with risk vs. reward, as well as the need to mitigate as much risk as is possible. But when it comes to “cyber servicing”, a firm’s ability to continue delivering ongoing, quality service to investors in a remote environment is, no doubt, rewarding in terms of the firm’s bottom line.
But there is a risk to this approach, a reputational risk. Within this service model, investors further extend their trust in their securities professionals with not only their money and investment, but also their information. Should a cyberattack or security breach occur, it would infringe on that trust and could lead to an exodus of clients who no longer have confidence in service and protection.
CCO Buzz: Wow, I never thought of the impact or the risk vs. reward juggle that firms have to consider. You would think that with this shift in data management and the cloud, cybersecurity breaches would be occurring everywhere and all the time. Wait, are they?
Core Compliance: Don’t panic, don’t panic! Many firms and the industry overall have taken proactive steps for protection. The SEC’s Division of Examinations (“EXAMS”) has regularly released guidance regarding cybersecurity and data protection. And their recommendations often encourage firms to revisit and assess their programs to have more robust systems, policies, and procedures in place to help reduce the cybersecurity risks on an enterprise level.
CCO Buzz: Hmmm, are there certain areas that firms should focus on, on an essential level, within their compliance programs?
Core Compliance: Yes, these include Governance & Risk Management, Access Rights & Controls, Data Loss Prevention, Mobile Security, Incident Response & Resiliency, Vendor Management, and Training & Awareness – just to name a few. But there is much more a firm must do than just this list to ensure protection. These items would just be a good place to start.
As the dependency on technology continues, the SEC and regulatory agencies have continued to provide guidance, including the recently proposed Cybersecurity Risk Management Rules and Amendments.
CCO Buzz: Well, I of all people know a good place to end for a cliffhanger. Listeners, if you want any additional insight into the growing focus on cybersecurity, as well as our understanding of the recently proposed Cybersecurity Risk Management Rules and Amendments, you’ll have to check out his article later this month.
Thank you so much for joining us today. And not to cut you off short, but is there anything else you’d like to share with the listeners?
Core Compliance: Thank you for having me. And yes, if any listeners need assistance with their compliance program or specifically their cybersecurity protocols, the team at Core Compliance can assist firms with preparing cybersecurity assessments and updating procedures. For assistance or more information about our services, please contact us at (619) 278-0020 or visit us at www.corecls.com.