Update Aug 16, 2023: On July 26th, the SEC officially released newly adopted rules on disclosing any data breaches and cyber incidents for any company under SEC jurisdiction and regulation, including foreign private issuers. The rules require disclosure of any cyber incident four days after the registrant (the affected entity) finds the incident to be a material incident, meaning it can affect shareholders and investors. Registrants will also have to detail any processes that pertain to "assessing, identifying, and managing material risks from cybersecurity threats." This includes oversight from the board of directors as well as describing management role and expertise in assessing and managing cybersecurity risks. For more details, see the SEC's press release here.
As the U.S. Securities and Exchange Commission (SEC) continues to develop new regulations aimed at protecting consumers and investors, organizations of all sizes must prepare themselves for the evolving compliance landscape.
On March 15, 2022, the Cyber Incident Reporting for Critical Infrastructures Act of 2022 (CIRCIA) was signed into law. The bill says that public companies experiencing cyberattacks are required to report them. Moreover, they have also proposed various financial and tax incentives, so those companies maintain their cybersecurity posture.
Additional SEC proposals from February and March 2022 and 2023 expand on this, including requirements for public companies, market entities, and registered investment funds and advisers to disclose their cybersecurity measures and address their risks by improving transparency and strengthening their cybersecurity posture.
Traditionally, regulations of this kind are reserved for larger organizations, but the new proposals would apply to covered entities of all sizes. Before these regulations are put into place, companies should be prepared. Here’s what you need to know about the SEC proposals and what you can do to ready your organization for what’s coming.
These SEC proposals build on disclosure guidance from 2011 and 2018, as well as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and include more descriptive language for covered entities to follow.
In February and March 2022, the SEC published proposed amendments to previous guidelines, requiring registered investment advisers and funds, as well as public companies, to report on significant cybersecurity incidents, as well as to retroactively disclose both reported and unreported incidents.
The proposals also included requirements on cybersecurity measures and risk assessment. Covered entities should be able to describe what they do to identify and manage cybersecurity risks. Plus, their policies and procedures should be able to explain how cybersecurity measures are tied to key parts of their business strategy and financial operations.
In March 2023, the SEC proposed new requirements for market entities as well. With the exception of small broker-dealers, market entities covered by the proposal include companies and other types of organizations that participate in the market.
Proposed requirements include implementing procedures and policies to address cybersecurity risks that market entities might face, as well as conducting an annual review and assessment of how effective their measures have been. The periodic assessment should include:
- The level of sensitivity and importance of information used in business operations.
- The amount of personal information included.
- How the information is accessed, stored, transferred, and monitored.
- Access controls and malware protection being used.
- What effect a cybersecurity incident could potentially have on an organization and other relevant affected parties.
Reports should also take into account any changes in the cybersecurity landscape during the time that is being reviewed and address how these changes have been considered in the evaluation.
Entities would also have to add measures designed to identify, respond, mitigate, and recover from vulnerabilities and threats, including monitoring their information systems and the service providers who work with these systems.
As the SEC states in its latest proposal, organizations that rely on information systems to conduct business open themselves to cybersecurity risks. This isn’t isolated to the business itself but also extends from vulnerabilities created by service providers, business partners, and employee error. Information systems connect organizations, meaning the fall of one can lead to issues in many others. The financial industry is being attacked and compromised at greater rates, and the fallout is costly. According to IBM’s 2022 Cost of a Data Breach report, the average cost of a breach in the financial industry was $5.97 million.
Prevention isn't enough anymore. The SEC is placing a big focus on recovery, remediation, detection, and governance. Incident response is becoming more important, and more time-sensitive requirements are being proposed for response and disclosures. The reality is, the faster an organization can respond, the lower the impact.
Recommendations from the SEC should be loud and clear by now: Disclosing incidents, mitigating risk, and acting quickly are important for any organization. While the proposed requirements have focused mostly on public companies and market entities, it stands to reason that this will continue to grow and change as the regulatory landscape takes shape. FINRA has already released guidelines for small firms.
First, having detection and response in place is a must. Mandatory disclosure means you need to be able to detect and respond to threats quickly. Failure to do so won’t only put your organization and users at risk, it may also result in fines and penalties in the future.
Then, to allow for quick response and recovery, you need to have the organizational infrastructure to pull it off. In other words, there needs to be a cybersecurity framework in place, accountability, and a standard order of operations. Not only do you need cybersecurity experts, you also need leadership on board and the right communications plan in place. This aligns with the proposed new requirements for proper governance.
What does this mean for smaller organizations that may not have the necessary internal expertise and resources to implement all the new requirements? They need to partner up – for two reasons – 1] it’s virtually impossible to tackle such a complex task alone 2] it’s just too expensive. Outsource where you can with cybersecurity tasks and responsibilities, especially if you’re a company that has little cybersecurity in place.
As SEC chair Gary Gensler puts it, entities need to have “protections fit for a digital age.” Today, that looks like comprehensive cyber resiliency, including detection, response, and remediation measures.
SolCyber can serve as your partner in creating a fully managed security program. The burden shouldn’t be on your IT department to figure everything out. We addressed several proposals in this article alone, but that’s just scratching the surface! Our Foundational Coverage helps you achieve cyber resiliency through ransomware assessment and training, practical vulnerability management, endpoint detection and response, advanced email protection, and more.
We also provide key partnerships with Converge and Surefire to offer cyber insurance and incident response (IR). Our Foundational Coverage gives you the cyber resiliency necessary to be compliant, and cyber insurance can help you achieve smarter risk management. Our work with Surefire means we can prepare an IR plan that fits your security posture.
Be prepared for regulatory changes instead of being caught off-guard. to learn more about how SolCyber can help you achieve cyber resilience.
Follow us on the following social platforms!