
The SEC's New Cyber and Emerging Technologies Unit: What Do Financial Services Firms Need to Know?

Mar 3, 2025

Written by Travis DeForge, Director of Offensive Cybersecurity at Abacus Group

The U.S. Securities and Exchange Commission (SEC) has significantly strengthened its approach to regulating the financial technology environment. With the announcement of the Cyber and Emerging Technologies Unit (CETU), replacing the former Crypto Assets and Cyber Unit, the agency has signaled a broadening of its existing focus beyond cryptocurrency, reflecting the growing impact of new and emerging threats in the financial services sector today. But what does it mean for firms?

Understanding CETU's Impact

The creation of the CETU is likely to have far-reaching implications for financial services firms. Its strong focus on AI and machine learning is particularly noteworthy, given that Signicat’s 2024 "Battle Against AI-Driven Identity Fraud" report found that AI-powered fraud constitutes 42.5% of all fraud attempts detected in the financial and payments sector. This should give financial services firms pause for thought. While AI offers tremendous potential for innovation and efficiency, it also presents new opportunities for bad actors intent on doing harm. Therefore, regulatory bodies such as the SEC will put precautionary measures in place.

The CETU's interest in social media and dark web monitoring also heralds a new frontier in regulatory oversight. Financial firms may need to invest in new tools and processes to identify their risk posture and to monitor and protect against fraudulent activities on these platforms. To ensure they are fully aligned, they should also consider partnering with expert vendors, for example to search for fake social media accounts or to issue takedown requests.

Additionally, the emphasis on preventing retail brokerage account takeovers indicates increased scrutiny of data security and access controls, areas that firms will need to prioritize in their cybersecurity strategies. Requirements to conduct penetration testing on associated web and mobile applications and underlying APIs may also intensify. Many firms are conducting such activities already, but we would expect the emphasis to change from an ‘annual need’ to a fiercer ‘every major release’ necessity.

Putting Proactive Strategies In Place 

Crucially, financial services firms will need to be proactive in their response to better understand areas where they may need to tighten their approach to cybersecurity and compliance. Conducting comprehensive risk assessments of current technology use, particularly AI and machine learning, must be a priority. This should be coupled with greater investment in robust cybersecurity infrastructure, with a focus on areas like data loss prevention and secure AI implementation.

Firms would also be well advised to engage an experienced red team or cybersecurity firm to conduct advanced social engineering tests. These could include sophisticated techniques like voice cloning, device code phishing and deepfakes to identify and address vulnerabilities that might not be apparent through more traditional testing methods.

Data governance practices will need to be reviewed and updated, ensuring proper classification and loss prevention measures have been implemented, especially when deploying AI systems. In light of the CETU's focus on retail brokerage account takeovers, strengthening the security of customer-facing applications and APIs should be a top priority.

Staying informed about upcoming rule changes and new SEC priorities will be equally vital for ensuring timely compliance. This may require dedicating resources to monitoring regulatory developments and quickly implementing necessary changes.

Developing robust incident response plans will be another critical step. Organizations need clear protocols for responding to and reporting potential security breaches or fraudulent activities. These plans should be regularly reviewed and updated to ensure new threats and regulatory requirements are efficiently addressed.

What's Next From the SEC?

The creation of the CETU reflects a wider trend in financial regulation towards more proactive and technology-focused oversight that will only continue to grow. Financial services firms should anticipate more prescriptive regulations in the future, with rules potentially becoming more specific and demanding in terms of cybersecurity and technology implementation requirements.

The formation of the CETU also demonstrates that the SEC is aiming to keep pace with rapid technological advancements. This is likely to lead to more frequent updates in regulatory expectations, requiring firms to be more agile in their compliance efforts. The SEC will be closely watching the approach and impact of other regulatory frameworks, such as the EU's Digital Operational Resilience Act (DORA), which already imposes a requirement for threat-led penetration testing on financial institutions.

With new technologies and threats emerging continuously, firms need to be prepared for regulations becoming ever more stringent, with a flexible and forward-thinking approach to compliance and risk management. Embracing technological innovation in fast-changing areas like AI while prioritizing security and compliance will be key to success in the post-CETU world. Firms that adapt quickly and effectively to the changes will be best positioned to thrive in the face of growing technological complexity and regulatory scrutiny. 

At Abacus Group we understand all this, and we have the capability and expertise to help you build a defense that adapts in line with ever-evolving regulation and threats. Contact us to get started.
