Preparing for New SEC Cybersecurity Rules
The latest update of the SEC’s rulemaking agenda indicates it will finalize new rules around cyber risk management for funds and investment advisers in the spring of 2023. The rules, first proposed in early 2022, will take effect immediately upon adoption, but compliance will likely be phased in over a period of months this year.
What will the directive mean for cybersecurity in your firm? Let’s look at the most significant aspects of the new rules – along with the actions your enterprise should take now to comply.
CORE ASPECTS OF CYBER RISK MANAGEMENT
The SEC’s proposed new rules were complex and spelled out in a 224-page document. The organization intends to finalize those rules with almost no changes. That’s no surprise, because the guidance reflects cybersecurity best practices – and what every firm should be doing to protect its data and its business.
The new rules require investment advisers and funds to address cyber risk management in seven key areas:
1. Cybersecurity plans, policies, and procedures – Under the new rules, firms must establish and document a robust cyber risk plan and formalize their cybersecurity policies and procedures. Make sure such documentation is easily retrievable. You’ll need to review policies and procedures at least annually and update them based on business changes that affect cyber risk.
2. Access management – Following best practices for data access is no longer just a recommendation but is now SEC policy. You’ll need to create and enforce an acceptable use policy (AUP), as well as policies for passwords, least-privilege access, and remote access. Multifactor authentication (MFA) is now table stakes.
3. Data protection policies and technologies – The SEC rules require that firms monitor and protect data against unauthorized access. Safeguard data based on its sensitivity and importance to your operations. Protect data where it’s stored and as it’s transmitted, leveraging methods such as encryption, network segmentation, and automated threat detection. Also document which vendors have access to your data and require them to meet cybersecurity standards and report cyber incidents.
4. Threat and vulnerability management – You’ll need to perform regular vulnerability scans, and track, prioritize, and remediate known vulnerabilities. Update software promptly as patches become available. Make sure applications and devices are configured properly and conduct regular penetration testing to confirm security settings.
5. Incident response – The SEC rules require that firms develop and document an incident response plan and recovery procedure. Your plan should include metrics for the speed and effectiveness of your response. Test the response plan and fine-tune it based on results. Also determine how you’ll manage data if the vendor systems you rely on become unavailable.
6. Reporting and disclosure – A major new requirement is greater cybersecurity transparency and reporting of cyber incidents. You’ll need to report any significant incident to the SEC. You’ll also need to publicly disclose cyber risks and incidents from the previous two fiscal years to both the SEC and your clients.
7. Cybersecurity responsibilities and accountability – Another big rule change is formalization of cybersecurity accountability. Boards of directors must now review and approve cybersecurity policies and procedures. They must also understand and address cyber threats in the marketplace. Going forward, you’ll need to inform boards about any vendors that handle your sensitive data and alert them of any cyber incidents.
WHERE YOU SHOULD START WITH SEC COMPLIANCE
Your firm will need to address all seven pillars of the new SEC rules. But there are four areas where you’ll want to take action now:
Cyber assessment – Start by assessing your existing cyber risks, policies, and protections. Score yourself against all aspects of the SEC rules, identify any gaps, and put in place a formal plan to close those gaps in 2023.
Data protection – The SEC is trying to create accountability around how firms protect investor data. It wants firms to have a clear picture of where their data is stored and strong controls around who has access to it. That will require a layered approach that applies multiple technologies and techniques to protect data.
Vulnerability management – Many firms have policies for how they manage vulnerabilities, but they don’t always keep up with security patches. SEC regulators will want to see that your firm’s actions around vulnerability management align with your stated policies.
Cyber governance – Many firms implement disparate pieces of cybersecurity but lack a comprehensive cyber strategy. The SEC wants firms to engage in end-to-end cyber risk management. Develop clear policies, conduct tabletop exercises, measure the results, and document your progress toward stronger security.
Whether you’re still relying on security basics like antivirus and firewalls, or you’ve already deployed advanced security layers, the time to take action on SEC compliance is now. You never know when a cyber breach could occur, and you never know when the SEC could come calling. Very possibly, those two events will go hand in hand.
The fact is, the new SEC rules for cyber risk management reflect cybersecurity best practices. These are the policies, procedures, and technologies you should be implementing to protect your business-critical data and retain the confidence of your clients. Taking the time and effort to comply with the new SEC rules now is actually investing in the current and future success of your business.
For more details on how to position your firm to comply with the incoming SEC rules, download our SEC whitepaper.