A few days ago, the U.S. Securities Exchange Commission (SEC) updated its guidance to public companies for disclosure of cybersecurity risks and incidents. The SEC’s interpretation essentially creates a new regulatory disclosure category for cyber security incidents.

The UK’s Financial Conduct Authority (FCA) also firmly includes cyber security in its regulatory compliance agenda and outlines specific expectations for disclosure of incidents. Similarly, the Monetary Authority of Singapore (MAS) has taken decisive action towards placing cyber security at the top of its agenda by setting up an international advisory panel and appointing its first Chief Cyber Security Officer to drive regulatory standards compliance for the financial services market.

What does this increased focus on cyber security measures mean as the financial services industry continues to incorporate and use cloud based infrastructure? Is it sending the industry a message to stop and lock everything in our own cupboard to keep it secure?

This global trend to make cyber security a regulatory matter is a clear reflection of the actual threat to undisturbed, continuous operation of the global financial markets. Some parts of the market see intervention by the regulators in such matters as an “additional burden”, “over-regulation,” or an “unwelcome distraction” to generating revenue.

I would argue that many parts of the market still struggle to transition their own firms to a state such that regulatory focus is no longer required to drive change in how they manage such systemic risks. Thus, such intervention should be welcomed so market participants can engage and collaborate on how the market operates and mitigates risk. In a world rife with cyber security threats, we are far away from the required cultural shift within the financial services markets—a shift from “brushing issues under the rug” to a culture of proactive disclosure and management of issues faced in day-to-day operations. 

This trend is an opportunity for financial services firms of all sizes to better manage cyber threats as technology changes, regardless of whether regulators place additional reporting requirements on them. It is an opportunity to be transparent and make the appropriate adjustments early enough to protect the business (and ultimately the customer) and secure its future, to proactively apply best practices across the market. That opportunity is where managing an effective transition to cloud technology should focus.

All financial services firms should ask themselves if they can afford to:

1. Consider protection of their vital infrastructure and business operations a lower priority than the big players in the financial markets. Is the threat less important for a small broker or asset manager than a large global bank just because the SEC, FCA, or MAS has not placed reporting requirements on those firms?
2. Take on the cost of managing the evolving cyber security threats alone

The answer to these questions is clearly no. Financial services firms should focus on their core strengths. That is whether they be large firms, with significant IT capacity that choose to retain control and build cloud solutions in house, or smaller firms that cannot afford or choose not to do so.

Of course, retaining infrastructure in house alone does not guarantee more control, as these projects often lack a clear understanding of the following:

1. Criticality of business processes being transitioned
2. Types of data that support those processes
3. Ways in which that data is managed within relevant IT systems
4. Level of risk associated with those business processes and prioritisation of defences

The option for a firm to build its own infrastructure often comes at high cost and can itself become an actual burden to doing business, as opposed to items such as the regulatory reporting requirements being a burden. The issue is therefore not the regulation but the way it is operationalised in the cloud environment. In such cases, the inherent value of moving services to the cloud is greatly diminished.

Therefore, it is critical to follow a clear path of:

1. Understanding the business focus of the services being transitioned and the value and risks of doing so;
2. Partnering with best of breed vendors that can support the technology;
3. Shifting the focus of in-house capabilities and resources to governance of the technology environment and precious data, based on risk environments and ever-changing business priorities;
4. Ensuring all internal stakeholders have the appropriate proactive oversight of how to manage risks in this setup, so nothing is a surprise