Wias Issa
April 26, 2022
Authentication Cryptography Data Security Encryption Privacy

SEC Proposes New Cybersecurity Rules and Incident Disclosure Requirements

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) published an update to its proposed cybersecurity rules for investment advisers, registered investment companies, and business development companies (funds), expanding key aspects of the requirements to all public companies. The proposal provides extensive explanations of the proposed new requirements, which consist largely of new procedural requirements and cybersecurity controls.

SEC Chair Gary Gensler commented that “the proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.” As proposed, the rules could be one of the most significant sets of cybersecurity requirements in the Commission’s history, and could drive awareness and maturity in a segment of the financial and capital markets that has been trailing behind larger financial institutions such as banks and insurance companies.

Core Requirements of the SEC Proposal

The SEC proposal includes multiple new requirements regarding management and disclosures of cybersecurity risk and incidents. The main proposed new requirements include:

  • Cybersecurity Policies and Procedures: The proposal requires that investment funds and advisers have written cybersecurity policies and procedures designed to reduce risk to investors and clients.
  • Annual Reviews: Organizations will be required to review these policies and procedures at least annually, testing their effectiveness and documenting the review process.
  • Fund Board Reviews: Fund boards will be required to approve cybersecurity policies and procedures and to review the reports generated as part of the annual review process.
  • Risk and Incident Disclosures: Organizations (including public companies) will be required to disclose cybersecurity risks to investors and clients and to report “significant” cybersecurity incidents to the SEC within 48 hours.
    • “Material cybersecurity incidents” on Form 8-K
    • Updates regarding previously reported cybersecurity incidents on Forms 10-K and 10-Q
  • Board Member Cybersecurity Expertise: Disclose whether any board member has cybersecurity expertise in proxy statements and annual reports.

Specific Cybersecurity Risk Management Requirements

The primary requirement in this proposal is that advisers and funds document their cybersecurity risk policies and procedures. The SEC proposal goes further by outlining the following areas that should be covered in these policies and procedures:

  • Risk Assessment: Funds and advisers will be required to identify and document potential cybersecurity risks to their systems and the potential impacts of a cybersecurity incident. This includes identifying supply-chain and third-party risks inherited from vendors and service providers with access to the fund’s or adviser’s systems.
  • User Security and Access: Access to sensitive data and systems should be managed in line with cybersecurity best practices. This includes the use of multi-factor authentication (MFA), password expiration, implementation of the principle of least privilege, and securing remote access to corporate systems.
  • Information Protection: Data should be classified and protected in accordance with its sensitivity. This includes protecting data at rest and in transit, implementing access controls and malware protection, and managing third-party risk to sensitive data.
  • Threat and Vulnerability Management: Ongoing monitoring to detect potential cyber threats and vulnerabilities that pose a risk to corporate systems and investors’ sensitive data. This includes tracking vulnerability feeds and implementing a strategy for rapid vulnerability remediation.
  • Cybersecurity Incident Response and Recovery: Incident response and recovery plans should include strategies to detect and remediate risks, maintain operations, protect sensitive data, collaborate with internal and external stakeholders, and report incidents to the Commission.

To prepare for the new regulation, organizations should:

  • Identify new core responsibilities (compliance management, documentation, etc.) and ensure management and board level awareness and reporting
  • Perform an inventory of their existing policies and procedures and compare them to the proposed requirements
  • Review existing contracts with service providers to ensure that they meet compliance requirements and supply chain risks are well understood and documented
  • Develop and test an incident response strategy, including simulations and/or tabletop exercises for all stakeholders (incident response team, executives, etc.)

Key Takeaways

Although the SEC has long required companies to disclose information about material cybersecurity incidents, the proposed rules require companies to maintain far more robust protocols and procedures and to adhere to the four-day reporting deadline. Given the lack of cybersecurity maturity, process, and resources outside of large industries and financial services companies, many may find it challenging to comply with the proposed rules.

Cybersecurity Awareness and Enablement. The proposed rules reemphasize past SEC guidance regarding the board’s involvement in understanding and overseeing cybersecurity risk and mitigation strategies and plans. Companies should routinely test their incident response plans and procedures with management and board members via tabletop exercises, so they better understand their roles and responsibilities before, during, and after an incident.

Establishing Cybersecurity Standards. Companies should consider performing a gap assessment of their cybersecurity programs against known industry standards in preparation for future incidents and disclosures.

Incident Response Planning and Procedures. As currently proposed, the four-day reporting clock starts from the time that materiality is determined and not the time the incident is identified. Companies should review their incident response plans to ensure they include escalation paths to the executive teams responsible for assessing materiality.

Incident Reporting Standards. While each incident is specific in nature, certain aspects of a disclosure are likely to be consistent from incident to incident. Companies should consider developing templates in advance to streamline internal and external communications.

Transparent Disclosures with Supporting Evidence. It is expected that the SEC will scrutinize cybersecurity disclosures and may bring enforcement actions concerning deficiencies. Companies should ensure that their disclosures are supported by evidence and documentation and, where possible, reviewed and/or prepared by an objective third-party firm that specializes in incident response.

Defining and Establishing Materiality Thresholds. Companies should engage in threat modeling exercises to evaluate the various cybersecurity risks they face and assess the operational, financial, and reputational impact of each type of incident. Understanding these factors prior to an incident can help companies pre-establish thresholds for materiality, allowing the organization to focus its resources on response and recovery in the event of an incident.

Next Steps for the SEC Proposal

The SEC is currently soliciting and collecting public feedback on the proposed requirements published in this rule. Once the feedback period has concluded, the Commission will analyze the responses and potentially incorporate them into the next draft of the rule. Like many in the cybersecurity community, we welcome these changes and believe they are necessary to help increase the maturity and overall security posture of a major segment of our economy, and ultimately national security.
