Join now for FREE unlimited access to Reuters.com
Regulators in the United States have raised cybersecurity as a priority on the boardrooms of financial services firms since Russia invaded Ukraine, posing a challenge for corporate compliance teams to add the expertise needed in a highly competitive hiring industry. This problem is further compounded by the fact that two countries that produce a significant share of the world’s cyber talent – Russia and China – have fallen under Western sanctions or “self-sanctions”.
“It’s a hot market, and all the crazier given that Russia is waging a cyber war – but even before that the demand was there,” says Jack Kelly, CEO of The Compliance Search Group, a professional recruitment firm. conformity. “It’s a huge and important area and there’s a big gap [between] vacancies and people available.
A study by the World Economic Forum reported that before the invasion of Ukraine, there were more than 3 million vacancies worldwide for cybersecurity professionals – a number that is expected to increase in part due to the invasion of Ukraine. exodus of up to 70,000 technical workers now leaving Russia since the war. began, the Associated Press reported. Some of these professionals will eventually find success working in new locations, but given the screening and background check requirements of regulated financial firms, the shortage will continue and companies will likely pay more to attract talent.
High-level positions are even more difficult, Kelly said. Universities offer entry-level candidates to fill some positions, but “experience matters most” when it comes to cybersecurity, and in the relatively new field, it’s rare.
For years, financial firms have struggled to find cyber specialists to handle a boom in cyber attacks. More recently, companies have also encountered new challenges in meeting the cyber defense requirements of financial regulators. For example, the US Treasury Department tightened its breach reporting rules in November, although it adopted prescriptive language on cyber defense governance and management structure for banks, after companies opposites.
Meanwhile, the U.S. Securities and Exchange Commission has firmly stuck to a proposed rule change that was approved last month that requires investment firms to create designated cyber defense representatives and supervision written to manage the task. Indeed, the trend for all financial regulators has been to push companies to elevate their cyber defense programs to board level.
“We’re calling on CEOs to bring leadership teams together and make this a priority at the CEO level,” says Jamie Hoxie, assistant U.S. cybercrime attorney in New Jersey. According to recruitment experts, this means that companies must find high-level talent capable of operating at the highest levels of the company, either as a designated cyber executive or as an influential advisor. The additional level of surveillance will likely increase the demand for high profile cyber professionals.
Cyber defense is “a quirky area” that has historically been handled by IT executives with little involvement from compliance, said Kelly of the Compliance Search Group, adding that compliance teams are looking to add expertise as requirements grow. regulations increase.
Recent SEC cyber rules require regulated financial firms to promptly report breaches, create programs reasonably designed to protect businesses, and, for SEC registrants, have documentation of incidents and steps registrants have taken to protect data and systems when inspected by examiners. Financial firms have pushed back against the proposed rules as an unnecessary intrusion into an area that banks and brokers control.
The financial sector’s cyber defenses were effective in observing increased “Shields Up” protection alerts during the first months of the Russian invasion, according to a recent report by cybersecurity firm BlueVoyant. Across all industries, “cyberattacks to date are primarily contained within the geographic boundaries of the conflict zone ‘surrounding Ukraine and Russia,’ the report notes. The SEC has also issued a risk alert for teams have controls in place to prepare for potential market risk.
The financial industry is the “most prepared” after spending billions of dollars on cybersecurity and dedicating thousands of employees to protecting their networks, says Austin Berglass, global head of professional services at BlueVoyant. Nevertheless, the threat remains that of a cyber event that could cripple some businesses, he adds. “The sector experiences a constant barrage of attacks on a daily basis,” says Berglas, a former FBI cyber defense special agent. “Finance sees everything, and malicious actors are constantly looking for vulnerabilities.”
US officials are concerned that some of these attacks could compromise the security of an important business, particularly during the war in Ukraine, and have seen the need to regulate the cyber defense capabilities of the financial sector at a higher level and to push companies to hire high-level professionals who have influence within their companies.
Assistant U.S. Attorney Hoxie said the DOJ wants cybersecurity to be “a priority at the CEO level, both in the level of security of their network” and in “security in the way the technology is built – rather than today, when it often occurs by bolting”. or entrusting the user with the responsibility of configuring the technology. »
Thus, it remains likely that financial firms will struggle with scarce talent and the need for background checks that have become increasingly difficult in some countries, notably China, which produces nearly four times as many science graduates. information and computer science from its universities. compared to American institutions. With new regulations and persistent cyberattacks that overwhelm qualified applicants, the hiring gap continues to widen — and for smaller businesses, it may be more efficient to outsource work to companies like his, says Berglas.
“Compliance managers, especially in smaller companies, have a very narrow view of the world,” he adds. “It takes a lot of cyber professionals for businesses, and there just aren’t enough for everyone.”
The opinions expressed are those of the author. They do not reflect the views of Reuters News, which is committed to integrity, independence and freedom from bias by principles of trust. Thomson Reuters Institute is owned by Thomson Reuters and operates independently of Reuters News.