The SEC has issued a number of actions for cybersecurity policy failures

September 8, 2021 | Ali Abbas

Estimated reading time: 4 minutes

SEC issues actions for deficient cybersecurity procedures

Here’s how CUBE would have done it differently.


Earlier this month, the US Securities and Exchange Commission (SEC) took punitive action against eight firms, issuing three actions across the organisations that had failed to properly implement their cybersecurity policies and procedures. The eight firms, all of which were broker dealers or investment advisory firms, had failed to adequately manage their policies. So, while policies were in existence, they had not been properly actioned.

These implementation failures led to a number of cybersecurity breaches, including the takeover of several email accounts, which in turn exposed the personal data of thousands of customers at each firm. In one instance, these failings continued over a time span of almost three years, during which time the personal identifying information (PII) of over 4,000 customers was exposed.

In another example, a firm discovered that email accounts had been taken over in January 2018 but failed to bolster its firm-wide security for cloud-based email until 2021. This meant that additional customer and client data was exposed in this latent three-year period.

The SEC also sanctioned a firm that waited two years after a cybersecurity breach had occurred to adopt written policies and procedures. And, once those policies and procedures were adopted, they were not fully implemented for a further three months.

Failure to act

These actions have a number of things in common, but at the heart of all three lies a failure of these financial institutions to act. As Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, commented:

“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

The theme of action (or inaction, as the case may be) is one that I see burdening financial institutions on a daily basis. Regulatory compliance relies on action being taken; new regulations are enacted, new risks emerge, old technology becomes outdated, historical policies and procedures are no longer effective – all of these are events that should (in fact, must) trigger action.

Given the necessity for action, it is always interesting to see when financial institutions operate on the basis of inaction. When, in 2018, these companies realised that they had gaps in their policies and controls that were leaving them exposed to external risks, they failed to act. This failure in turn led to even more damage.

It does not seem uncommon, in fact, for some financial institutions to manage compliance – especially regulatory change – on a “heads buried in the sand” model. This is especially true when things get tough; gaps emerge, and cracks start to show, but some teams (as the SEC’s action clearly shows) are just hoping the problem will go away.

It has always puzzled me why these firms don’t work proactively to resolve their compliance problems – especially given that financial regulators almost always spot compliance-related deficiencies. Surely, if such firms chose action rather than inaction, they would have avoided regulatory fines. And, more than that, they would have avoided the reputational damage that comes with exposing customers’ PII to external sources.

How CUBE could have told a different story

When I see cases such as this, my immediate reaction is that if these firms had CUBE they wouldn’t now be contending with regulatory and reputational costs. In fact, if they had CUBE the gaps in their policies and controls would likely never have occurred. Here’s why:

CUBE automates much of the initial impact assessment when a regulatory change occurs. So, when a regulatory change is published, our customers are presented with a data set that enhances their understanding of the change. This means that implementing that change is then faster and more robust.

If we break this down, this means that if the recently fined companies had CUBE, they would have been:

  • Alerted to any relevant regulatory change as soon as it happened.
  • Directed to the exact, updated section of the publication, with changes highlighted through red-lining comparison.
  • Presented with a conceptual classification of the regulatory update, through our Ontology.
  • Given an immediate understanding of the impact of the change on their business via automated mapping to their policies, controls, processes, business lines etc.
  • Shown where other items of regulatory content existed, that related to the change.

In essence, if the above companies had CUBE, the process would have been automated and cracks would never have started to show – let alone be picked up by the SEC. More than this, the compliance teams working within the companies would have had more time to focus on managing and implementing their regulatory obligations.

Regulatory fines are detrimental and sometimes crippling for firms. Loss of reputation can be debilitating. Neither cost is quick to recoup, especially with regard to reputation. What is far quicker is employing a purpose-built SaaS product that prevents the causes of such loss from ever occurring. It just makes sense.
