SEC Proposed Rules for Cybersecurity Incidents
SBase Technologies, Inc.
Do organizations need to rethink their cybersecurity strategy against the backdrop of the SEC rules? This article walks through the implications of the rules so that public companies can act on them.
Cybersecurity incidents, ransomware attacks, rising upfront costs, reputational damage: the risks go on. Against this backdrop of rising cybersecurity risks and incidents, the SEC wanted to improve the compliance and integrity of IT systems. On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed rules on cybersecurity risk management, strategy, governance, and incident disclosure[i].
SEC Chair Gary Gensler believes the new rules will strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting. Investors wanted to know how issuers are managing rising cybersecurity risks. The proposed rules should result in greater transparency and increased competition in the public funding industry.
Investors may ask what is new in the proposed rules, since many SEC-registered companies have already adopted and implemented cybersecurity policies and procedures. The answer is the additional prescriptive requirements, compared with existing SEC cybersecurity guidance and rules on safeguarding information such as Regulation S-P.
Why this law?
Cybersecurity incidents can cause operational disruptions. They can prevent public companies from executing their investment strategy, and they can stop investors from accessing an account. In both cases, the company stands to lose public confidence. Theft of intellectual property, confidential or proprietary information, or client assets are further losses. Hence these new rules.
What are the new rules?
The new rules require organizations listed on US stock exchanges to enhance their cybersecurity programs to support the following:
· Reporting and disclosure obligations relating to cybersecurity incidents. Public firms should be prepared for greater scrutiny of enterprise cybersecurity practices by the SEC and investors.
· Periodic risk assessments, including the identification of risks related to service providers that receive adviser information or access adviser information systems.
· Measures to detect, mitigate, and remediate cybersecurity threats (e.g., vulnerability assessments, scans, and training).
· Measures to detect, respond to, recover from, and report cybersecurity incidents to the SEC.
In all, the proposed rules expect advisers and funds to review and evaluate the design and effectiveness of their cybersecurity policies and procedures against increasing threats.
How do new rules impact IT systems?
The proposed rules give the company flexibility to determine the person or group of people who implement and oversee the effectiveness of its cybersecurity.
Firms should provide security education, training, and awareness programs on an ongoing basis.
IT firms need specialized skills in technology, risk, compliance, and legal matters to implement a cybersecurity program.
The rules will require filing a Form 8-K within 48 hours of determining the materiality of a cybersecurity incident, including:
· A brief description of the nature of the incident.
· Time of discovery.
· Impact of the incident on the registrant's operations.
· Information on incident remediation.
· Information on data stolen, altered, accessed, or used for various purposes.
The way ahead for enterprises
Juniper Research finds that the U.S. will become the target of more than 50% of worldwide cybercrime in the next five years. As many mid-sized firms rely on cyber insurance to cover ransom costs, cyber insurers are raising premiums and insisting on robust cybersecurity and compliance. Enterprises that put strong cybersecurity policies and action plans in place can therefore avoid costly cyber-insurance premiums.
A few cybersecurity practices that can help align an enterprise with the new SEC guidelines:
Edge security: Edge computing has the potential to increase threats. Firms should adopt anti-malware, web filtering, next-generation firewalls, and intrusion prevention systems (IPS) that allow or refuse traffic based on IP addresses, functionality that is built into SD-WAN.
Cybersecurity mesh: According to Gartner, organizations adopting a cybersecurity mesh architecture could reduce the financial impact of security incidents by 90%[ii]. A cybersecurity mesh is also highly recommended as a precaution against ransomware.
RPA: By managing security checks through segregated access, activity monitoring, data encryption, a zero-contact environment, and the elimination of human access to information, firms can reduce malicious requests and remain secure.
Blockchain: Blockchain solutions ensure there is no single copy of data to hold for ransom. Because data written to a blockchain cannot be changed by anyone, firms get the right protection.
By SBase Research Team
About SBase Technologies Inc.
SBase Technologies is a leading business transformation consultant offering tailored and personalized solutions to small and large enterprises to excel, innovate, and realize their ROI. Our niche capabilities revolve around three broad areas comprising Cloud Advisory, Engineering Transformation and Post Transformation innovation across cybersecurity, data, and application modernization.
References
[i] SEC, 2022. SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. https://www.sec.gov/news/press-release/2022-39?msclkid=49652fcfb5c211ec88aa3b8aea922daa
[ii] Gartner, 2021. The Top 8 Cybersecurity Predictions for 2021-2022. https://www.gartner.com/en/articles/the-top-8-cybersecurity-predictions-for-2021-2022
Senior Consultant - IT (2 years ago)
Clear viewpoints are expressed here. Thanks for the information provided here; I've learned about the new SEC-specified cybersecurity rules.