Finance industry regulators are expected to crack down on cybersecurity in 2019, including with penalties levied on firms that fail to protect customer data or respond to a breach appropriately, InvestmentNews writes.
How Changes in 2018 Indicate a Regulatory Shift
Many firms see cybersecurity as just another compliance issue to be “ticked off,” but a policy that exists only on paper and is never implemented gives a false sense of security, which can leave firms open to attacks and fines, InvestmentNews writes.
Last year, the SEC named cybersecurity a priority, asked for increased funding for cybersecurity personnel and updated its guidance on companies’ obligations, the publication writes.
The regulator also published a report of nine undisclosed cyber attacks to act as a warning and reiterate firms’ responsibilities, according to InvestmentNews.
The SEC is focusing on companies’ failures to report breaches, as evidenced by Yahoo’s $35 million fine, as well as the need for firms to continuously test and update their cybersecurity to ensure its effectiveness, the publication writes.
FINRA also ramped up its efforts in 2018, fining a small broker-dealer for inadequate procedures and updating its 2015 cybersecurity best practices, InvestmentNews writes. Furthermore, state regulators are bringing in their own cybersecurity rules, with 265 bills introduced in 2018 — up from 240 in 2017 and 104 in 2016 — 52 of which have passed into law as of November 6, according to the publication.
It is not a question of if, but when, a firm will suffer an attack, and regulators are looking for advisors to have tried-and-tested responses to breaches, InvestmentNews writes. Unfortunately, while the financial services industry is adapting well to cybersecurity rules, small firms lack the resources to follow through on their paper policies, according to the publication.