GRC Viewpoint

The U.S. SEC Has Proposed New Rules Regarding Incident Management and Cybersecurity

In an official release in March 2022, the U.S. Securities and Exchange Commission updated its ‘Proposed Cybersecurity Rules.’ The proposal contains extensive explanations of the new requirements, which predominantly consist of new procedural requirements along with cybersecurity controls.

The new requirements for the disclosure and management of cybersecurity incidents and risk cover critical areas, including cybersecurity policies and procedures, yearly reviews, board and fund reviews, risk and incident disclosure, and related topics.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.

As proposed, the rules could be one of the most significant pieces of cybersecurity requirements in the organization’s history and drive awareness and maturity in a segment of the financial and capital markets that has been trailing behind larger financial institutions such as banks and insurance companies.” This is what the official statement from SEC Chair Gary Gensler said.


It is certainly a timely move by the SEC. However, given the significant lack of cybersecurity maturity, resources, and processes outside of financial services firms and large industries, strictly implementing the proposed recommendations may be a daunting task for many enterprises.

The SEC has always requested that firms disclose details about material cybersecurity incidents. The newly proposed rules go further, making it mandatory for enterprises to maintain robust procedures and protocols. Moreover, firms would have to adhere to a 4-day reporting deadline.

The proposal states that recovery plans and incident response approaches should include strategies to identify and remediate risks, safeguard sensitive data, maintain operations, collaborate with internal and external stakeholders, and report incidents to the SEC.
