Recent efforts by regulators to toughen cybersecurity demands on financial firms will strengthen industry resilience, says Moody’s Investors Service in a new report.
On Feb. 9, the U.S. Securities and Exchange Commission (SEC) proposed rules for the investment industry that would require registered investment advisers (RIAs) and funds to adopt cyber risk management programs, to provide disclosure to investors and to notify the SEC of cyber breaches in a timely way.
According to Moody’s, if the proposed new rules are adopted, they “would improve the cyber resilience of the wealth management and funds industries against cybersecurity threats and attacks.”
The rating agency said the proposed new rules address cybersecurity preparedness directly, whereas the existing rules use operational controls and risk-management requirements to set expectations.
“The proposed rules raise compliance standards by formalizing what large firms are already doing,” Moody’s said. “We believe the rules would be manageable for most companies from a cost and operational perspective.”
However, for smaller firms, the agency said the proposed rules could bite into their already shrinking profit margins, which is “one of the factors driving the increasing pace of consolidation within the wealth management sector.”
Additionally, Moody’s said the timely notification requirements will enable the SEC to identify and assess potential systemic risks to financial markets. (Last week, the Investment Industry Regulatory Organization of Canada also published new guidance on complying with its requirements for reporting cyber breaches.)
In a separate report, Moody’s noted that both U.S. and European regulators have warned financial firms of rising cyber risks, particularly as geopolitical tensions escalate over Ukraine.
“Rising cyber threats are credit negative for banks, which inherently face high cyber risk given their role in financial markets and as custodians of customers’ data and wealth. However, heightened regulatory focus on banks’ cyber resilience is positive and will facilitate enhanced coordination and preparedness,” the agency said.
Moody’s said the increased regulatory focus on cybersecurity is also in line with its view that governments and regulators are taking a greater role in confronting the threat: “Cyberattacks are no longer being viewed as just a business problem, but increasingly as a national security challenge.”