Industry leaders say proposed rules from the U.S. Securities and Exchange Commission would set new cybersecurity requirements
The report highlights the SEC’s increased commitment to cybersecurity, holding more companies accountable not only for egregious cybersecurity-related breaches but also for misleading public statements about related risks and events. The report cites several recent cases in which the SEC took action because organizations failed to file suspicious activity reports (SARs) and disclosures, or provided misleading statements related to a cyberattack. These cases underscore the importance of classifying, escalating, and reporting actual or suspected incidents to the senior company executives who are responsible for public reporting and regulatory reporting obligations.
On February 9, the SEC proposed new reporting and record-keeping requirements for advisers and funds. The proposed rules include reporting significant cybersecurity incidents to the SEC within 48 hours, implementing written cybersecurity policies and procedures to minimize operational risk, and maintaining records, including copies of annual reviews and the documented cybersecurity policies and procedures in effect within the previous five years. Companies would also need board approval of their cybersecurity policies and procedures.
Market makers and brokers are excluded from these proposed rules, but the SEC is considering expanding reporting requirements in the near future.
On March 9, the SEC released its proposed rules for public companies, which include disclosure of any material cybersecurity incident within four business days of the company determining that the incident is material, reporting of prior individually immaterial cybersecurity incidents that become material in the aggregate, and disclosure of the policies and procedures used to identify and manage cybersecurity risks. The proposed rules would also require the board to oversee the company’s cybersecurity risk and the implementation of related policies.
Although neither set of proposed rules mandates the deployment of continuous monitoring solutions, the SEC’s discussion of the required elements of both favors them: meeting a 48-hour or four-business-day clock presupposes that an organization can detect, classify, and escalate an incident promptly.
“Currently, most organizations lack continuous visibility into vulnerabilities in their vendor ecosystem,” said Sachin Bansal, commercial and legal director at SecurityScorecard. “Organizations need an automated, integrated, and collaborative approach to gaining this visibility — it’s crucial for business continuity and for adhering to new policies and procedures established by the SEC.”
In addition, third-party risk remains a key area of focus for the SEC, particularly for third parties that have access to confidential information or are essential to operations. The SEC is considering new measures that would require companies to identify service providers that may pose cybersecurity risks and would hold organizations accountable for a service provider’s lack of cybersecurity measures. Companies may therefore be held liable for data security incidents involving vendors and other third parties, which in turn may trigger disclosure obligations.
As the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity demonstrates, these issues are a federal priority. The SEC’s growing cybersecurity oversight is also supported by other federal interagency efforts involving the Cybersecurity and Infrastructure Security Agency (CISA), the Financial Stability Oversight Council (FSOC), and public-private partnerships.
“Every organization faces cybersecurity risks,” said Michael Daniel, President and CEO, Cyber Threat Alliance. “It is important that publicly traded companies appropriately disclose this risk so that investors can make informed decisions; in turn, better informed decisions create the market incentive for greater security across the broader ecosystem. The Securities and Exchange Commission has clearly prioritized increasing the accuracy and volume of disclosures, and public companies (and those seeking to go public) should pay attention. the SEC over the past year, identifying major changes and updates. If you want the summary version, this document provides it.”
To access the full report, visit securityscorecard.com/sec-cyber-risk-update. This report follows the March 2021 “Status of Public Company Cyber Risk Disclosures.”
About the Cyber Threat Alliance
The Cyber Threat Alliance (CTA) is a 501(c)(6) nonprofit organization working to improve the cybersecurity of our global digital ecosystem. The CTA is the industry’s first formally organized group of cybersecurity practitioners who work together in good faith to share threat information and improve global defenses against advanced cyber adversaries. CTA’s mission is to facilitate the sharing of actionable intelligence and situational awareness on sophisticated cyber threats in order to improve the cyber defenses of its members, more effectively disrupt malicious cyber actors worldwide, and elevate the level of cybersecurity on the Internet and cyberspace. The alliance continues to grow globally, enriching both the quantity and quality of information shared on the platform. CTA is actively recruiting additional regional actors to improve information sharing to enable a safer future for all. For more information on CTA, please visit: https://www.cyberthreatalliance.org.
About the National Association of Corporate Directors
The National Association of Corporate Directors (NACD) empowers more than 23,000 directors to lead with confidence in the boardroom. As the recognized authority on boardroom best practices, NACD helps boards build investor and public confidence by ensuring today’s directors are well prepared for the challenges of tomorrow. World-class boards join NACD to improve performance, gain foresight and inspire confidence. Fostering collaboration among directors, investors, and corporate governance stakeholders, NACD has been setting the standard for responsible board leadership for 40 years. To learn more about NACD, visit www.NACDonline.org.
About SecurityScorecard
Backed by world-class investors, including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital and others, SecurityScorecard is the global leader in cybersecurity ratings, with over 12 million companies continuously assessed. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented scoring technology is used by more than 30,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting and regulatory oversight. SecurityScorecard is the first cybersecurity ratings company to offer digital forensics and incident response services, providing a 360-degree approach to security prevention and response for its global customer and partner base. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees and suppliers. Every organization has the universal right to its reliable and transparent Instant SecurityScorecard. For more information, visit securityscorecard.com or connect with us on LinkedIn.