Register now for FREE unlimited access to Reuters.com
Regulators in the United States have raised cybersecurity to a boardroom priority at financial services firms since Russia invaded Ukraine, posing a challenge for firms’ compliance teams to add the needed expertise in a highly competitive hiring sector. This problem is further intensified because two countries that produce a significant share of the global cyber-talent — Russia and China — have fallen under Western sanctions or “self-sanctions.”
“It’s a blazing hot market, and all the more insane with Russia waging cyber war — but even before that, the demand was there,” says Jack Kelly, CEO of The Compliance Search Group, a recruitment firm for compliance professionals. “It’s a huge, important area and there is a big gap [between] jobs that need to be filled and people available.”
A World Economic Forum study reported that prior to the Ukraine invasion there were more than 3 million unfilled positions globally for cybersecurity professionals — a number that is expected to grow in part due to the exodus of up to 70,000 technical workers now leaving Russia since the war began, the Associated Press has reported. Some of these professionals will eventually manage to work in new locations, but given screening and background check requirements for regulated finance firms, the shortage will continue and firms likely will be paying more to attract talent.
Register now for FREE unlimited access to Reuters.com
Top-level positions are even more of a challenge, said Kelly. Universities are turning out entry-level candidates to fill some positions but “experience counts most” in cybersecurity, and in the relatively new field it is in scarce supply.
Scrambling to stay ahead of the threat
For years, financial firms have been scrambling to find cyber-specialists to manage a boom in cyber-attacks. More recently, firms have also encountered new challenges to meet cyber-defense requirements of financial regulators. For example, the US Treasury Department tightened its rules on reporting breaches in November, though it struck prescriptive language on governance and cyber-defense management structure for banks, after firms objected.
On the other hand, the US Securities and Exchange Commission has held firm on a proposed rule change that was approved last month that requires investment firms to create designated cyber-defense representatives and written supervisory procedures for handling the task. Indeed, the trend for all financial regulators has been to nudge firms toward elevating their cyber-defense programs to a board-level concern.
“We’re calling on CEOs to bring together the leadership teams and make it a CEO-level priority,” says Jamie Hoxie, an assistant US attorney for cyber-crime in New Jersey. What this means, recruiting experts say, is that firms need to find top-level talent capable of operating at the highest levels of the firm, either as a designated staff cyber-executive or in a capacity as an advisor with clout. The additional layer of oversight will likely add to demand for top-tier cyber professionals.
Cyber-defense is “a quirky area”
Cyber-defense is “a quirky area” that has traditionally been managed by IT senior staff without much involvement by compliance, said Compliance Search Group’s Kelly, adding that compliance teams are looking to add expertise as regulatory requirements increase.
The SEC’s recent cyber-rules require regulated financial firms to report breaches quickly, create programs reasonably designed to protect firms, and, for SEC registrants, have documentation of incidents and the steps registrants have taken to shield data and systems when examiners inspect them. Finance firms have pushed back on the proposed rules as an unnecessary intrusion into an area that banks and brokers have under control.
The finance industry’s cyber-defenses have been effective in observing heightened “Shields Up” protection alerts in the first months of the Russian invasion, according to a recent report from cybersecurity firm BlueVoyant. Across all sectors “cyber-attacks to date are mostly contained within the geographical borders of the conflict area” surrounding Ukraine and Russia,” the report notes. The SEC also issued a risk alert for compliance teams to have controls in place to prepare for potential market risk.
The finance sector is the “most well prepared” after spending billions of dollars on cybersecurity and dedicating thousands of staffers to protect their networks, says Austin Berglass, BlueVoyant’s global head of professional services. Nevertheless, the threat remains that a cyber-event that could cripple some firms, he adds. “The sector is seeing a constant barrage of attacks on a daily basis,” explains Berglas, a former FBI special agent in cyber-defense. “Finance sees it all, and malicious actors are constantly scanning for vulnerabilities.”
US officials worry that some of those attacks could breach security at an important firm, especially during the Ukraine war, and have seen the need to regulate the finance industry’s cyber-defense capabilities to a higher standard and to push firms to hire top professionals who will have clout inside their firms.
Assistant US attorney Hoxie said the DOJ wants cybersecurity to be “a CEO-level priority both in the level of security on their network” and in “baking in security in the way tech is built — rather than today, when it often occurs by bolting it on or making it the responsibility of the user to configure technology.”
So, it remains likely that financial firms will struggle with scarce talent and the need for background checks that have become increasingly difficult in some countries, most notably China, which turns out nearly four times as many information- and computer-science graduates from its universities compared with US institutions. With new regulations and persistent cyber-attacks outpacing qualified candidates, the hiring gap continues to widen —and for small firms, it may be more efficient to outsource the job to companies like his, Berglas says.
“Compliance officers, especially at small firms, see only see a very narrow view of the world,” he adds. “That takes a lot of cyber professionals for firms, and there are just not enough of them to go around.”