Enhancing Incident Response: Key Tactics Amid SEC Changes

Jun 3, 2024

The following article was written by Christian Scott, Chief Operating Officer (COO), Gotham Security, an Abacus Group company.

Having a robust incident response strategy is a non-negotiable requirement for organizations in financial services today. In recent years, how incident response is handled has changed significantly due to a large shift to public cloud solutions as well as a change to a new hybrid work environment. Techniques, including third-party supply chain attacks, MFA bypass attacks, and generative AI impersonation attacks, have become increasingly sophisticated, making it more difficult for firms to defend themselves from malicious actors. These sophisticated attacks, paired with the aforementioned changes in workplace technologies, have highlighted the shortcomings of traditional security approaches that previously emphasized security at the network perimeter.

Security incidents are an ever-present risk in this increasingly complex technology environment and threat landscape. But when they do happen, firms must be prepared to swiftly identify, contain, and mitigate those security incidents.

This urgency is compounded by the evolving regulatory environment. The Securities and Exchange Commission’s (SEC) recent amendments to Regulation S-P, which governs the treatment of non-public personal information by certain financial institutions, highlight the necessity for comprehensive measures to protect customer information. These amendments have a number of requirements, including that financial institutions must notify affected individuals within 30 days if their sensitive information has been accessed or used without authorization. These amendments also require firms to develop and maintain written policies pertinent to an incident response program that detects, responds to, and recovers from unauthorized access to customer information.

Putting a Plan in Place

Given the heightened regulations, it is crucial that financial services companies, especially alternative investment firms, adopt an incident response strategy that goes beyond the basics, doesn’t assume the network perimeter is secure, and considers modern threats like business email compromise (BEC) attacks.

To address the SEC amendments and ensure they are well prepared for future regulatory change, firms should first develop a comprehensive incident response plan that meets the new requirements as well as those of other existing regulations. This plan should outline procedures for detecting, responding to, and recovering from security incidents, and include protocols for assessing and containing incidents, enforcing data retention policies, and proper oversight for service providers.

Clear documentation and communication of these procedures ensure all team members understand their roles and responsibilities during an incident, minimizing confusion and delays. Regular incident

Continuous threat detection and response across endpoints, cloud systems and traditional network infrastructure is essential for early identification, swift response, and containment of malicious actors attempting to gain a foothold in company systems.

Enhanced end-user security awareness, covering the latest malicious actor techniques like generative AI impersonation, and social engineering testing are important keystones to ensure your organization can respond to modern threats.

Organizations with limited budgets can leverage free resources provided by agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the Center for Internet Security (CIS) in the US, or the European Union Agency for Cybersecurity (ENISA) in the EU. These resources offer valuable materials for developing incident response plans and conducting security assessments. Additionally, collaborating with industry peers and participating in information-sharing initiatives can provide insights and best practices for enhancing incident response capabilities, and ensuring compliance with expanded safeguards and data retention requirements.

Staying informed on regulatory requirements is another critical practice. Financial institutions must keep abreast of regional and international regulations. For instance, the European Union has comprehensive incident response and breach notification requirements that will apply in 2025. The trend set by the SEC is likely to influence other regions, including the EU, to adopt similar regulations, making it imperative for firms to stay ahead of regulatory developments.

Continuous improvement is key to maintaining an effective incident response strategy; therefore, incident response plans should be routinely updated and tested with a cybersecurity partner, especially when important technology systems for the company change.

Adapting to New Threats

The SEC's amendments to Regulation S-P represent a significant step toward enhancing data security in the financial sector. By implementing best practices and staying informed on regulatory requirements, firms can effectively protect sensitive customer information and mitigate the impact of security incidents. The future of incident response lies in adaptability, continuous improvement, and constant vigilance, particularly as the actions of the SEC suggest a broader trend that other regions, including the EU, are likely to follow, emphasizing the global importance of a robust and consistent approach to ongoing and emerging threats.
