The Advisor’s Guide to SEC Cybersecurity Compliance
As a financial professional, technology is intertwined throughout everything you do: prospecting, onboarding, portfolio management, financial planning, meetings – it’s everywhere. The efficiency, convenience and scalability that tech offers has completely changed the way advisors operate for the better.
But all that streamlining comes with no small amount of risk – namely, cybercrime. The cybersecurity of your systems can make the difference between protecting your firm’s (and your clients’) most valuable information, and leaving it out there for any hacker with enough skill and willpower to go after it.
The SEC has prioritized cybersecurity the last few years and implemented regulations for advisory firms to keep ahead of digital threats. Today, we’re exploring why cybersecurity is important, what laws the SEC has adopted concerning digital security and three steps you can take to stay compliant in 2024 – let’s dive in.
The Cost of Cybersecurity for Financial Advisors
If you’re wondering whether cybersecurity is really a problem, the facts paint a pretty jarring picture:
In 2022 alone, more than 24 billion username-and-password pairs were found exposed and circulating on criminal markets, and for the financial industry those stolen credentials translate into heavy losses: the average cost of a data breach in the financial sector was roughly $6 million, the second-highest of any industry behind healthcare.
Statista writes that “the United States is one of the biggest financial markets worldwide and is a target for a considerable share of cyber attacks” and warns that cyberattacks within finance are evolving beyond websites to transaction systems as well.
SEC Regulation and Guidance: What You Need to Know
The SEC’s most recent cybersecurity rules were adopted in July 2023. They apply to public companies that report to the SEC, which are required to “disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” Rules written specifically for registered investment advisers were proposed in February 2022 and had not been finalized at the time of writing, but the 2023 rules are the clearest statement yet of what the SEC expects from any firm it oversees.
In practice, the rules require covered firms to:
- Describe, in their annual report, their processes for assessing, identifying and managing material cybersecurity risks, together with management’s role and the board’s oversight of those risks
- Disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at discovery), including its nature, scope, timing and likely impact
- Provide accurate and complete disclosures in accordance with the rule
The SEC is serious about cybersecurity
In May 2022, a little over a year before that adoption, the SEC nearly doubled the size of its Crypto Assets and Cyber Unit, a clear message that it is serious about cybersecurity and expects firms to be as well.
In October 2023, the SEC brought its first enforcement action to charge a company’s Chief Information Security Officer individually, alleging that the company and its CISO had “misled investors about its cybersecurity practices and known risks.” The lesson for advisers is that what you say about your security posture is itself a disclosure, and it has to match what your controls actually do.
How to Achieve Cybersecurity Compliance in 2024: 3 Steps for Success
Staying ahead of the cybersecurity curve requires a multi-pronged approach. Here are three key steps to help your firm find regulatory success and security in 2024:
1. Stay informed
To be cyber-compliant, it’s important that you stay aware of:
- SEC regulations
- Emerging cyber threats
- Best practices for cybersecurity prevention and what to do in the event of a breach
While this responsibility may fall primarily on your Chief Compliance Officer (CCO), every member of your organization needs access to the knowledge and resources necessary to protect your data.
One of the simplest and most impactful places to start is password security. A unique password for every account is the first line of defense: when a password is reused, one breached site hands attackers working credentials for every other site where it was reused, an attack known as credential stuffing. Yet a staggering 88% of people reuse the same password across accounts. Pair unique passwords with a password manager (so that uniqueness is practical) and multi-factor authentication (so that a stolen password alone is not enough).
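As an added example (not part of the original article and not Nitrogen’s own tooling), here is a small Python audit a CCO could run over a password-manager export to find the reuse the paragraph above warns about, along with passwords that appear in a breached-password list or are simply weak. The CSV layout, the sample accounts and the stand-in breached-password list are all constructed for the example; the report deliberately carries only a five-character hash prefix, never the password itself.

```python
import csv
import hashlib
import io
import math
from collections import defaultdict

# Constructed sample export in the shape of a typical password-manager CSV.
# Every record here is made up for the example; none is a real credential.
SAMPLE_EXPORT = """site,username,password
custodian.example,advisor1,Correct-Horse-Battery-9!
crm.example,advisor1,Correct-Horse-Battery-9!
planning.example,advisor1,Summer2023
email.example,advisor1,x7#Qm9!pLz2@Rt4v
"""

# Constructed stand-in for a breached-password corpus. Such lists are usually
# distributed as SHA-1 hashes rather than plaintext; this one is an assumption
# made for the example, not a real dataset.
BREACHED_SHA1 = {
    hashlib.sha1(b"Summer2023").hexdigest().upper(),
    hashlib.sha1(b"Password1").hexdigest().upper(),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form breached-password lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def estimate_entropy_bits(password: str) -> float:
    """Rough strength estimate: length times log2 of the character pool.

    This is an upper bound. 'Summer2023' scores about 59.5 bits here but is
    a trivial dictionary pattern, which is why the breached-list check matters.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def audit(csv_text: str, breached=BREACHED_SHA1, min_bits: float = 64.0) -> list:
    """Flag reused, breached and weak passwords in a password-manager export.

    The report carries only the first five hex characters of each SHA-1 hash
    (the same prefix used by k-anonymity breach lookups), never the password.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Group sites by password hash so reuse is visible without keeping plaintext around.
    sites_by_hash = defaultdict(list)
    for row in rows:
        sites_by_hash[sha1_hex(row["password"])].append(row["site"])

    findings = []
    for row in rows:
        digest = sha1_hex(row["password"])
        issues = []
        if len(sites_by_hash[digest]) > 1:
            issues.append("reused")
        if digest in breached:
            issues.append("breached")
        if estimate_entropy_bits(row["password"]) < min_bits:
            issues.append("weak")
        if issues:
            findings.append({
                "site": row["site"],
                "username": row["username"],
                "hash_prefix": digest[:5],
                "issues": issues,
                "shared_with": [s for s in sites_by_hash[digest] if s != row["site"]],
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On the sample export the two accounts sharing “Correct-Horse-Battery-9!” are reported as reused, “Summer2023” is reported as both breached and weak, and the long random email password produces no finding. The class-based entropy estimate is only a coarse filter; the breached-list comparison is what catches common patterns that score well on length alone.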
You can also point your staff toward educational resources like the SEC’s cybersecurity page, which offers updates, relevant Risk Alerts and even an interactive quiz on cybersecurity knowledge.
2. Embrace tech solutions
Although it might seem counterintuitive, one of the best ways to fight cybercrime is to invest in robust technology. The right tech tools can help your firm monitor for risks and add extra layers of protection between you and would-be hackers.
As you explore which software solutions are the best fit for your firm, do your due diligence and make sure they uphold stringent security standards. Before you implement any new program, ask about its security practices, including how confidential data is sent and stored: Is data encrypted in transit and at rest? Does the product support multi-factor authentication and single sign-on? Can the vendor share an independent audit report such as a SOC 2? How quickly, and under what contractual obligation, would the vendor notify you of a breach affecting your data? The answers feed directly into the incident-disclosure obligations described above.
For example, we use a secure open API to send and receive data for our proprietary Risk Number questionnaire. Because the API lets systems “speak” directly to one another, there is no need to download data to a device, reformat it and re-upload it to another system, which removes stray copies of client data from laptops, inboxes and spreadsheets and saves your team time. Treat an API integration like any other data path, though: know which credentials it uses, what data those credentials can reach and where its activity is logged.
3. Be transparent
Lastly, one of the core tenets of SEC cybersecurity compliance is transparency between your firm and investors. To that end, your firm should disclose its cybersecurity risk management and governance practices on a regular basis and inform clients promptly of any material incident.
A commitment to transparency fosters trust and demonstrates your dedication to client protection.
By prioritizing cybersecurity and actively adhering to the SEC’s evolving regulations, you can safeguard your firm and your clients from the unfortunate reality of cyberattacks. With a complete knowledge of regulations, a security-savvy tech stack and a commitment to advisor-client transparency, you can tackle cybersecurity with confidence in 2024.
Get Started with Nitrogen
Gain access to portfolio-level analytics that can drive your client engagement and inform your compliance processes. Click here to request a free demo today.