DORA And Its Alignment to SEC Cyber Changes In 2023
George Ralph CITP
Global Managing Director & CRO @RFA, Leader, Investor, Techie, Cyber Fanatic, Speaker - CITP / Cyber / GDPR
Regulators seem to be getting closer and closer in their alignment of regulations and guidance. I wanted to do a quick comparison of some of the key points to help my clients and followers, as per the blog below:
Regulators both in the US and EU are constantly updating and rolling out new regulations to ensure people in their respective regions are safe when using digital devices and platforms. One of the recent regulations is the EU’s Digital Operational Resilience Act (DORA), which will require financial organizations to meet new information and communications technology (ICT) and cyber risk resilience criteria.
The U.S. Securities and Exchange Commission (SEC) also passed new regulations related to how organizations should disclose cyber breaches when they happen. In today’s article, we will explore how the DORA regulation aligns with the new changes made by the SEC. But first, let’s discuss a few details about these regulations.
The DORA Regulation (Digital Operational Resilience Act)
The Digital Operational Resilience Act (DORA) is a regulation enacted in the European Union (EU). Its goal is to enhance the cybersecurity and operational resilience of financial organizations and the third-party entities they collaborate with. DORA places specific requirements on these organizations to establish robust ICT systems and cyber risk management practices so that their users and clients are safer.
Key details of the DORA regulation
· Commencement Date: The DORA regulation was passed in November 2022.
· Regulatory Standards: The European Supervisory Authorities (ESAs) are tasked with developing regulatory standards to define and enforce the requirements of DORA. These standards are expected to be completed and issued in 2024.
· Enforceability: The enforcement of DORA is due to commence on January 17, 2025. Financial organizations operating in the EU should strive to achieve compliance with the regulation by this date.
· Risk Management Requirements: DORA emphasizes the following key risk management requirements for organizations:
· Incident Reporting Actions: DORA also imposes specific requirements for incident reporting. These include the following:
The New Securities and Exchange Commission SEC Rules
The U.S. Securities and Exchange Commission (SEC) introduced new rules governing the reporting of cybersecurity incidents. These rules represent a significant shift in the requirements for disclosing cyber breaches, especially for public companies. The new guidance, known as the "2023 Guidance," is an evolution of the SEC's earlier 2018 Guidance. It introduces more stringent disclosure obligations related to cybersecurity incidents and risk management.
Key details in the new SEC rules
· Scope of Incident Disclosure: The new SEC rules narrow the scope of incident disclosure to focus on material cybersecurity incidents.
· Delayed Disclosure: A limited delay is allowed for disclosing incidents that pose a substantial risk to national security or public safety.
· Incident Reporting Format: Certain incident disclosures must be made on an amended Form 8-K/6-K rather than Form 10-Q/10-K/20-F.
· Aggregation of Incidents: The proposed requirement to aggregate immaterial incidents for materiality analysis was dropped.
· Streamlined Risk Management and Governance Disclosure: The rules simplify the disclosure requirements related to risk management, strategy, and governance.
· Board Cybersecurity Expertise: The proposed requirement to disclose board cybersecurity expertise was dropped.
· Risk Management and Strategy (Regulation S-K Item 106b): Organizations must describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. They must also explain how such risks may affect their business strategy, operations, or financial condition.
· Governance (Regulation S-K Item 106c): Organizations must describe the role of the Board of Directors in overseeing cybersecurity and management's role in assessing and managing material cybersecurity risks.
· Material Cybersecurity Incidents (Form 8-K Item 1.05): Organizations must disclose material cybersecurity incidents and provide details about their nature, scope, timing, and impact.
· Foreign Private Issuers (Form 6-K): Foreign private issuers (FPIs) must promptly disclose material cybersecurity incidents publicized in a foreign jurisdiction.
How DORA aligns with the new SEC changes
Focus on Cybersecurity Enhancement
Both DORA and the SEC Cyber Changes demonstrate the critical need for strengthening cybersecurity practices and resilience. They recognize that the evolving landscape of cyber threats demands proactive measures to safeguard sensitive data and maintain the trust of stakeholders.
Incident Reporting
Alignment in incident reporting is evident as both regulations prioritize transparency in the event of cybersecurity incidents. DORA mandates the need for organizations to detect and report ICT-related incidents. It also requires organizations to notify the clients who might be affected by any cyberattack. This aligns with the SEC's requirement for disclosing cybersecurity incidents. The new SEC rules require organizations to disclose material cybersecurity incidents within four business days. These new rules also require organizations to provide detailed information about the nature of incidents, their scope, timing, and material or likely material impact.
Risk Management
Both regulations stress the importance of robust risk management processes. They recognize that proactive risk assessment and mitigation are crucial to enhancing cybersecurity resilience. DORA requires organizations to identify ICT risks across their extended enterprise, emphasizing the need for ongoing risk assessment and management.
The new SEC rules require organizations to describe their processes for assessing and managing material risks from cybersecurity threats. This focus on risk management aligns with DORA's requirements for identifying and mitigating risks within ICT systems.
Transparency and Accountability
Both DORA and the SEC Cyber Changes promote a culture of transparency and accountability. They emphasize the disclosure of cybersecurity incidents and risk management strategies to regulatory authorities and relevant stakeholders. DORA emphasizes reporting incidents to regulatory authorities, and the SEC rules require organizations to report incidents to relevant bodies, customers, and regulatory authorities.
Differences between DORA and the SEC cyber changes
Despite the alignment between the two, there are some differences between these regulations that organizations need to be aware of. These include the following:
Jurisdiction and Applicability
DORA is specific to the European Union (EU) and primarily applies to financial organizations within the EU and their interactions with third parties. It is a regional regulation that targets a specific industry. The SEC Cyber Changes apply to publicly traded companies in the United States and span various industries, including finance, technology, healthcare, and more. The new SEC rules have a broader jurisdiction and apply to a wide range of organizations, not limited to the financial sector.
Disclosure Obligations
DORA places a strong emphasis on cyber risk resilience criteria and the establishment of resilient ICT systems. It mandates the development of processes for detecting risk events, business continuity policies, and adaptability in the face of ICT incidents. The SEC Cyber Changes introduce stricter disclosure obligations for material cybersecurity incidents. They narrow the scope of incident disclosure, allow for a limited delay in disclosures that pose substantial risks to national security or public safety, and streamline risk management and governance disclosure requirements.
Regulatory Authorities
DORA is enforced by the European Supervisory Authorities (ESAs) within the EU. These authorities are responsible for developing regulatory standards and providing guidance for organizations subject to DORA. The SEC rules are enforced by the U.S. Securities and Exchange Commission (SEC) in the United States. The SEC is responsible for overseeing and enforcing these rules for publicly traded companies in the U.S.
How to comply with the DORA and new SEC regulations
Depending on the region and industry of your company’s operations, here is what you need to do to comply with DORA and the new SEC regulations:
· Understand Regulatory Requirements: Begin by comprehensively understanding the specific requirements outlined in both DORA and the SEC regulations. These requirements encompass areas like incident reporting, risk management, and governance.
· Documentation and Policies: Develop and document robust cybersecurity policies, practices, and procedures that address the key components of both regulations. This includes risk assessments, incident response plans, and governance strategies.
· Stay Informed: Continuously monitor updates and guidance provided by the relevant regulatory authorities, such as the European Supervisory Authorities (ESAs) for DORA and the SEC for the SEC regulations. Regulatory standards may evolve, and it's essential to stay up to date.
· Invest in Cybersecurity Technology: Consider investing in cybersecurity tools and technologies that facilitate compliance with the requirements of both regulations. This may include risk monitoring, reporting, and governance solutions. Organizations should also invest heavily in cybersecurity expertise.
· Incident Response Plans: Develop or enhance your incident response plans to ensure timely and detailed reporting of material cybersecurity incidents. Adhere to the SEC's requirement to disclose such incidents within four business days.
· Board Oversight: Ensure that the Board of Directors plays a clear and active oversight role in your organization's cybersecurity practices, as mandated by the SEC rules.
· Risk Management: Implement and document processes for assessing, identifying, and managing material risks from cybersecurity threats. This may require engaging third-party experts for strategy development.
· Legal and Compliance Expertise: Engage legal and compliance experts who can provide guidance and ensure that your organization's practices align with both DORA and the SEC regulations.
· Regular Updates: Stay informed about developments and any adjustments to regulatory requirements. Cybersecurity regulations can evolve, and organizations must adapt to remain compliant.
Final thoughts
This article has covered all the essential details you need to know about the DORA and the new SEC regulations. DORA regulations introduce multiple compliance requirements for financial organizations operating in the EU. On the other hand, the new SEC laws apply to publicly traded companies in the United States and affect organizations in various industries, including finance, technology, healthcare, and more.
These two regulations share several similarities, particularly in the areas of incident reporting, risk management, transparency, and accountability. If your organization operates in the EU or the US, it is crucial to take note of these regulations in time to avoid the substantial consequences of non-compliance.
Please do get in touch if you want to discuss further.
1 year: This is a useful cross reference, thanks
1 year: Really helpful, George Ralph CITP
1 year: Good summary George!
Thanks for posting George Ralph CITP ~ fantastic analysis