Imminent New SEC Cyber Security Rules

Uploaded on 2023-11-20 in FREE TO VIEW, BUSINESS-Services-Financial

The U.S. Securities and Exchange Commission (SEC) is recognising the growing threat cyberattacks pose to the financial markets and investor interests. As a result, the regulatory body is taking a more proactive stance on cybersecurity. The imminent rule changes include stricter requirements for reporting, disclosure, and safeguarding sensitive financial and customer data.

Risk professionals across the US must have been high fiving at the acknowledgement that cybersecurity is not just an IT issue; it’s a fundamental business risk.  And yes, the new rules do place additional pressure on CISOs, whose role it is to identify, mitigate and manage cyber security risk.

But crucially, compliance with SEC rules also points to the fact that risk management must come from the top.  The very top. 

With increased regulatory scrutiny comes the requirement for improved accountability and governance. Companies are required by the Cyber Disclosure rule to describe the processes they have in place for assessing, identifying, and managing material cybersecurity risks as well as the material effects of risks from cybersecurity threats, including previous incidents. Crucially, what the cyber disclosure rule demands is board oversight. Responsibility does not rest solely with the CISO. The board must understand and engage with and manage cyber security risk.  

For the first time the board must be able to talk confidently and knowledgeably about cyber security and risk.  And rightly so. Cybersecurity incidents can significantly damage a company's reputation, causing a loss of investor trust. High-profile breaches can lead to lawsuits,  fines, and significant loss of market value. The SEC's rules focus on material disclosures that could impact an investor's decision. In the context of cybersecurity, it is crucial for senior leadership to recognise the materiality of cyber risks and ensure that these risks are accurately disclosed in financial reports and disclosures to investors. 

For many, this will require a dramatic shift in mindset. The idea that the board and the IT department can continue to operate in their respective silos has been destroyed.

Cyber risk is everybody’s department. Cybersecurity risks are complex and evolving. Effective, comprehensive risk management requires a strategic approach that can only be achieved with the involvement of senior leadership and the board. 

By requiring public companies to disclose cybersecurity-related information and by emphasizing the board's oversight role, the SEC's cyber disclosure rule is intended to break down the walls between IT and the boardroom.

CEOs, boards, and executive management must be actively involved in setting the cybersecurity agenda, ensuring compliance with regulatory requirements, and protecting the company's reputation and investor trust. It promotes a more holistic and transparent approach to cybersecurity, recognising it as a critical business risk that requires attention and understanding at all levels of the organization.

Miguel Clarke is  GRC and Cyber Security lead for Armor

Image: Expect Best

You Might Also Read: 

DORA: Compliance With The EU Digital Resilience Act:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Bridging The Gap Between Cybersecurity & Business Goals
Update: Sacked OpenAI Boss Is Reappointed »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

International Conference on Information Systems Security & Privacy (ICISSP)

International Conference on Information Systems Security & Privacy (ICISSP)

The ICISSP event is a meeting point for researchers and practitioners to address security and privacy challenges concerning information systems.

AdNovum Informatik

AdNovum Informatik

AdNovum Informatik provides a full set of IT services, ranging from consulting, the conception and implementation of customized business and security solutions to maintenance and support.

Seculert

Seculert

The Seculert Attack Detection & Analytics Platform combines machine-learning based analytics and threat intelligence to automatically detect cyber attacks inside the network.

Arkose Labs

Arkose Labs

Arkose Labs' Fraud and Abuse Platform combines Telemetry and adaptive Enforcement Challenges to break down the ROI of fraudsters and protect digital businesses.

GuardSight

GuardSight

GuardSight is a provider of specialized cybersecurity services to safeguard businesses, government, and remote workers against sophisticated cyber threats.

Indevis

Indevis

Indevis provides IT security, datacenter and network solutions, accompanied by professional consulting, management and support services.

Seigur

Seigur

Seigur is an IT consultancy business providing flexible legal and cyber security services for IT and data privacy programmes.

BAE Systems

BAE Systems

BAE Systems develop, engineer, manufacture, and support products and systems to deliver military capability, protect national security, and keep critical information and infrastructure secure.

WireGuard

WireGuard

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs).

PRE Security

PRE Security

PRE Security is leading the transition into the next era of AI cybersecurity with a new model: Predict & Prevent.

Robosoft Technologies

Robosoft Technologies

Robosoft Technologies is a full-service digital transformation partner. We provide end-to-end digital transformation services in areas including cybersecurity.

Tamnoon

Tamnoon

Tamnoon is the Managed Cloud Detection and Response platform that helps you turn CNAPP and CSPM alerts into action and fortify your cloud security posture.

Dryad Global

Dryad Global

Dryad Global offers a comprehensive suite of maritime intelligence solutions, including a best-in-class situational awareness, planning and security system and industry-leading cyber protection tools.

Aurascape AI

Aurascape AI

Aurascape is working on advanced cybersecurity solutions powered by grounds-up generative AI architecture.

Iron EagleX

Iron EagleX

Iron EagleX deliver engineering solutions in cloud computing, big data, cyber, and machine learning technologies to US Government customers.

Identifly

Identifly

Identifly is the leading Australian independent identity consultancy and partner in Australia, helping enterprises implement large scale identity security projects fast.