Christian Scott, COO/CISO at Gotham Security, an Abacus Group Company

The alternative investment industry is a prime target for cyber breaches. February’s ransomware attack on global financial software firm ION Group was a warning to the wider sector. Russia-linked LockBit Ransomware-as-a-Service (RaaS) affiliate hackers disrupted trading activities in international markets, with firms forced to fall back on expensive, inefficient, and potentially non-compliant manual reporting methods. Not only do attacks like these put critical business operations under threat, but firms also risk falling foul of regulations if they lack a sufficient incident response plan. 

 To ensure that firms protect client assets and keep pace with evolving challenges, the Securities and Exchange Commission (SEC) has proposed new cybersecurity requirements for registered advisors and funds. Codifying previous guidance into non-negotiable rules, these requirements will cover every aspect of the security lifecycle and the specific processes a firm implements, encompassing written policies and procedures, transparent governance records, and the timely disclosure of all material cybersecurity incidents to regulators and investors. Failure to comply with the rules could carry significant financial, legal, and national security implications.

 The proposed SEC rules are expected to come into force in the coming months, following a notice and comment period. However, businesses should not drag their feet in making the necessary adjustments – the SEC has also introduced an extensive lookback period preceding the implementation of the rules, meaning that organisations should already be proving they are meeting these heightened demands.

For investment firms, regulatory developments such as these will help boost cyber resilience and client confidence in the safety of investments. However, with a clear expectation that firms should be well aligned to the requirements already, many will need to proactively step up their security oversight and strengthen their technologies, policies, end-user education, and incident response procedures. So, how can organisations prepare for enforcement and maintain compliance in a shifting regulatory landscape?

Changing demands

In today’s complex, fast-changing, and interconnected business environment, the alternative investment sector must continually take account of its evolving risk profile. Additionally, as more and more organisations shift towards more distributed and flexible ways of working, traditional protection perimeters are dissolving, rendering firms more vulnerable to cyber-attack.    

As such, the new SEC rules provide firms with additional instruction around very specific prescriptive requirements. Organisations need to implement and maintain robust written policies and procedures that closely align with ground-level security issues and industry best practices, such as the NIST Cybersecurity framework. Firms must also be ready to gather and present evidence that proves they are following these watertight policies and procedures on a day-to-day basis. With much less room for ambiguity or assumption, the SEC will scrutinise security policies for detail on how a firm is dealing with cyber risks. Documentation must therefore include comprehensive coverage for business continuity planning and incident response.

 As cyber risk management comes increasingly under the spotlight, firms need to ensure it is fully incorporated as a ‘business as usual’ process. This involves the continual tracking and categorisation of evolving vulnerabilities – not just from a technology perspective, but also from an administrative and physical standpoint. Regular risk assessments must include real-time threat and vulnerability management to detect, mitigate, and remediate cybersecurity risks.  

Another crucial aspect of the new rules is the need to report any ‘material’ cybersecurity incidents to investors and regulators within a 48-hour timeframe – a small window for busy investment firms. Meeting this tight deadline will require firms to quickly pull data from many different sources, as the SEC will demand to know what happened, how the incident was addressed, and its specific impacts. Teams will need to be assembled well in advance, working together seamlessly to record, process, summarise, and report key information in a squeezed timeframe.

Funds and advisors will also need to provide prospective and current investors with updated disclosures on previously disclosed cybersecurity incidents over the past two fiscal years. With security leaders increasingly being held to account over lack of disclosure, failure to report incidents at board level could even be considered an act of fraud. 

Keeping pace

Organisations must now take proactive steps to prepare and respond effectively to these upcoming regulatory changes. Cybersecurity policies, incident response, and continuity plans need to be written up and closely aligned with business objectives. These policies and procedures should be backed up with robust evidence that shows organisations are actually following the documentation – firms need to prove it, not just say it. Carefully thought-out policies will also provide the foundation for organisations to evolve their posture as cyber threats escalate and regulatory demands change.

 Robust cybersecurity risk assessments and continuous vulnerability management must also be in place. The first stage of mitigating a cyber risk is understanding the threat – and this requires in-depth real-time insights on how the attack surface is changing. Internal and external systems should be regularly scanned, and firms must integrate third-party and vendor risk assessments to identify any potential supply chain weaknesses.

 Network and cloud penetration testing is another key tenet of compliance. By imitating how an attacker would exploit a vantage point, organisations can check for any weak spots in their strategy before malicious actors attempt to gain an advantage. Due to the rise of ransomware, phishing, and other sophisticated cyber threats, social engineering testing should be conducted alongside conventional penetration testing to cover every attack vector.

It must also be remembered that security and compliance is the responsibility of every person in the organisation. End-user education is a necessity as regulations evolve, as is multi-layered training exercises. This means bringing in immersive simulations, tabletop exercises and real-world examples of security incidents to inform employees of the potential risks and the role they play in protecting the company.

 To successfully navigate the SEC cybersecurity rules – and prepare for future regulatory changes – alternative investment firms must ensure that security is woven into every part of the business. They can do this by establishing robust written policies and adhesion, conducting regular penetration testing and vulnerability scanning, and ensuring the ongoing education and training of employees.

Teresa Cameron, Finance Director at Clear Junction 

Over the last decade, the UK has embraced the fintech revolution with open arms. The remarkable growth and innovation in recent years has transformed the way financial services are delivered and accessed. In the UK, fintech accounts for around half of venture capital in the UK, and as we race to meet consumer demand, we’re seeing the development of new services flood the market: from digital wallets to AI chatbots, biometrics and touch IDs.

London is recognised globally as a crucial hub for fintech innovation, yet with this great power comes great responsibility. Both the FTX and SVB collapses dented trust in fintech, and this has translated into a dip in venture capital investment in the industry, which declined globally by 30%.

2022 was called fintech’s year of reckoning, but 2023 stands as the year to rebuild and we need to recognise that regulation is not a scary word. Now is our chance to be part of the next evolution in fintech, that will solidify it as an accredited and stable industry. By leading the charge now, we can make sure we have a say on what the future of fintech will look like.

Sustainable practices = sustainable growth

The Financial Conduct Authority (FCA) is set to implement its Consumer Duty in the upcoming months. Whereas before, the FCA has broadly been reactive, this will be the first time that the FCA will be formally setting out regulation and will have a proactively structured programme.

One of the most important aspects is to make sure that financial services put the interests of their customers at the heart of their business operations. This means a higher standard of protection across the industry and providing consumers with transparent information, as well as making sure that staff are trained and held accountable.

This is a huge step to regain trust in the industry right now and help raise the bar in what we can offer consumers. Change begins from the inside and by closely working with regulators and adhering to their guidelines, fintechs in the UK can benefit from the increased trust and confidence in the digital currency ecosystem. This approach not only protects consumers and investors but also means that we can bolster the legitimacy and viability of digital currencies as an alternative to traditional financial systems.

Regtech Revolution

It’s estimated that globally $2trillion is laundered annually, and the threat of financial criminals continues to rise as they become more sophisticated and utilise new technology, either through payments, open banking, or crypto. This, twinned with new global regulations and increasing compliance costs, means the need for innovative solutions in the regtech industry has never been greater.

We’ve seen an explosion in AI and machine learning (ML) tech to help better protect customers, and they have completely transformed the regtech space. These technologies can be used to analyse vast amounts of data and identify patterns that may indicate fraudulent activities. The algorithms can detect anomalies, flag suspicious transactions, and continuously learn from new data to improve fraud detection capabilities over time. That’s not to say that its completely fool proof. Continuous monitoring, regular updates, and staying abreast of emerging fraud trends will also be crucial.

At the same time, as the regulatory landscape becomes more complex and we see new rules develop over time, this tech will help fintechs mitigate risk management practices and maintain compliance in an efficient and cost-effective manner.

CBDCs and decentralized finance 

Central bank digital currencies (CBDC) have been a hot topic of conversation, with pilot initiatives underway globally. Most recently the European Central Bank is currently said to start with proposed legislation in the next several weeks and here in the UK the Bank of England is also blueprinting plans for the ‘Britcoin.’

Digital currency backed by a central bank has been heralded to be a safe and stable means of payment and less volatile than crypto. However, some are concerned over privacy and anonymity surrounding a state-owned currency.

Tom Mutton, who is leading the Britcoin charge, has stated that the BoE never sought to make the digital pound anonymous, and that privacy will be a top priority. Under the Bank’s proposals, consumers would engage with the digital pound through private sector providers. With the increasing integration of digital currencies into mainstream operations, in the UK and abroad, both the government and financial institutions are showing growing interest in making sure there is a stable foundation of regulation as it develops.

Following regulations can pave the way for digital currency companies to tap into traditional banking services, which is crucial for their growth and overall success. Banks tend to be cautious about partnering with digital currency companies due to perceived risks associated with the industry. However, when these companies demonstrate compliance with regulations, it helps alleviate those concerns and makes banks more willing to collaborate.

We are at the beginning of a new age in the fintech space, and it’s an exciting place to be. We, as financial intuitions, have an opportunity to help write the next chapter. It is a long road to map out ahead, but we need to look for sustainable, long-term practices because, ultimately, that equals sustainable long-term growth, and fundamentally means survival for the industry.