
### Investment Firms View AI as a Potential Security Risk


According to a recent study, almost 4 out of 10 compliance professionals in the asset management, investment advisory, and private market sectors have yet to assess AI as a cybersecurity threat. Additionally, a similar proportion have concerns regarding the implementation of the Securities and Exchange Commission’s (SEC) new cybersecurity regulations.


These findings are derived from the 2024 Cybersecurity Benchmarking Survey, a collaborative venture between the ACA Group—a consultancy specializing in financial services management, risk, and compliance—and the National Society of Compliance Professionals (NSCP).

Conducted biannually by ACA Aponix, a division of the ACA Group, and the NSCP, this survey is designed to assist organizations in navigating the growing concerns and uncertainties surrounding security threats. In January and February, 308 international compliance experts from financial service companies participated in the survey.

Key discoveries from the 2024 research include:

Challenges in Compliance: 44% of the respondents expressed uncertainty about the SEC’s rule implementation, while 36% voiced concerns about meeting cyber-incident reporting obligations and deadlines.

Evaluation of AI Risks: Despite 38% of the participants not yet acknowledging AI as a cybersecurity risk and 27% considering AI irrelevant to cybersecurity, nearly half (49%) are in the initial phases of exploring AI for managing cybersecurity risks.

Primary Cyber Threats of Concern to Respondents:

  • Payment fraud/business email compromise (70%)
  • Ransomware (67%)
  • Privacy threats and risks of personal data exposure (52%)

Interestingly, respondents ranked deepfakes as the least concerning, with only 5% identifying them as a significant issue.

Preparedness for Cybersecurity: Almost 80% of compliance professionals are confident in their firms’ ability to handle a cyber breach. However, only 40% have tested their businesses’ response plans internally.

  • Response to Cyber Incidents: About 83% feel equipped to deal with unexpected system failures, with many utilizing digital insurance as a crucial risk management tool.
  • Vendor Security: Despite concerns about vendor due diligence, more than half (51%) of the firms have not updated any vendor contracts with additional cybersecurity clauses in the past 24 months.

Mike Pappacena, a Partner at ACA Aponix, stressed the significance of staying informed about evolving security risks. The study highlights ongoing concerns regarding regulatory compliance, with almost half of the respondents expressing reservations about SEC enforcement.

SEC Regulatory Updates

To tackle security and AI threats in the securities industry, the SEC is currently evaluating at least three projects under its forthcoming regulatory guidance initiatives.

In July 2023, the Commission introduced new regulations to mitigate investor risks associated with conflicts of interest related to broker-dealers (BDs) and investment advisers’ (IAs) utilization of predictive data analytics. These regulations may require BDs and IAs to address potential conflicts arising from predictive analytics and associated technologies.

In April 2023, the SEC issued guidelines mandating market entities to establish and evaluate policies targeting their security risks annually. Furthermore, in March 2022, the SEC proposed a new provision in the Advisers Act, necessitating experts to report significant security incidents impacting the firm, its clients, or personal bank clients. Notably, the SEC emphasized the scrutiny of advanced financial technology as a primary focus in its 2024 examination priorities, particularly among BDs and advisers adopting innovative practices.

The anticipated release date for these initiatives is April 2024.

Overview of the Study

On April 25, a presentation hosted by the organizations will reveal the complete findings of the cybersecurity benchmarking survey.

The survey included 308 financial services firms of various sizes, with 23% managing assets ranging from $2 billion to $10 billion, 15% overseeing under $500 million, 14% handling between $1 billion and $2 billion, and 14% managing over $20 billion in assets.

Additionally, the participating firms represented diverse business categories, with predominant responses from asset managers/non-alternatives (42%), broker-dealers (32%), and alternative investment advisors (11%).

Last modified: March 27, 2024