At a glance.
- US SEC cybersecurity rules may challenge investment sector.
- Major powers' offensive cyber capabilities compared.
SEC’s new cybersecurity rules could pose challenges for investment sector.
As we saw last week, on February 9th the US Securities and Exchange Commission (SEC) voted to propose a new batch of cybersecurity provisions for registered investment and business development firms and advisers. "Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets," SEC Chair Gary Gensler stated in a news release. The new rules require these firms to implement written cybersecurity procedures for addressing risks and incidents, disclose in marketing materials and regulatory filings any incidents from the past two fiscal years, and report any new incidents to the SEC within forty-eight hours. Many experts agree the rules should be a welcome change and are likely already being followed by many firms.
Padraic O’Reilly, co-founder and chief product officer for risk management and compliance firm CyberSaint Security, told SC Magazine, “This is a very reasonable announcement with respect to cyber hygiene in the PE [private equity] space. Generally, PE and investment firms are already bought in on cyber.” However, some insiders say the regulations could pose a challenge for firms accustomed to operating on a cybersecurity honors system. Terry Mason, director at consultancy firm HKA, explains, “The alternative investment world has not operated under [cybersecurity] rules so much as guidance.” For many firms, the forty-eight-hour reporting requirement could be the most challenging change. Ken Joseph, a managing director at consulting firm Kroll Holdings Inc, told the Wall Street Journal, “If the rule is adopted as written, they will also have to disclose that risk publicly to actual and potential clients.”
Report says Russian and Chinese military outpacing US in offensive cyber focus.
New data from London think tank the International Institute for Strategic Studies show that Russia and China have each dedicated more military forces to cyber effects than the United States. As C4ISRNet explains, “effects” are defined here as “actions to deny, degrade, disrupt or destroy as well as those conducted by proxies in conjunction with a government actor.” The institute’s Military Balance+ database is designed to assess international military trends, and the recent report shows that 33% of Russia’s military forces and 18.2% of China’s military forces are focused on cyber effects, compared to just 2.8% in the US. Russia has also dedicated a whopping 80% of its military personnel to cyberincident response, compared to just 29% in the US and 9.1% in China. “Russia is a highly capable cyber power. Cyber capabilities are part of a broader framework of information operations, and strategic documents generally refer to cyber security under the rubric of ‘information security,’” the report reads.