SECURING FINANCIAL SERVICES
25th January, 2024 • London, UK
The rise of the regulator: new rules, new requirements, new headaches
In Europe, the UK, the US and Asia, regulators are finally taking cybersecurity seriously
It seems a little odd, given how much regulation there is around market abuse, consumer duty and financial crime, that there has been so little regulatory focus on cybersecurity. Yes, data privacy and resilience have come under the spotlight, but given the huge surge in attacks and the increased risks posed by geopolitical developments, it is surprising regulators have taken so long to revise and add to their rulebooks around cyber.
But they are. In Europe, NIS2 imposes significant new burdens on organisations, and UK-based organisations with EU operations will have no choice but to adhere to them.
In the US, the SEC has just adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.
That statement explicitly links cybersecurity to enterprise value and makes it a matter of legitimate concern to investors. It is another development that ties security to governance, but it also starts to assign real value to good security.
And in Australia (and elsewhere in Asia) regulators are also planning their next moves. In July, a consultation opened on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia's digital economy.
While the regulators continue to develop stricter frameworks around cybersecurity, the hackers have worked out that banks themselves are often very well defended. So instead of attacking directly, it is easier to go in via third parties, or to take out key market infrastructure by the same route.
This year’s attack on Ion Cleared Derivatives, a third-party service provider of cleared derivatives order management, order execution, trading, and trade processing, caused significant disruption and was a taste of how future hacks may look.
And there’s a link to regulation there too: the CFTC noted that the attack compromised firms’ ability to provide regulators with timely and accurate data. So, regulators are beginning to understand that poor security affects their ability to regulate. They will certainly respond.