The U.S. financial services regulatory landscape is in a state of constant flux. Organizations face a myriad of proposed changes over the next few years, signalling a recognition of the sector’s role in critical infrastructure and the increasing importance that regulators are placing on cybersecurity.
Organization leaders and board members should view the proposed changes, which call for greater transparency into cybersecurity incident and risk management, as an opportunity to drive wider security improvements and organizational resilience.
In the U.S., three major cybersecurity regulations have already affected or will affect the financial services sector:
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires U.S. critical infrastructure sectors to report substantial cyber incidents and ransomware payments to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
- The U.S. Securities and Exchange Commission (SEC) proposed extensive cybersecurity obligations for public organizations, mandating stringent and informative disclosure requirements for cybersecurity incidents, risk management strategy, and governance.
- The New York Department of Financial Services (NYDFS) amended its cybersecurity regulation to stipulate minimum controls that must be implemented, to extend incident reporting obligations to breaches at third parties, and to require reporting on cybersecurity governance practices.
The proposed rules follow regulations recently enacted by the National Credit Union Administration (NCUA), which require federally insured credit unions to report cyber incidents to the NCUA no later than 72 hours after the credit union reasonably believes a reportable incident has occurred.
Despite differences in scope, the proposed changes can be distilled into two broad thematic requirements, which other industries will likely have to navigate in the future.
Broader situational awareness through enhanced cybersecurity incident disclosures
The three regulations are congruent in mandating more rigorous incident reporting, with notification required 24-96 hours after a triggering event. Note that the clock does not start from the same point in each regime: some deadlines run from the incident itself, others from the moment the firm determines that the incident is reportable (for the SEC, from the determination that it is material), so the response process must record when each determination is made.
Greater scrutiny is placed on ransom payments; firms will no longer be able to make ransom payments discreetly. Under CIRCIA, firms will be required to report ransom payments no later than 24 hours after the payment. NYDFS likewise requires notice of an extortion payment within 24 hours, followed by a written description detailing why the payment was necessary, the alternatives considered, and the due diligence taken to assess those alternatives and to confirm that the payment complied with applicable rules, including sanctions requirements.
Greater emphasis is also placed on organizations' incident readiness, incident management, and remediation. Organizations are required to keep the SEC and NYDFS informed of changes to policies and remedial controls. Under the SEC rules, the organization must also disclose its cybersecurity governance, including management's role and the board's oversight, to shareholders.
Improvements in information sharing between firms, the regulators, and shareholders will increase the situational awareness of threats faced by the financial community. Moreover, shining a public spotlight on firms' incident readiness practices will push organizations to mature their cyber incident response programs, or risk being seen as an organization with poor cyber hygiene, with consequences for reputation and value.
Organizations need to disclose enough to satisfy regulators and shareholders without revealing details that would compromise security. A disclosure should describe the nature, scope, and impact of an incident and the governance around it, not unremediated weaknesses, specific technical details of a breach, or the contents of response playbooks that an attacker could exploit. Deciding in advance which categories of information are releasable, and routing draft disclosures through security review before they are filed, keeps transparency from becoming an additional exposure.
Transparency into the board’s cybersecurity oversight and expertise
Regulations proposed by the SEC and NYDFS place greater emphasis and accountability on boards’ oversight of cybersecurity, including disclosures on whether the entire board, specific board members, or a board committee is responsible for the supervision and direction of the cybersecurity risk management program.
Under both regulations, the cybersecurity experience, certifications, and skills of the board of directors will be spotlighted. The regulations require boards to possess sufficient cybersecurity expertise or be advised by someone with sufficient expertise and knowledge to exercise effective oversight and approve the policies that underpin organizational security.
The proposed measures place cybersecurity on the agenda of board meetings and drive demand for cybersecurity knowledge among leaders. Possessing the appropriate top-level cybersecurity expertise, and giving the board a regular forum in which the security function reports on risk and control effectiveness, drives the alignment of cybersecurity strategy with wider business strategy.
Positioning your organization for success
Reporting is one piece of a larger puzzle, but the signal of intent is clear – greater transparency into cybersecurity programs is required.
In addition to assessing organizational compliance with applicable regulations to identify gaps, organizations can begin positioning themselves for success by completing quick-win items and planning longer-term strategic initiatives.
- Update and exercise incident response processes: Response plans should be reviewed and updated to incorporate the notification timelines, recipients, and content that each applicable regulator requires, including who decides that an incident is reportable and how that decision and its timing are recorded. Ransom payment strategies should be documented and understood by the executive team and board. The response program should be tested at least annually via a tabletop exercise that runs through the disclosure decision as well as the technical response.
- Enhance cybersecurity reporting capability: Extend the executive and operational Key Performance Indicators (KPIs) that are used to measure the efficacy of key security controls to include cybersecurity governance and board-level oversight and expertise.
- Promote situational awareness of novel threats and forthcoming regulations: Joining and actively participating in cybersecurity communities facilitates the sharing of pertinent risks and upcoming regulations within the financial services community. Embedding the information received into the firm's cyber risk management program drives proactive security.
- Strengthen relationships between the board and the firm's cybersecurity experts: Building strong relationships between security specialists and the board requires more than simply extending an invitation to board meetings. Cybersecurity education should be targeted at the board level, focusing not only on the latest threats and news headlines but also on the board's role with respect to security. The board learns that role best by participating in tabletop exercises and by understanding the level of investment required to manage the organization's risks.
Our clients that have successfully positioned their organizations for the forthcoming regulation share board-level buy-in and enthusiasm for driving the proposed changes. They view the regulatory changes as an opportunity to strengthen the organization's cybersecurity resilience and to bring a fresh pair of eyes to the evaluation of the cybersecurity program.
To drive an adaptive approach to cybersecurity, organizations must build relationships and establish regular dialogue between the board and the cybersecurity function, and improve situational awareness through information sharing within trusted communities and real-time monitoring of the threats that their industry is facing.