Nearly four in ten compliance professionals working at asset management, investment advisory and private markets firms have yet to rate artificial intelligence (AI) as a cybersecurity risk, according to new survey results. Additionally, a similar share has concerns about how the Securities and Exchange Commission’s (SEC) new cybersecurity rules will be enforced.
These findings come from the 2024 Cybersecurity Benchmarking Survey, a joint project of the ACA Group, a financial services governance, risk and compliance consultancy, and the National Society of Compliance Professionals (NSCP).
ACA Aponix, part of the ACA Group, and the NSCP conduct this survey twice a year to help businesses better manage rising expectations and uncertainty around cybersecurity risks. The survey was conducted in January and February among global compliance professionals from 308 financial services companies.
Notable results from the 2024 survey include the following.
Regulatory Readiness and Concerns: 44% of respondents said they were unsure how the SEC would enforce the rules, while 36% of compliance professionals expressed concerns about meeting cyber incident reporting requirements and deadlines.
AI risk management: While 38% of respondents have not yet identified AI as a cybersecurity risk and 27% do not consider AI relevant to cybersecurity, about half (49%) said they are in the early stages of exploring AI as a cybersecurity risk management tool.
Cybersecurity threats: Respondents cited the following top three cyber threats that concern them the most:
- Payment fraud/business email compromise (70%);
- Ransomware (67%); and
- Privacy threats and risks to personally identifiable information (52%).
Notably, respondents indicated they were least concerned about deepfakes, with only 5% citing them as a cause for concern.
Cybersecurity preparation: Nearly 8 in 10 (79%) compliance professionals expressed confidence in their organization’s ability to respond to a cyberattack. However, only 40% of them have carried out an external test of their company’s response plan.
Cyber insurance: About 83% are confident in their ability to respond to an unexpected system outage. Most respondents (85%) who have cyber insurance say it is considered a key risk management tool.
Supplier Cybersecurity: Finally, despite clear concerns about how supplier due diligence is carried out, more than half (51%) of companies reported that they had not renegotiated any supplier contracts that included additional cybersecurity due diligence provisions in the last 24 months.
“Our survey results highlight the critical importance of staying ahead of evolving cybersecurity threats,” observed Mike Pappacena, partner at ACA Aponix. “While nearly half of respondents express uncertainty about SEC enforcement, it is clear that regulatory compliance remains a major concern.”
SEC rulemaking
To this end, the SEC’s current regulatory agenda shows that the Commission has at least three drafts that would address cybersecurity and AI risks to the securities markets.
In July 2023, the Commission proposed new rules to address what it describes as investor risks related to conflicts of interest associated with the use of predictive data analytics by broker-dealers (BDs) and investment advisors (IAs). Under this proposal, BDs and IAs would be required to take certain steps to resolve potential conflicts associated with their use of predictive data analytics and similar technologies.
In April 2023, the Commission proposed new rules requiring market entities – other than certain types of small broker-dealers – to implement policies and procedures to address their cybersecurity risks and, at least annually, to review and evaluate the design and effectiveness of their policies and procedures.
And in March 2022, the SEC proposed a new rule under the Advisers Act to require advisers to report to the Commission significant cybersecurity incidents affecting the adviser or its fund or private fund clients. The SEC also warned late last year that its 2024 examination priorities will include the use of emerging financial technologies, particularly among broker-dealers and advisors offering new products and services or employing new technology practices.
Each of these proposals has a target release date of April 2024.
About the survey
The full results of the cybersecurity benchmarking survey will be released on April 25 during a webcast hosted by the organizations.
Among the 308 financial services companies that participated, all company sizes were represented: 23% of respondents managed between $2 billion and $10 billion in assets, 15% managed less than $500 million, 14% managed between $1 billion and $2 billion and 14% managed over $20 billion in assets.
Additionally, the companies surveyed were of varying business types, with most responses coming from asset/non-alternative managers (42%), broker-dealers (32%), and alternative investment advisors (11%).