
Investment Firms Reportedly Overlooking AI as a Cybersecurity Risk


Nearly 4 in 10 compliance professionals from asset management, investment adviser, and private markets firms have yet to evaluate Artificial Intelligence (AI) as a cybersecurity risk, according to the findings of a new survey. What’s more, a similar share has concerns about how the Securities and Exchange Commission’s (SEC) new cybersecurity rules will be enforced.

These findings come from the 2024 Cybersecurity Benchmarking Survey, a joint project of the ACA Group, a governance, risk and compliance advisory firm serving financial services, and the National Society of Compliance Professionals (NSCP).

ACA Aponix, part of the ACA Group, and the NSCP conduct the survey bi-annually to help firms better manage increasing expectations and uncertainty around cybersecurity risk. The survey was fielded in January and February among global compliance professionals from 308 financial services firms.

Notable findings from the 2024 survey include the following.

Regulatory preparedness and concerns: 44% of respondents said they are uncertain about how the SEC will enforce the rules, while 36% of compliance professionals cited concerns about complying with cyber-incident reporting requirements and timeframes.

AI risk management: While 38% of respondents have yet to identify AI as a cybersecurity risk, and 27% do not consider AI relevant to cybersecurity, roughly half (49%) said they are in the early stages of exploring AI as a tool for cybersecurity risk management.

Cybersecurity threats: Respondents cited the following as the top three cyber threats they are most concerned about:

  • payment fraud/business email compromise (70%);
  • ransomware (67%); and
  • privacy threats and risk to personally identifiable information (52%).

Notably, respondents indicated that they were least concerned about deepfakes, with just 5% citing them as a concern.

Cybersecurity preparedness: Nearly 8 in 10 (79%) compliance professionals expressed confidence in their firm’s ability to respond to a cyber breach. Yet only 40% have conducted an external test of the firm’s response plan.

Cyber insurance: Approximately 83% are confident in their ability to respond to an unforeseen system outage. Most respondents (85%) who have cyber insurance view it as a key risk management tool.

Vendor cybersecurity: Finally, despite clear concerns over how vendor due diligence is performed, more than half (51%) of firms indicated that they have not renegotiated any vendor contracts with additional cybersecurity provisions in the last 24 months.

“Our survey findings underscore the critical importance of staying ahead of evolving cybersecurity threats,” observed Mike Pappacena, Partner at ACA Aponix. “As nearly half of the respondents express uncertainty about SEC enforcement, it's clear that regulatory compliance remains a top concern.”

SEC Rulemaking

To that end, a review of the SEC’s pending regulatory guidance projects shows that the Commission currently has at least three projects that would address cybersecurity and AI risks to the securities markets.

In July 2023, the Commission proposed new rules to address what it describes as risks to investors from conflicts of interest associated with the use of predictive data analytics by broker-dealers (BDs) and investment advisers (IAs). Under this proposal, BDs and IAs would be required to take certain steps to address potential conflicts associated with their use of predictive data analytics and similar technologies.

In April 2023, the Commission proposed new guidance requiring market entities, other than certain types of small broker-dealers, to implement policies and procedures to address their cybersecurity risks and, at least annually, to review and assess the design and effectiveness of those policies and procedures.

And in March 2022, the SEC proposed a new rule under the Advisers Act to require advisers to report to the Commission significant cybersecurity incidents affecting the adviser, or its fund or private fund clients. The SEC also warned late last year that its 2024 exam priorities will include the use of emerging financial technology, particularly among broker-dealers and advisers offering new products and services or employing new technological practices.

Each of these projects shows a target release date of April 2024.

About the Survey

The full cybersecurity benchmarking survey results will be released on April 25 during a webcast held by the organizations.

Among the 308 financial services firms that participated, all firm sizes were represented, with 23% of respondents managing between $2 billion and $10 billion in assets, 15% managing under $500 million, 14% managing between $1 billion and $2 billion, and 14% managing over $20 billion in assets.

In addition, responding firms belonged to varied business types, with most responses coming from asset managers/non-alternatives (42%), broker-dealers (32%), and alternative investment advisors (11%).
