June 28, 2022

The Biggest Regulatory Factors Affecting Cybersecurity Budgets

by: Katie Macdonald

Cyberattacks continue to make headlines as vulnerabilities like Log4j abound. But what does a cyber breach actually cost an organization? According to Kaspersky, approximately $1.09M for an enterprise or $101K for SMBs as of 2020, compared to $1.41M and $108K respectively in 2019.

Both the magnitude and the substance of these potential liabilities are driving more and more investment advisers to take cybersecurity compliance seriously. However, because cybersecurity is a multi-factorial challenge involving technological, operational, governance, and compliance issues, it requires a multidisciplinary approach. Many emerging and mature managers lack the resources to fully meet these challenges and, as a result, fail to meet the prevailing requirements surrounding cybersecurity compliance.

All this raises a larger question: how does an investment management firm determine what a responsible spend is, and quantify a realistic budget, for creating, administering, and maturing a cybersecurity program that is appropriately scaled and designed to meet its unique cybersecurity risk profile?

Some recent trends are beginning to answer this question.  

Areas Impacting Cyber Budgets

Earlier this year, the Securities and Exchange Commission voted 3-1 to propose new cybersecurity compliance, reporting and disclosure rules for the investment management industry. As a result, the substance, complexity, frequency and sophistication of the deliverables required to demonstrate a model cybersecurity program have evolved, especially in the following areas:

  • Increasing regulatory pressures – Certain compliance regulations dictate security budget allocations, requiring CISOs to commit budget to cybersecurity tools and expertise.
  • Greater deliverables – This includes increased cybersecurity incident reporting, registrant policy reporting, reporting of past oversights, annual reporting, and certain proxy disclosures about an organization's cyber expertise, if any.
  • Operational due diligence – Institutional investors and allocators expect a clear demonstration of the policies, procedures, and controls that make up a firm's cybersecurity program.

In response to these changes, not to mention other factors like a broadening cyber threat landscape, a larger decentralized workforce and even geopolitical challenges, organizations are making big changes to their cyber budgets. According to a Kaspersky survey of 600 business IT staff:

  • 88% of respondents said their business intends to include cybersecurity protection and prevention in 2022 budgets
  • 85% are increasing cyber budgets by 50% in the next year
  • 28% of respondents said their company will continue their annual investment of $25–50K per year in cyber insurance

But what goes into creating a cyber budget? And how should enterprises prioritize it next to other needs?  

Cyber Budget Breakdown

From a Regulatory Standpoint

  • Underlying IT infrastructure 
    • The underlying IT infrastructure is the foundation of any cybersecurity program; the program is shaped and designed around that infrastructure and the firm's network. Public clouds (Microsoft, AWS, Google, etc.) are generally accepted as an ideal construct from which an investment adviser can design and create an optimal IT infrastructure. Because the major public cloud providers are constantly innovating and improving their offerings, the end user receives the benefits of this "passive innovation."
  • Governance structure
    • Each investment management firm is unique and therefore must determine what type of governance structure and/or controls are reasonable and achievable within its resources, staff, and operations. This could include: 
      • Appointing a cybersecurity manager or other individual who is empowered and accountable to oversee the various cybersecurity controls
      • Determining whether to outsource and/or co-source some or all of the cybersecurity services
      • Adopting a cybersecurity framework and creating appropriately scaled policies and procedures that are centralized in a cybersecurity program manual or policy/policies
  • Technological Controls 
    • Advanced Threat Protection solutions 
    • Managed Detection and Response (“MDR”) 
    • Continuous Vulnerability Scanning 
    • Digital forensics and incident response  
    • Penetration testing 
  • Operational and Non-Technological Controls 
    • Conduct periodic cybersecurity assessments 
    • Employee security awareness education and training 
    • Vendor management 
    • Incident response, business continuity, and disaster recovery 
    • Data classification methodology 
    • BYOD policies 
    • Acceptable Use Policies 

Like many organizations, investment advisers are working to identify, design and implement an appropriately scaled suite of cybersecurity services (i.e., a "Cybersecurity Program") that will meet both the current legal and regulatory compliance requirements and the standards set by the prevailing cybersecurity frameworks. Cybersecurity compliance remains nascent and fluid and will continue to evolve and mature. In the meantime, as investment advisers toe the line, the foregoing considerations on spending and designing a model cybersecurity compliance program should be part of their determinations.

To learn more about Align's Managed IT and Cyber services, visit here.  
