What new cybersecurity regulations did 2022 bring for SEC-registered RIAs?
2022 was a very busy year for cybersecurity at the SEC. The Securities and Exchange Commission (SEC) released a series of proposed regulations that would significantly increase SEC oversight of public companies’ cybersecurity-related matters. The new rules call for greater transparency in how organizations operate with regard to their cybersecurity policies, procedures, and decision-making processes, as well as an oversight role for the Board regarding all aspects of cybersecurity.
The SEC’s unveiling of these guidelines indicates the heightened importance it places on cybersecurity. In fact, no other federal agency has taken such a firm stance in requiring public corporations and their Boards to uphold certain standards related to cybersecurity. One significant requirement is that companies must have Board oversight when reviewing, assessing, and enacting policies/procedures regarding cybersecurity matters. Additionally, all organizations must divulge any ‘material’ cyber incidents as well as provide follow-up information about them in an ongoing manner. Further, organizations will be required to start actively testing for vulnerabilities on their networks.
The comment period for the proposed rules concluded on May 9, 2022, with a flurry of comments being submitted. Organizations and their respective boards should prepare now, because the changes that come into play once the rules are finalized could be drastic.
Those changes are expected to take effect Q1 2023.
What crucial requirements must be met once the new regulations are officially adopted?
If the SEC adopts rules similar to their proposed form, the key obligations include:
- Report any and all material cybersecurity incidents to the SEC within a period of 4 days;
- Actively and proactively perform vulnerability scans and penetration tests on your firm’s network;
- Report any incidents that, when combined with other events, become noteworthy “as a whole” (whatever that means);
- Periodically disclose updates on previous incidents in SEC reports;
- Describe the company’s cybersecurity risk management system;
- Explain how the Board supervises and manages cyber risk for the organization;
- Disclose the Board members’ knowledge of cybersecurity.
What modifications are being made to the current regulations?
Companies and their senior management will be held to a much higher standard. The new regulations dictate that businesses must establish suitable cybersecurity procedures, tell shareholders about these practices in public filings, reveal how the leadership team oversees such programs, and report any cyber incidents in a manner that gives investors sufficient information.
If you have heard me speak in the past, one topic I always touch on is just how nebulous the SEC’s cybersecurity regulations can be. Hopefully, with the new regulations, the rules will be set in stone and more transparent than ever before; though they might come with a few extra obligations. Unfortunately, existing guidelines have made it difficult for companies to comprehend cybersecurity standards properly – but these forthcoming requirements should help rectify that issue substantially.
The SEC has made it clear that they expect more detailed and comprehensive documentation of cybersecurity threats, as well as timely incident reports and proof of proactive vulnerability audits.
What should your firm be doing?
If you have never performed a cybersecurity audit, now is the time. You simply cannot put it off any longer without being in violation. The SEC assumes you are doing audits, and I assure you your clients expect you to be doing cybersecurity audits. I expect that the SEC will use the new regulations to rake noncompliant firms over the coals to make an example.
Because of that, companies should take proactive steps to review and revise their cybersecurity and risk management documents as soon as possible, taking into account any recent changes in technology infrastructure, any recent mergers or acquisitions, changes in the threat landscape, and any lessons learned from security incidents. While these documents can take a while to refresh, beginning the process and producing that documentation now will ensure better protection against future threats.
To meet the new regulations on board oversight, boards need to be fully educated and trained on their responsibilities concerning cybersecurity and risk management. To ensure that your board can effectively fulfill these duties, determine whether the full board or a subset of its members will take charge of this task. Furthermore, make sure that everyone involved has been properly briefed so they understand company policies and procedures before approving them. If you don’t have this expertise on your board, you will need to hire an expert, such as MTradecraft, to fill that spot.
All companies must have an incident response plan in place. However, with the new proposed rules coming into effect shortly, we recommend you review and refresh your existing plans to ensure they are up to date. Your designated incident response team should be familiar with the reporting timeline so it can decide when to escalate any significant or material incidents that require senior leadership or Board approval. Without a clear escalation policy in place for such cases, your business could face consequences if it is left unprepared.
According to the SEC, organizations have just four days to report any material incident. This reporting window is shorter than that of any other single U.S. law or regulation! To ensure that your Board of Directors knows how best to respond in an emergency and take the necessary actions, its members must be educated on the organization’s incident response plan and then participate in simulated exercises such as a tabletop exercise.
Establish precisely what materiality means for your organization. Senior leadership and legal staff should make the final call on whether an incident is of sufficient importance that it needs to be reported within four days. When developing both the incident response plan and the normal operating environment, ensure you have procedures in place that allow for rapid escalation to senior management or the legal team, who will ultimately decide whether something is considered ‘material’.
The new regulations are not going to be easy.
They will significantly change your operations and drastically cut into the budget of many firms. Unfortunately, you no longer have an option. The SEC doesn’t care if you are Goldman Sachs or Jim Bob Jones, “Work-From-Home-Financial-Planner”; cybersecurity is a requirement for everyone.