Navigating the intersection of Financial Regulations, Cybersecurity, and IT Asset Risks: What it means for CISOs and how they can comply

Due to the growing number of cyberattacks and their increasing severity, financial regulators are increasingly interested in mitigating these cyber risks. As a result, regulators are creating and enacting stricter regulations related to cybersecurity in the global financial industry, with severe penalties for non-compliance. The new regulations will impact chief information security officers’ (CISOs’) asset risk management efforts and even their roles in their enterprises.

One of the new regulations is the U.S. Securities and Exchange Commission’s proposed “rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (‘registrants’) that are subject to the reporting requirements of the Securities Exchange Act of 1934.” These amendments will take effect this spring and will require public companies to disclose to investors, in a standardized manner, their cybersecurity policies, procedures, and competencies, any cybersecurity incidents that occur, and updates regarding past cybersecurity incidents.

European regulators also are requiring firms to shield against cybercrime. The European Union’s NIS2 Directive (Network Information Security 2 Directive), which includes “measures for a high common level of cybersecurity across the Union,” takes effect on October 17, 2024. According to Article 21 (Cybersecurity risk-management measures), “essential and important entities must … manage the risks posed to the security of network and information systems … and prevent or minimize the impact of incidents … strengthening EU’s cybersecurity posture by expanding the scope of the directive and introducing more stringent rules, especially those about cybersecurity risk management, including among the supply chain.”

In light of the new regulations and the damage caused by cybercrime, cybersecurity and asset risk management are becoming a business concern for financial organizations — no longer only the security/IT team’s concern. As IT research firm Gartner recognized, corporate boards now view cybersecurity as a business risk, and CISOs will increasingly need to present cybersecurity to business stakeholders as a business risk rather than a technology matter. Now, more than ever, to comply with new regulations and to address the concerns of business leaders and corporate boards, CISOs need to know and understand their entire asset environment and manage the associated risks.

Managing the entire asset environment is difficult, however: more than 60% of devices connected to a financial services organization’s network are neither noticed nor managed, a gap that has widened with the growth of hybrid working, IoT, and the use of personal devices.

Although it is a demanding task for CISOs to know and understand their entire asset environment and manage the associated risks, there are several steps they can take to make it possible. For example, CISOs could use IT asset management solutions that are scalable and account for any asset type (IT/OT/IoT), whether managed or not, and wherever the asset is being used. They could implement solutions to document the presence of authorized and unauthorized devices, the exact device models, the identity of those using them and how they are using them, the risk level of the devices and the users themselves, and whether the devices have any known vulnerabilities. CISOs also could deploy IT asset management solutions that automatically block from the network unknown and unwanted devices and those that breach access control rules. Finally, continuously monitoring network-connected devices ensures real-time visibility and control.
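The steps above amount to a reconciliation loop: compare what is actually seen on the network against the authorized inventory, enrich each device with ownership and known-vulnerability data, and derive an action (allow, monitor, quarantine, or block). The following Python script is an added illustration of that loop and is not code from the article or from any asset management product; the device records, the inventory, the firmware advisory identifier `ADV-PLACEHOLDER-1`, and the MAC addresses are all constructed sample data.

```python
"""Asset inventory reconciliation (illustrative, constructed data).

Compares devices observed on the network against an authorized inventory and a
table of known-vulnerable model/firmware pairs, then assigns one action per
device: allow, monitor, quarantine or block.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Severity order used to pick the single action reported per device.
ACTION_RANK = {"allow": 0, "monitor": 1, "quarantine": 2, "block": 3}


@dataclass(frozen=True)
class Observed:
    """One device seen on the network (e.g. from a NAC or DHCP feed)."""
    mac: str
    ip: str
    model: str
    firmware: str
    user: Optional[str]  # authenticated identity, None if none was seen


@dataclass(frozen=True)
class Asset:
    """One record in the authorized asset inventory."""
    mac: str
    kind: str             # "IT", "OT" or "IoT"
    owner: Optional[str]  # assigned user; None for shared/unattended devices


@dataclass(frozen=True)
class Finding:
    mac: str
    status: str                # "authorized" or "unknown"
    issues: Tuple[str, ...]    # reasons behind the action
    action: str                # "allow", "monitor", "quarantine" or "block"


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-CC-00-00-03' and 'aa:bb:cc:00:00:03' match."""
    return mac.strip().lower().replace("-", ":")


def reconcile(observed: Iterable[Observed], inventory: Iterable[Asset],
              vulnerable_firmware: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Classify every observed device against the inventory and advisory table."""
    by_mac = {normalize_mac(a.mac): a for a in inventory}
    findings: List[Finding] = []
    for dev in observed:
        mac = normalize_mac(dev.mac)
        asset = by_mac.get(mac)
        issues: List[str] = []
        actions = ["allow"]

        # Known-vulnerable model/firmware pair: flag it whoever owns the device.
        advisory = vulnerable_firmware.get((dev.model, dev.firmware))
        if advisory:
            issues.append(f"vulnerable:{advisory}")
            actions.append("monitor")

        if asset is None:
            # Not in the inventory at all: the unknown/unwanted device case.
            issues.append("not-in-inventory")
            actions.append("block")
            status = "unknown"
        else:
            status = "authorized"
            if asset.owner and dev.user and dev.user != asset.owner:
                # Someone other than the assigned user is on the device.
                issues.append("owner-mismatch")
                actions.append("quarantine")
            elif asset.owner and dev.user is None:
                # Assigned device seen without any authenticated identity.
                issues.append("unauthenticated")
                actions.append("monitor")

        action = max(actions, key=ACTION_RANK.__getitem__)
        findings.append(Finding(mac, status, tuple(issues), action))
    return findings


def managed_ratio(findings: List[Finding]) -> float:
    """Share of observed devices that appear in the inventory."""
    if not findings:
        return 0.0
    return sum(f.status == "authorized" for f in findings) / len(findings)


# Constructed sample data; the advisory id is a placeholder, not a real one.
INVENTORY = [
    Asset("aa:bb:cc:00:00:01", "IT", "alice"),
    Asset("aa:bb:cc:00:00:02", "IT", "bob"),
    Asset("aa:bb:cc:00:00:03", "IoT", None),
    Asset("aa:bb:cc:00:00:04", "IT", "carol"),
]
VULNERABLE_FIRMWARE = {("laptop-x1", "10.1"): "ADV-PLACEHOLDER-1"}
OBSERVED = [
    Observed("aa:bb:cc:00:00:01", "10.0.0.11", "laptop-x1", "10.2", "alice"),
    Observed("aa:bb:cc:00:00:02", "10.0.0.12", "laptop-x1", "10.1", "bob"),
    Observed("AA-BB-CC-00-00-03", "10.0.0.13", "badge-reader", "3.0", None),
    Observed("aa:bb:cc:00:00:04", "10.0.0.14", "laptop-x1", "10.2", "dave"),
    Observed("aa:bb:cc:00:00:05", "10.0.0.15", "phone", "17.0", None),
]


def run_sample() -> List[Finding]:
    return reconcile(OBSERVED, INVENTORY, VULNERABLE_FIRMWARE)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.mac}  {f.status:<10} {f.action:<10} {', '.join(f.issues)}")
    print(f"managed ratio: {managed_ratio(results):.0%}")
```

The `managed_ratio` figure is the number a board-level report would track against the 60% unmanaged statistic cited above; the per-device `issues` tuple is what an analyst needs to justify a quarantine or block decision when an auditor asks why a device was cut off.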

Other U.S. regulations, such as the Securities Exchange Act of 1934, include stringent provisions for capturing business communications, but these are extremely difficult to enforce because employees can communicate about business on personal devices that are not connected to the network. Although capturing business communications is quite separate from cybersecurity, corporate boards and business leaders view it as a related business risk involving devices. While there is no solution for monitoring business communications on devices that are not connected to a company’s network, many of the devices that are connected to the network are unmanaged — more than those that are managed. By managing all network-connected devices, enterprises can better capture business communications and strengthen their compliance.

There are significant consequences for non-compliance in the United States and Europe. For example, in September 2022 the U.S. Securities and Exchange Commission announced charges against 15 broker-dealers and one affiliated investment adviser for “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications,” in violation of “certain recordkeeping provisions of the Securities Exchange Act of 1934.” The firms agreed to pay combined penalties of more than $1.1 billion and to improve their compliance policies and procedures. For European financial organizations that don’t comply with the NIS2 Directive, EU member states will be required “to provide a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.”

CISOs within the financial services sector confront formidable hurdles in meeting evolving cybersecurity regulations. With the SEC intensifying its scrutiny and enforcement, notably in its action involving SolarWinds’ CISO, comprehensive management of all network-accessing devices and their inherent risks emerges as an indispensable part of an organization’s cybersecurity and compliance framework.

© 2023 SRC Cyber Solutions LLP. All Rights Reserved.