Lately, I’ve spent a decent amount of time with auditors. If you work in a regulated industry like finance, you know the drill: the endless reviews, the questions that make you question your own life choices, and the faint (or not-so-faint) undertone of suspicion.
Cyber risk is no longer something companies can ignore. In fact, it might be the biggest risk we face in the financial services industry. Regulators have caught up and are admittedly doing a surprisingly good job of asking good questions.
Modern cyber threats are relentless, sophisticated, and constantly evolving. Keeping up requires an insane level of expertise, infrastructure, and vigilance. Maintaining all of that in-house is no longer realistic for the vast majority of companies. The auditors know it, the boards know it, and (if they’re being honest) the regulators know it too.
So, what’s the solution? Outsourcing. Hand off your cybersecurity to specialized firms that live and breathe this stuff. They can invest in scalable solutions, hire experts who dream in code, and stay on top of the latest threats. It’s the only way for most companies to meet the regulators’ expectations.
But here’s where it gets weird. If you want to outsource a licensed process in banking—like payments or lending—you’re walking into a minefield of regulatory scrutiny. Selection criteria, contract obligations, monitoring—you name it. Yet when it comes to cybersecurity providers, the same scrutiny evaporates.
Think about it. These cybersecurity firms are the gatekeepers to our most sensitive assets. If they mess up, it’s not just an inconvenience; it’s potentially catastrophic. And yet, they’re sitting outside the regulatory spotlight. They’re allowed to operate in a space where the stakes are highest, with far less oversight than the rest of us face for far smaller risks.
Regulators are effectively nudging us toward these third-party solutions—they know we can’t do it alone—while giving those third parties a free pass. If the expectation is that most of the industry will rely on these external players, shouldn’t they be held to the same rigorous standards we are?
This isn’t to say cybersecurity firms are irresponsible. Most are brilliant at what they do. But as the industry’s reliance on them grows, so does the risk of a weak link in the chain. It’s time to ask some hard questions: Who’s auditing the auditors of our digital defenses? And why aren’t they in the same regulatory playbook as the rest of us?
I know that you cannot delegate responsibility in the regulators’ world view, but that is just writing on the wall because you cannot enforce it. Currently you have to hope that they are doing their job right - which is in their own interest - and otherwise you just have to take it on the chin.