In its Quarterly Cyber Regulations Update: February 2023, the Wall Street Journal highlighted upcoming regulations from multiple U.S. agencies that will impact investment firms’ cybersecurity risk management, governance, and incident disclosure policies. Here are five cybersecurity and privacy best practices to ensure your firm is compliant and secure.

  1. Review and update your cybersecurity risk management program to comply with new regulations from the U.S. Securities and Exchange Commission (SEC) and New York Department of Financial Services (if applicable). Ensure your program covers all the necessary elements, including incident reporting, information disclosure, governance, and oversight.  
  2. If your firm works with third-party vendors (and it likely does), it’s crucial to evaluate your vendor management program to make sure they’re compliant with the latest regulations. Establishing a third-party risk management program will help you review their cybersecurity policies and procedures, conduct third-party risk assessments, and establish a process for incident response and notification.  (Learn more about third-party cybersecurity risk.) 
  3. Update your incident response (IR) plan so that it covers all the necessary elements, including incident detection, containment, investigation, and reporting. The new regulations require companies to report material cybersecurity incidents and to provide periodic updates about previously reported incidents. An effective IR solution responds to a detected breach within minutes, shares regular updates until the incident has been contained and eradicated, defines remediation plans, and delivers a full report with actionable recommendations.
  4. The new privacy laws in the U.S. and EU give consumers more control over their personal information. To be compliant, firms need to have a process for receiving and responding to consumer requests, including access, deletion, and correction. Working with a cybersecurity provider that has experience navigating these policies can help firms take a comprehensive approach to privacy and security, which is essential for protecting personal information. 
  5. Employees are often the weakest link in cybersecurity defenses. Firms should provide cybersecurity training and awareness to all employees to help them understand their role in protecting company data and systems.

To stay ahead of the evolving regulatory landscape, it’s crucial for operations and technology leaders to regularly review their cybersecurity risk management programs, third-party vendor management, incident response plans, and privacy policies and procedures, and to provide cybersecurity awareness training to employees. Agio can help you meet these new regulatory requirements and keep your firm secure and compliant. Read more about our cybersecurity governance programs here.