Selecting a technology partner with a profound understanding of cybersecurity and the threat landscape
Increased scrutiny of cybersecurity compliance
It’s been culminating for years, and with the latest release in June 2024 of the recent SEC Cybersecurity Compliance and Disclosure Interpretations (C&DIs), regulated entities should be in no doubt that the responsibility for cybersecurity lies firmly in the boardroom.
The SEC now requires market entities to implement policies and procedures reasonably designed to address cybersecurity risks and review and assess their design and effectiveness at least annually.
Regulation S-K Item 106 asks for a description of cybersecurity processes and how they have been integrated into the entity’s risk management system. Further, they must disclose the use of assessors, consultants, auditors, or other third parties in connection with cybersecurity processes. They must also clarify the processes in place to oversee and identify material risks from cybersecurity threats associated with the use of any third-party service provider.
Additionally, entities are required to clarify whether any risks from cybersecurity threats, including any derived from a previous cybersecurity incident, have materially affected or could reasonably materially affect the entity’s business operations, strategy, or finances and, if so, how.
“While cybersecurity best practices are continually evolving, third-party technology providers for the financial services sector must be ready to effectively adopt the latest industry standards to stay current and be able to provide meaningful responses to the customers’ due diligence requests for vendor risk management.” – Kevin Moshir, CellTrust Co-founder and COO
Increased attacks on third-party technology providers
In its September 2024 cybersecurity advisory on third-party provider risks, FINRA observed a significant increase in the number of cybersecurity incidents experienced by third-party providers used by FINRA member firms. On review, FINRA determined that attackers had targeted vulnerabilities in legitimate system management tools and technology products used by those third-party providers.
The 2024 threat landscape across third-party provider platforms included ransomware-driven data breaches that resulted in leaked customer data, and zero-day vulnerabilities that were exploited to gain access to company data before patches were available.
Several zero-day attacks escalated into full-blown extortion and ransom events, ultimately exposing firm and customer data and raising the threat of follow-on identity theft against individuals.
Further, weather-related outages were exploited through social engineering and third-party provider impersonation campaigns. Threat actors posing as a third-party provider claimed they would correct the outage with a fix, but instead loaded malware onto computers to steal credentials.
Cybersecurity due diligence and accountability
In the 2025 FINRA Annual Regulatory Oversight Report, FINRA restated the obligation enterprises have to establish and maintain a written supervisory system for any activities or functions third-party vendors perform. The supervisory system should be designed to achieve compliance with applicable securities laws and regulations. FINRA provided a helpful list of “effective practices” to use when conducting third-party technology partner due diligence and risk assessment.
Verifying the cybersecurity readiness of your third-party technology partner
As you begin conducting due diligence on any third-party technology partner, it is essential that their information security strategy, policies, and culture value confidentiality, integrity, and availability.
CellTrust stays up to date with multiple cybersecurity frameworks, including those from the National Institute of Standards and Technology (NIST) and in particular NIST SP 800-53, which inform our security posture and annual review:
- NIST SP 800-53 includes controls for the development of secure and resilient information systems, providing operational, technical, and management standards and guidelines that information systems should follow to maintain confidentiality, integrity, and availability
- The NIST standards and guidelines incorporate a multi-tiered approach to risk management through these controls
- The controls are grouped into three baselines according to system impact level: low, moderate, and high
Incident response and breach notification
As required by cybersecurity best practices and many international, federal, state, and local laws, should a breach occur, CellTrust immediately stands up a dedicated CellTrust Incident Response Team and notifies the customer. The CellTrust Incident Response Team will then support the customer and their stakeholders, including insurance agencies and the relevant international, federal, state, and local government agencies governing the specific breach.
Our next blog post: What should be in your Mobile Communications compliance cybersecurity checklist?
Spend 15 minutes with one of our solutions engineers to explore how the CellTrust SL2 mobile compliance capture solution can help your organization meet SEC, CFTC, FINRA, FCA, MiFID II, and other compliance requirements.
Helpful links:
https://www.sec.gov/newsroom/press-releases/2023-52
https://www.sec.gov/newsroom/press-releases/2023-139
https://www.finra.org/rules-guidance/guidance/cybersecurity-advisory-third-party-provider-risks
https://www.finra.org/rules-guidance/guidance/reports/2025-finra-annual-regulatory-oversight-report/third-party-risk
https://www.finra.org/rules-guidance/notices/21-29
https://www.finra.org/rules-guidance/notices/05-48