Rules Navigator

NSCP 2024: Panel discusses data security strategies and Reg S-P changes

Young businesswoman working on desk, logging in to her laptop and holding smartphone on hand with a security key lock icon on the screen.
Photo: Getty Images/ d3sign

Alexander Barzacanos

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Panelists at the annual gathering made key recommendations as firms prepare to comply with amendments to Regulation S-P.

AI and other sophisticated technologies have dramatically heightened the risk of catastrophic data breaches, both through inadvertent leaks and increasingly-sophisticated hacking strategies. Regulatory agencies have been going after firms and technology officers for being the victims of cyberattacks, and for failing to implement proper policies to prevent or detect them.

How compliance specialists best navigate an environment where these breaches seem like inevitabilities was the subject of a recent panel at the 2024 National Society of Compliance Professionals’ (NSCP) National Conference. Experts in the cybersecurity field shared their insights and recommendations with a room packed with compliance specialists and representatives from highly regulated industries.

The panelists enumerated best practices for handling data breaches, while conference participants were surveyed about their general experience with AI integration. The recent amendments to Regulation S-P were also discussed, and the challenges industry participants might face in maintaining compliance with its requirements.

Regulation S-P and the future of data privacy

As technological developments have increased threats to data security, regulators across the world have been playing catch-up to ensure user privacy. In the US, this has meant looming amendments to Regulation S-P, the SEC’s landmark data privacy rule first promulgated in 2000.

The update includes several new data protection requirements such as implementing incident response programs, notifying customers within 30 days of a data breach, and conducting oversight of vendor data use and security. The updates also add a host of additional data protection categories, such as biometric data.  

The updates to Reg S-P are planned to go into effect for large firms at the end of 2025, and in mid-2026 for smaller firms.

AI integration trends and risk management

During the panel, industry participants shared some intriguing self-reported statistics about how their companies were integrating AI into their business practices, and struggles they were facing.  

However, it was clear from poll results that companies are still cautious about rolling out AI functionality in general, and have yet to see dramatic improvements from the software they have been using.  

A majority (68%) of polled attendees said AI integration has not yet led to an efficiency boost, and most (86%) said their companies are not marketing their AI-capable technologies, a trend that might be influenced in part by the SEC’s strong stance against “AI-washing.”  

A minority (32%) reported the introduction of AI governance committees. The same goes for risk mitigation – only a small minority of attendees (12%) reported that their companies have adopted AI-related risk management policies and procedures.

An even smaller minority (8%) had policies and procedures in place to tackle failures in third party AI programs, which was considered a key area for improvement. This is increasingly exigent as RegTech companies, as well as other vendors, focus on implementing AI solutions.

With that data in mind, it seems like firms have a long way to go before the amendments to Reg S-P come into effect.

Risk mitigation and threat response

Panelists discussed the inevitability of a firm experiencing a cyberattack, quoting former Cisco CEO John Chambers: “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”

To this extent, the mantra of the day was “detect, respond, and recover.” The current focus on cybersecurity operations has moved away from absolute prevention, and towards risk mitigation, planning, and comprehensive threat response.  

This emphasis included putting in place a plan for reporting and recovery, which is highly time-critical. There could only be 24 hours to effectively respond to a breach­, and an attack could happen at 9pm on a Saturday.

The panelists similarly stressed having a good relationship with one’s local FBI office. The panelists noted that the FBI has the capacity to recover lost data under certain circumstances, but being able to escalate the issue it a timely fashion can require speaking to the right people at the right time.

Role of employees

Emphasis was also placed on educating clients and staff alike about cyber risks, with panelists noting that the weakest link in any cybersecurity line of defense is employees themselves.

Education, both internal and external, was highlighted as a necessary investment for all firms, especially during onboarding. And that goes for compliance officers too: a panelist noted how critical it was to do one’s own research, stay abreast of data protection trends, and not take security for granted.

Panelists also recommended that compliance officers maintain close relationships with IT staff. They stressed data breaches can be detected in good time, but there could be issues with how the situation is escalated through the corporate chain of command. This failure could lead to delays in reporting, and avoidable fines.

In general, knowing what data you have and why was another key exhortation to compliance officers. Central to that recommendation was not holding on to data for longer than it is useful, as this could create unnecessary risks.

And finally: “Advocate for data protection [at your company] … data is an asset,” a panelist said, noting that the most effective solutions are not always the cheapest.

“And don’t store your passwords in Microsoft Word,” he stressed.  

, , , , ,

You may also like