Proposed SEC Cyber Rules — What Security Organizations Need to Know
The SEC recently announced proposed cyber rules affecting registered investment advisers and funds, the first guidance since 2018. The ‘Proposed rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure’ is more prescriptive than the earlier guidance. The SEC is addressing observed shortcomings in incident reporting practices that range from incidents not being disclosed at all to disclosures that are incomplete, late, or inconsistent with the cyber risk actually being managed. The proposed rules aim to replace unevenly interpreted self-regulatory guidance with detailed regulatory requirements that apply to registered investment advisers and funds. Here’s what you need to know.
Director Cybersecurity Expertise
The proposal would require companies to disclose the cyber expertise of directors of the company. If there is expertise, the company would be required to disclose the name of any such director and provide such detail as necessary to fully describe the nature of the director’s expertise. The proposed rule would introduce experience criteria such as
- Whether the director has work experience in cybersecurity
- Whether the director has any certifications or degrees
- Whether the director has knowledge, skills, or other background in cybersecurity.
Governance
Companies would need to disclose how and how frequently the board is informed of and considers cyber risk, and how the board considers cyber risks as part of its business strategy, risk management, and financial oversight. Companies would need to disclose management’s cybersecurity expertise and its role in assessing and managing risk and implementing policies and procedures, including details on the company’s CISO such as internal reporting lines.
Risk Management & Reporting
Companies would be required to disclose whether they have policies and procedures for
- Risk Assessment
- 3rd Party Risk Management
- Incident Response
- Disaster Recovery
In addition, risk management should consider programmatic improvements in response to incidents; whether and how cybersecurity-related risks and incidents have affected operations or financial condition; and whether and how cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation.
Incident Reporting
New additions would require companies to disclose material cybersecurity incidents within four business days of the materiality determination, rather than the date of discovery. The disclosure must include
- When the incident was discovered and its status
- A description of the nature & scope
- Whether any data was stolen, altered, accessed, or used for unauthorized purposes
- The effect on operations
- The company’s remediation status
Key Takeaways
- Comprehensive Documentation is Critical: The proposed SEC Cyber Ruling will enforce specific and measured practices. Having documentation including policies, standards, SOPs, etc. will ensure that you have a consistent way of completing core cybersecurity functions.
- Define Materiality Calculations for Incidents: Immediately calculating the impact on operations and finance based on an incident is a tall task. Ensuring that you have ways to measure systems, applications, assets, or data that may be impacted by an incident will be critical to defining the materiality for your organization.
- Leadership and Board Members Must Understand Cyber Impact: Cybersecurity expertise is a rare finding on current financial organization boards. It will be important to ensure that either your leadership can communicate security events clearly, or that organizations begin to identify additional directors to sit on the board to provide the necessary expertise to comply.
For any questions or comments on the analysis above — please contact:
Harry Baker, Senior Consultant — Harry.Baker@DayBlink.com
Justin Whitaker, Partner — Justin.Whitaker@DayBlink.com