# Opener

What You Need to Know About the SEC’s Proposed Cybersecurity Regulations

Published by Axio

As an organization specializing in risk management, we’ve seen the devastating consequences of cyber-attacks. Readiness and the ability to minimize the consequences of the inevitable event are keys to survival. From day one, Axio’s vision was to solve cyber risk by ensuring that the impact of successful attacks would never end an organization’s existence, let alone impact it more substantially than any other known and managed risk.

Cyber risk understanding and spending on security controls increasingly go hand in hand now, yet the connection wasn’t always apparent before. Board and C-Level executives were typically left in the dark about the financial impact of potential cyber events, and cybersecurity was positioned as a technical problem for technical stakeholders.

Not anymore.

While we fully recognize that many folks shudder at the mention of increased regulation, we know first-hand from our collaboration with thousands of organizations over the past few years that the Securities and Exchange Commission’s proposed new cybersecurity regulations can significantly and positively impact publicly traded companies and organizations in the financial sector.

Now’s the time to understand the proposed regulations and take steps to ensure you are ready when compliance becomes necessary. Below we summarize what you need to know.

What are the proposed SEC cybersecurity regulations?

For publicly traded companies

  • The SEC’s proposed regulations would require publicly traded companies to:
  • Establish written cybersecurity policies and procedures.
  • Implement controls to prevent unauthorized access to systems and data.
  • Conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities.
  • Implement measures to detect, respond to, and recover from cyber incidents.
  • Disclose material cybersecurity risks and incidents in a timely manner.
  • Maintain records relating to cybersecurity policies and procedures.

For registered investment advisors

The SEC’s proposed regulations aim to enhance the cybersecurity practices of registered investment companies and business development companies. The proposed rules require these companies to establish written policies and procedures that address several key areas, including:

  • Annual Risk Assessment: Companies must conduct an annual assessment of their cybersecurity risk profile, including an evaluation of the potential impact of a cyber-attack on the company’s operations and clients.
  • Data Protection: Companies must establish procedures for protecting sensitive data, including customer data and intellectual property, and responding to data breaches.
  • Incident Response: Companies must establish a plan for responding to cyber incidents, including procedures for notifying clients and regulators.
  • Vendor Management: Companies must have policies and procedures for vetting and managing third-party vendors with access to sensitive information.
  • Training and Awareness: Companies must regularly train employees on cybersecurity risks and best practices.

Steps you can take to comply with the new rules

  1. Conduct a Risk Assessment: An annual assessment of your cybersecurity risk profile is the bare minimum, and having a risk management platform to enable a continuous process is optimal. This ultimately needs to include an evaluation of the potential impact of a cyber-attack on your operations and clients. An assessment should be thorough and should involve input from multiple stakeholders, including IT, legal, and compliance.
  2. Develop Written Policies and Procedures: You’ll need to establish written policies and procedures addressing the proposed regulations’ key areas. These policies and procedures should be tailored to your specific business and regularly reviewed and updated.
  3. Implement Data Protection Measures: You’ll need to establish procedures for protecting sensitive data, including customer data and intellectual property, and responding to data breaches. This may involve implementing encryption, access controls, and other security measures.
  4. Establish an Incident Response Plan: You’ll need to establish a plan for responding to cyber incidents, including procedures for notifying clients and regulators. This plan should be regularly tested and updated as needed.
  5. Manage Third-Party Vendors: You’ll need to have policies and procedures for vetting and managing third-party vendors with access to sensitive information. This may involve conducting due diligence on vendors, establishing contractual requirements, and monitoring vendor compliance.
  6. Provide Training and Awareness: You’ll need to train employees regularly on cybersecurity risks and best practices. This may include training on phishing scams, password security, and social engineering tactics.

Who is affected by the proposed SEC regulations?

The impact of these proposed regulations will be felt by multiple stakeholders. This isn’t just a cybersecurity issue that can be dealt with in a technical manner but a wide-reaching paradigm shift for the entire business community.

So, what will change?

  • Investors- will be able to make more prudent decisions on capital allocation during their due diligence process.
  • Boards of Directors- will demand easy-to-understand cybersecurity reporting.
  • C-level Executives- will treat cybersecurity as a business operational risk, giving the CISO not only a seat at the table but an opportunity to showcase how their decisions affect the entire enterprise.
  • Security teams- will be scrutinized closely and will have to strengthen their risk assessment and reporting of improvements.

What you can do now to prepare for SEC’s cybersecurity regulations

Invest in a risk management platform

Axio was formed on the basis that cybersecurity is a problem that should be understood and managed from both a business and financial standpoint. Companies can better protect themselves and their clients from cyber threats by taking proactive measures to comply with these regulations. . We strongly encourage all companies to take cybersecurity seriously and to invest in proactive risk management measures. Cyber threats will only become more sophisticated and more prevalent in the years to come, and companies that fail to take these threats seriously are putting their clients and their reputation at risk.

Include cyber risk quantification as part of your cybersecurity strategy

When new threats and vulnerabilities are made public, security leaders can use cyber risk quantification to model the potential impact (or lack thereof) within their organization and more effectively determine whether to take mitigating actions should. The notion of impact is what enables risk reduction. This new language of cybersecurity has already been praised by insurers who would ultimately like to ensure more sustainable and appropriate cyber insurance coverage.

Empower board members with cyber risk knowledge and reporting

Boards should be talking with management to ensure clarity on new reporting requirements for incidents and cyber risk mitigation governance. All directors should seek to understand and mitigate cyber risk by leveraging expert advice from experienced risk management professionals. External advisors can evaluate the board’s expertise and recommend additional training for the full board or designated cyber experts.

Work with a cyber resilience expert

If you are unsure about how to best protect your company’s data and systems, consider working with a trusted cybersecurity expert who can help you assess your risks and develop a comprehensive security plan.

Ultimately, cybersecurity is a team effort. It requires collaboration between IT, legal, compliance, and other stakeholders to develop a comprehensive security strategy that addresses your business’s unique risks and needs. By working together and staying vigilant, we can help protect you from the growing threat of cyber-attacks.

 

Related cybersecurity press releases from the SEC:

 

2023

2022

  • SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies
  • SEC Proposes Rules on Cybersecurity Risk Management and Amendments for Registered Investment Advisers and Funds