Imminent New SEC Cyber Security Rules

Uploaded on 2023-11-20 in FREE TO VIEW, BUSINESS-Services-Financial

The U.S. Securities and Exchange Commission (SEC) is recognising the growing threat cyberattacks pose to the financial markets and investor interests. As a result, the regulatory body is taking a more proactive stance on cybersecurity. The imminent rule changes include stricter requirements for reporting, disclosure, and safeguarding sensitive financial and customer data.

Risk professionals across the US must have been high fiving at the acknowledgement that cybersecurity is not just an IT issue; it’s a fundamental business risk.  And yes, the new rules do place additional pressure on CISOs, whose role it is to identify, mitigate and manage cyber security risk.

But crucially, compliance with SEC rules also points to the fact that risk management must come from the top.  The very top. 

With increased regulatory scrutiny comes the requirement for improved accountability and governance. Companies are required by the Cyber Disclosure rule to describe the processes they have in place for assessing, identifying, and managing material cybersecurity risks as well as the material effects of risks from cybersecurity threats, including previous incidents. Crucially, what the cyber disclosure rule demands is board oversight. Responsibility does not rest solely with the CISO. The board must understand and engage with and manage cyber security risk.  

For the first time the board must be able to talk confidently and knowledgeably about cyber security and risk.  And rightly so. Cybersecurity incidents can significantly damage a company's reputation, causing a loss of investor trust. High-profile breaches can lead to lawsuits,  fines, and significant loss of market value. The SEC's rules focus on material disclosures that could impact an investor's decision. In the context of cybersecurity, it is crucial for senior leadership to recognise the materiality of cyber risks and ensure that these risks are accurately disclosed in financial reports and disclosures to investors. 

For many, this will require a dramatic shift in mindset. The idea that the board and the IT department can continue to operate in their respective silos has been destroyed.

Cyber risk is everybody’s department. Cybersecurity risks are complex and evolving. Effective, comprehensive risk management requires a strategic approach that can only be achieved with the involvement of senior leadership and the board. 

By requiring public companies to disclose cybersecurity-related information and by emphasizing the board's oversight role, the SEC's cyber disclosure rule is intended to break down the walls between IT and the boardroom.

CEOs, boards, and executive management must be actively involved in setting the cybersecurity agenda, ensuring compliance with regulatory requirements, and protecting the company's reputation and investor trust. It promotes a more holistic and transparent approach to cybersecurity, recognising it as a critical business risk that requires attention and understanding at all levels of the organization.

Miguel Clarke is  GRC and Cyber Security lead for Armor

Image: Expect Best

You Might Also Read: 

DORA: Compliance With The EU Digital Resilience Act:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Bridging The Gap Between Cybersecurity & Business Goals
Update: Sacked OpenAI Boss Is Reappointed »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

QinetiQ

QinetiQ

QinetiQ is one of the world's leading defence technology and security companies. Areas of activity include air, land, sea and space systems, weapons, robotics, C4ISR and cyber security.

Venafi

Venafi

Venafi is a world-class cyber-security company dedicated to protecting machine identities for our hyper-connected digital economy.

iTrinegy

iTrinegy

iTrinegy is a world leader in Application Risk Management offering solutions to mitigate all networked application deployment risks

Ikerlan

Ikerlan

Ikerlan is an R&D technology centre specialising in areas including embedded systems, industrial automation and industrial cybersecurity.

Crossword Cybersecurity

Crossword Cybersecurity

We work with research intensive European university partners to identify promising cyber security intellectual property from research that meets emerging real-world challenges.

Cybellum

Cybellum

Cybellum provides software risk assessment for DevOps and security executives, by detecting vulnerabilities automatically, without source code.

VADO Security Technologies

VADO Security Technologies

VADO Security enables the safe transfer of data between low & high security networks.

Vector InfoTech

Vector InfoTech

Vector InfoTech is a leader in Industrial Security, Networks, IT and Telecommunications.

National Cybersecurity Institute (NCI) - Excelsior College

National Cybersecurity Institute (NCI) - Excelsior College

NCI is Excelsior College’s research center dedicated to assisting government, industry, military and academic sectors meet the challenges in cybersecurity policy, technology and education.

Swiss Accreditation Service (SAS)

Swiss Accreditation Service (SAS)

SAS is the national accreditation body for Switzerland. The directory of members provides details of organisations offering certification services for ISO 27001.

Network Intelligence

Network Intelligence

Network Intelligence are a global cybersecurity provider offering services across 6 broad spectrums - Assessment, BCMS, GRC, Professional Services, MSSP & Training.

TrustGrid

TrustGrid

Trustgrid is a pioneer and leader in secure, cloud-native software-defined connectivity.

Vectra AI

Vectra AI

Vectra threat detection & response - see and stop threats across hybrid and multi-cloud enterprises.

Cybernatics

Cybernatics

Cybernatics is inspired by bringing together best-in-class innovations around Cybersecurity and Analytics. We offer tailored enterprise solutions to safeguard your organisations best interests.

Panoplia Digital Protection

Panoplia Digital Protection

Panoplia Digital Protection is a cutting-edge cybersecurity company that leverages the power of AI and ML to help businesses and consumers protect themselves against cyber threats.

Ionize

Ionize

Ionize offers solutions to help you uplift your capability across the full-spectrum of cyber security - assessment, remediation, monitoring, governance and ongoing education.