Regulators are striving to strike a balance between ensuring data security and privacy, and facilitating cyber compliance. As policy-makers attempt to develop a regulatory framework for a safer digital environment, financial firms must appropriately navigate the industry’s everchanging environment.
CSS director of retail wealth manager Korrine Kohm joined 3D/L Financial Group’s regional business consultant Matt Shute on an Advisor Success Series podcast episode called “A Look at the Regulatory Landscape,” where they discussed the regulatory climate and what’s in store for advisory practices going forward.
It’s no secret that financial services organisations are intensifying efforts to enhance compliance effectiveness and sustainability in response to evolving regulatory expectations. The tenets of risk governance and conduct continue to dominate the expectations of regulators and consumers across the industry. In addition, cybersecurity, the protection of consumer data, and the competitive pressures from FinTech firms will only grow in importance.
Kohm said that the regulatory framework in which investment advisers, broker-dealers, investment companies and private funds operate, is changing continuously. This includes new or revised rules or regulatory guidance, interpretations and frequently asked questions. Regardless of the form the change comes in, companies in all sectors must consider the implications of their compliance program. A code of ethics tool is not only beneficial for better administration but also to stay on top of the SEC’s upcoming exams, Kohm said.
Highlighting the key areas which companies must focus on which require an increasing amount of resources, Kohm said cybersecurity and consumer data privacy concerns continue to generate strategic business challenges for financial institutions. As companies increasingly embrace emerging technologies, it’s key for security teams to fully understand the implications and potential risks of cyberattacks.
Kohm said a ransomware attack that shut down the Colonial Pipeline has left all global economies with a reminder that cybersecurity threats are constant and real, and that all sectors must remain vigilant. “I don’t think any organisation out there have been able to truly come to terms and what kind of budget you need for cybersecurity and what you really need to be to put in place,” she added. Indeed, only 5% of companies’ folders are properly protected, according to a Global Data Risk Report.
Given that cybercrime cost is estimated to reach a massive $10.5trn annually By 2025, the challenge for companies is adapting data into a functional and agile risk management strategy to protect employees as well as its customers. Furthermore, in the global environment, more regulators are on the prowl for companies which breach data sovereignty law, resulting in massive fines.
Kohm advised that companies – irrespective of their size – should be prepared for a hack attack. Many smaller companies harbour the belief that they are safe from cyberattacks and only large companies have the threat of a breach. However, Kohm pointed out that these smaller firms still have sensitive data such as clients’ security numbers, date of birth, and brokerage account numbers, making them a potential target.
Detailing on a few simple strategies, Kohm said that while it’s important to allocate resources towards robust cybersecurity software, it is equally essential to organise training programmes for employees. Kohm said, “Even if you’re a small firm of like five people, you need to consider what resources you need. Do a vulnerability test, a penetration test, phishing tests for your staff and see who clicked on that link that should not have clicked on and, more importantly, provide them with the training and the education to make sure that they don’t do it again.”
Speaking of CSS, Kohm said that given it has offices in Ireland and England, it is held to the GDPR standards which is “a really high privacy standard.” “We do take cybersecurity really seriously. We’ve had external IT audits of ourselves. And these are the things that we also recommend our clients do.”
Policymakers continue to prioritise cybersecurity with stricter regulations around cybersecurity. The US Department of Labor (DOL) stepped up its expectations of firms when it comes to cybersecurity. In April, it released a set of risk alerts and a collection of best practices on having a well-documented information security program. The guidance covered governance, access controls, encryption, software development lifecycle and incident response, as well as annual cyber risk assessments, regular independent security testing, and periodic security awareness training. Kohm said, as additional regulators including SEC and NIST take a closer look at financial organisations’ cybersecurity posture, it is imperative that firms periodically evaluate the effectiveness of their information security controls.