At a glance.
- Singapore advances plans to license penetration testers and managed security service providers.
- SEC disclosure rules may weigh heavily on small advisors.
Security service licensing in Singapore.
The Cyber Security Agency of Singapore this week released its framework for licensing cybersecurity providers:
"The intent of the framework is to better safeguard consumers’ interests and address the information asymmetry between consumers and cybersecurity service providers. At the same time, the regulatory regime is also envisaged to improve service providers’ standards and standing over time. For a start, CSA will license two types of cybersecurity service providers, namely those providing penetration testing and managed security operations centre monitoring services. These two services are prioritised because service providers performing such services can have significant access into their clients’ computer systems and sensitive information. In the event that the access is abused, the client’s operations could be disrupted. In addition, these services are already widely available and adopted in the market, and hence have the potential to cause significant impact on the overall cybersecurity landscape."
The Register explains it as an attempt to make "outfits that can rummage around inside customer systems...prove they're up to the job - and accountable."
SEC cyber reporting rules may be particularly onerous for smaller advisors.
A piece in Barron's looks at the US Securities and Exchange Commission rules on disclosure of cyber incidents, and it sees them as likely to be especially burdensome for smaller financial advisors. The Investment Adviser Association (IAA), while it broadly supports the intent of the disclosure rules, sees the possibility that they may have a disproportionate impact on some of its members. The group commented: “We believe that the commission severely underestimates the costs and burdens that would be imposed on investment advisors, particularly smaller firms, by certain elements of the proposal. Advisors will likely need to increase their budgets for cybersecurity support staff and vendors with technical expertise in response to any new rules, even if they have existing cybersecurity policies and procedures, because the commission’s proposed requirements are much more granular and prescriptive.” The forty-eight-hour deadline for reporting an incident is seen as particularly challenging.