In response to a surge in cyber crime and a shift toward digitization in financial services, regulators are now turning up the heat on buy-side institutions, forcing management teams to reconsider their approach to cyber security.
The SEC recently unveiled new cyber-risk governance guidance that will impact registered investment advisors, registered investment companies and funds. Consequently, these firms are likely to face more stringent requirements, particularly for cyber risk incident reporting.
Erez Liebermann – the co-chair of the Data Solutions, Cyber and Privacy practice at Linklaters, a global law firm, and a current member of the New York State Cyber Security Advisory Board – is keenly aware of the cyber risk obstacles now facing investment management firms. Liebermann, who also teaches Cyber Incident Response at the University of Texas at Austin Law School, previously worked as the Chief Counsel for Cyber and Privacy at Prudential Financial. He is, moreover, a former federal prosecutor who has prosecuted leaders of large, global hacking rings.
In a recent conversation, Liebermann shared his insights on a range of cyber-risk issues, including the potential impact of the SEC’s proposed rules, and best practices for cyber governance.
Christopher Hetner (CH): Erez, the SEC’s proposed cyber security rules obviously have downstream disclosure, governance and reporting implications. What do they tell us?
Erez Liebermann (EL): The SEC’s proposed rules focus on four key areas.
First, let’s consider their impact on risk management. The SEC is implementing a risk-based approach to cyber security, whereby advisors and funds will need to conduct a risk assessment and align their controls to that risk assessment.
This is not the first such regulation, as the New York Department of Financial Services’ Cyber Security Rule also aligns requirements to risk assessment. Moreover, the OCC recently issued a cease-and-desist order to a bank, and the first part of the required fix was a risk assessment.
The SEC’s newly-proposed rules not only call on the advisors and funds to have policies and procedures that address cyber risks but also include extensive references to third-party risk management.
Second, there is a new reporting requirement to report cyber security incidents to the SEC. While this requirement is limited to “significant incidents,” it could create significant risk of identity theft to investors.
Third, the proposed rules would increase disclosure requirements for cyber security risks and incidents. This is significant. Funds will need to disclose any major cyber security incidents that occurred in the last two years.
Finally, the proposed rules increase record keeping by requiring advisors and funds to maintain books and records of cyber security risks and incidents. The extent of this retention, in terms of logs, could be very extensive.
While these most recent proposals are limited to advisors and funds, prior SEC guidance in 2018 offered rules for disclosure of cyber security risks and incidents for all public companies.
CH: Can you share your experiences in the C-suite and boardroom around the topic of cyber security risk governance?
EL: Board members must oversee the whole organization. Despite calls for board members with cyber expertise, there is no such requirement.
However, board members are expected to have general knowledge of cyber security risks. The challenge for risk practitioners is to explain cyber risks, which are technical and complex by nature, in a clear and logical way that does not require technical expertise.
I have reviewed many cyber risk presentations. Often, these are based on a cybersecurity framework, like the one issued by NIST. The NIST Cybersecurity Framework, for example, has five modules: Identify, Protect, Detect, Response and Recover. An assessment in each of these categories is often on a numeric scale between 0 and 5. But telling a board that the company scored 3.8 out of 5 on the Identify module is not very helpful.
The disconnect is in translating these scores to a framework that a board can understand. For example, it would be helpful if we could identify the financial risk posed by having a score of, say, 3.8 as opposed to a 5.
The result of a discussion that is too technical is that the board is often left without enough material to grab onto and to ask the proper questions.
CH: What’s your perspective on how these regulations will impact the financial services industry?
EL: All financial services companies today have some level of cyber risk. In its 2021 “Board of Directors Survey,” Gartner Inc. found that directors see cybersecurity as one of the greatest business threats. Likewise, Jerome Powell, the U.S. Federal Reserve Chair, recently described cyberattacks as a “most significant financial stability risk.”
The regulators are trying to keep pace with these risks. In turn, the key for financial services businesses is to keep pace with both the risks and the regulators. And that starts with a risk assessment that should then be mapped to the regulations.
CH: Erez, lastly, do you have any additional advice for companies that want to develop cyber security strategies?
EL: Effective cyber security starts with a risk assessment. The risk assessment should map the controls to the risks, and then to the regulations. Keeping that goal in mind, when planning for cyber resiliency, important initial steps include developing an organization’s cyber risk appetite levels in financial terms, based on its unique risk profile, and defining the firm’s effective remediation and mitigation strategy to reduce financial exposure.
Boards should also keep certain items on the cyber resiliency agenda in their discussions with management. On an ongoing basis, the board should keep abreast of how management uses return-on-investment analysis to align the cyber security budget to financial exposure reduction. Moreover, they should oversee the steps that are taken to practically implement the cyber security strategy.
It’s important to remember that the success of a financial approach to cyber risk oversight will vary based on an organization’s cyber security maturity level and the experience of their personnel. Nevertheless, close cyber security collaboration between the board and the risk management team can be an effective way for an organization to address the financial impact of cyber threats.
Christopher Hetner is a risk management expert with more than 25 years of experience in cyber risk, regulatory compliance and corporate governance. He currently serves as an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury), a special advisor for cyber risk for NACD, and a national board member of the Society of Hispanic Professional Engineers. Previously, he worked as the senior cybersecurity advisor to the Securities Exchange Commission Chairs Mary Jo White and Jay Clayton. He can be reached at firstname.lastname@example.org.