Imminent New SEC Cyber Security Rules

The U.S. Securities and Exchange Commission (SEC) is recognising the growing threat cyberattacks pose to the financial markets and investor interests. As a result, the regulatory body is taking a more proactive stance on cybersecurity. The imminent rule changes include stricter requirements for reporting, disclosure, and safeguarding sensitive financial and customer data.

Risk professionals across the US must have been high fiving at the acknowledgement that cybersecurity is not just an IT issue; it’s a fundamental business risk.  And yes, the new rules do place additional pressure on CISOs, whose role it is to identify, mitigate and manage cyber security risk.

But crucially, compliance with SEC rules also points to the fact that risk management must come from the top.  The very top. 

With increased regulatory scrutiny comes the requirement for improved accountability and governance. Companies are required by the Cyber Disclosure rule to describe the processes they have in place for assessing, identifying, and managing material cybersecurity risks as well as the material effects of risks from cybersecurity threats, including previous incidents. Crucially, what the cyber disclosure rule demands is board oversight. Responsibility does not rest solely with the CISO. The board must understand and engage with and manage cyber security risk.  

For the first time the board must be able to talk confidently and knowledgeably about cyber security and risk.  And rightly so. Cybersecurity incidents can significantly damage a company's reputation, causing a loss of investor trust. High-profile breaches can lead to lawsuits,  fines, and significant loss of market value. The SEC's rules focus on material disclosures that could impact an investor's decision. In the context of cybersecurity, it is crucial for senior leadership to recognise the materiality of cyber risks and ensure that these risks are accurately disclosed in financial reports and disclosures to investors. 

For many, this will require a dramatic shift in mindset. The idea that the board and the IT department can continue to operate in their respective silos has been destroyed.

Cyber risk is everybody’s department. Cybersecurity risks are complex and evolving. Effective, comprehensive risk management requires a strategic approach that can only be achieved with the involvement of senior leadership and the board. 

By requiring public companies to disclose cybersecurity-related information and by emphasizing the board's oversight role, the SEC's cyber disclosure rule is intended to break down the walls between IT and the boardroom.

CEOs, boards, and executive management must be actively involved in setting the cybersecurity agenda, ensuring compliance with regulatory requirements, and protecting the company's reputation and investor trust. It promotes a more holistic and transparent approach to cybersecurity, recognising it as a critical business risk that requires attention and understanding at all levels of the organization.

Miguel Clarke is  GRC and Cyber Security lead for Armor

Image: Expect Best

You Might Also Read: 

DORA: Compliance With The EU Digital Resilience Act:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Bridging The Gap Between Cybersecurity & Business Goals
Update: Sacked OpenAI Boss Is Reappointed »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Bulb Security

Bulb Security

Whether your internal red team or penetration testing team needs training, or you lack internal resources and need an outsourced penetration test, Bulb Security can help.

Cybernetica

Cybernetica

Cybernetica is an ICT company with activities in e-government, marine comms, data analysis and research in information security technologies.

ISARA Corp

ISARA Corp

ISARA Corporation is a security solutions company specializing in creating class-defining quantum-safe cryptography for today's computing ecosystems.

ReFoMa

ReFoMa

ReFoMa is a consultancy and advisory company with a focus on information Security.

Level Effect

Level Effect

Level Effect is developing new capabilities to bring a unique perspective on proactive network defense and advanced security analytics.

Nokia

Nokia

Nokia is a proven leader in fixed, mobile and IoT security offering capabilities that range from systems design to integration and support.

Connectria

Connectria

Connectria provides cloud hosting, remote monitoring, and compliant cloud security solutions and services to enterprises, medium and small businesses.

Raqmiyat

Raqmiyat

Raqmiyat provides end-to-end IT Services and business solutions including consultancy, digital transformation, infrastructure and cybersecurity.

DKBInnovative

DKBInnovative

DKBinnovative is a best-practice driven IT management firm that provides secure, reliable IT solutions to productivity-focused clients around the globe.

GateKeeper Enterprise

GateKeeper Enterprise

The GateKeeper Enterprise software is an identity access management solution. Automated proximity-based authentication into computers and websites. Passwordless login and auto-lock PCs.

Edgile

Edgile

Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content.

Stripe OLT

Stripe OLT

At Stripe OLT, we provide complete business technology solutions - Our team has an unrivalled reputation as a Microsoft Gold Partner, specialising in secure, cloud-first technology.

Druva

Druva

Druva is the industry’s leading SaaS platform for data resiliency, and the only vendor to ensure data protection across the most common data risks backed by a $10m guarantee.

Cybalt

Cybalt

Cybalt is a security services company that provides end-to-end security solutions to help clients achieve their business goals.

Sekoia.io

Sekoia.io

Sekoia.io is a European cybersecurity company whose mission is to develop the best protection capabilities against cyber-attacks.

Anetac

Anetac

Developed by seasoned cybersecurity experts, the Anetac Identity and Security Platform protects threat surface exploited via service accounts.