In March 2022, the Securities and Exchange Commission (SEC) outlined a new set of rules and amendments intended to strengthen the financial sector's security and its defenses against cyberattacks. The key aim of these proposals is to standardize the disclosure of cyberattack incidents, improving risk management and better informing investors across the whole sector.
Below is a closer look at the new guidelines, how they will affect the way you operate and your security obligations, and what you need to know to remain compliant with the SEC regulations.
The New SEC Guidelines
The new guidelines’ first element is all about cyberattack incident disclosure. It will require organizations to notify shareholders and the SEC in the event of a data breach or other unscheduled cyber event within four days of its occurrence. These new reporting guidelines will amend the existing Form 8-K. However, there is some confusion about what is and is not required to be disclosed.
A second proposal affects an organization’s requirements on Form 10-K, requiring them to include the responsibility for cybersecurity, as well as risk management and strategy, within the roles of the board of directors. Board members will also be required to disclose their cybersecurity experience, if applicable.
The first amendment around the disclosure of incidents has garnered the most attention, but the second could potentially have a more significant long-term impact. This places cybersecurity issues squarely at the board’s door, making it a vital part of any future business strategy. So, how do organizations go about complying with these new regulations?
What Organizations Need to Do
You need to have a cybersecurity incident response plan in place and make sure it is updated regularly. With just four business days to report any incident to the SEC, organizations need to be agile in their reporting, especially when most resources will be focused on minimizing the effects of the attack. It is a good idea to run practice exercises of the incident response plan to measure response times.
Organizations should also develop straightforward internal reporting methods, offering staff training and clear language around reporting criteria so that everyone is invested, not just the relevant security officers. This is especially important now that board members are also required to be cybersecurity literate.
Lastly, organizations need to ensure their security tools and applications, such as anti-malware software and encrypted email services, are up to date and effective. Don’t fall into the trap of assuming you are covered, even if you have invested in multiple controls. The only way to be sure your defenses are in place is to put them through rigorous and realistic testing. Unfortunately, many major security breaches happen in organizations where security tools are in place but fail to function as expected when required.
A Chance to Act
Rather than seeing these new guidelines as another burden or expense, view the new SEC proposals as an opportunity to further protect your business or organization. The threat of cyberattack is real and growing, and you must do everything you can to address it before the worst happens.