‘Volatile attitude’ to cybersecurity emerges after SEC attack

The hack on the agency’s EDGAR system is not an excuse to become complacent on cybersecurity, firms are warned.

A lack of examinations and its own recent hack does not mean the Securities and Exchange Commission will take a softer stance on cybersecurity, experts have warned.

Speaking at the Private Equity International Private Fund Finance and Compliance Forum in San Francisco on Thursday, a panel of cybersecurity experts stressed firms must not become complacent in their efforts to prevent cybercrime.

“A concerning volatility in attitude towards cybersecurity has emerged since the SEC attack was made public. Some firms have further ramped up their efforts, while others are saying ‘forget it! If it can happen to the SEC, it will happen to us’. But it’s vital firms stay on top of their procedures,” the senior vice-president at an insurance broker said.

A delegate poll found just 14 percent have had, or are in the process of, an exam by the SEC, but the SVP warned them this number was unlikely to stay low.

“Regulators are always catching up. They issued [a cybersecurity] risk alert [in August], it tells you what they’re looking for, and that should serve as either a warning, or the foundation of your cybersecurity policy,” the SVP said.

The panel advised anyone having difficulty convincing senior management of the importance of cybersecurity should focus on the business and reputational risk associated with an attack, not just the regulatory risk, to get them on board.

“Regulatory risk is almost the baseline,” the CFO of a private fund firm said. “A serious attack could take the business offline for days, and compromise confidential data. It should be stressed that this is a clear risk of insufficient protection.”

Those struggling to managing cyber-risk were advised to turn to external service providers, who can help a firm craft and maintain a cybersecurity policy that’s suitable for their business and become their first line of defence.

“Trying to keep up with cybersecurity threats is a never-ending task, and it can’t be solved by a small in-house technology team alone,” the chief compliance officer of a private fund firm said. “By collaborating with external service providers you can filter down problems much more easily.”

Half of delegates said they have already actively engaged external cybersecurity support, while the other 50 percent said they either haven’t considered it, or were in the early stages of exploring their options.