Major Information Security requirements proposed for SEC compliance

The Securities & Exchange Commission (SEC) has unveiled a detailed set of proposed rules designed to improve cybersecurity preparedness in the wake of rising threats against financial institutions. The rules require advisors and funds to implement written cybersecurity policies and procedures, disclose significant cyber incidents, and maintain cybersecurity records.  

Acting now to prepare your business for this fast-approaching deadline is vital for the financial health of your business. Working with a highly experienced and reputable IT business is absolutely crucial to protect your business. Safeguarding clients' data is one of the most valuable services you can provide to your clients. Give your clients added confidence by ensuring their data is secure by choosing an IT business with years of experience in the ever-changing security standards and risks faced in today's world.

Fortify IT Solutions will take the pressure off you and will ensure your information security program meets the seven actions to be developed, implemented, and maintained as outlined in the SEC’s new proposed Cybersecurity Risk Management Rules.

These seven actions will help you safeguard your business, maintain the trust of regulators and clients, and remain in compliance with the law.

These SEVEN ACTIONS are:

Action One: Establish Written Cybersecurity Plans, Policies, and Procedures

According to the SEC, firms must create cybersecurity plans, policies, and procedures. These plans, policies, and procedures are crucial to successful cybersecurity because they establish your workflow, responsibilities, and accountability. The SEC wants firms to create comprehensive policies, procedures, and plans. According to the SEC, these documents should be retrievable for two years and archived for five years. Start by identifying, prioritizing, and categorizing your company's unique cybersecurity risks and then aligning them with your business model. For example, if you rely on trading algorithms, you must have security policies and procedures for developing secure applications.


Action Two: Review, Document, and Enforce Access Management Best Practices

The SEC has previously described what constitutes best practice for data access management, but the new rules are far more specific on this subject; access management is their most prescriptive aspect. It begins with an Acceptable Use Policy (AUP), which specifies the behaviors users agree to and the limitations they accept in order to access data. Identities should be provisioned and deprovisioned promptly at onboarding, at offboarding, and at the beginning and end of projects. The final step is to terminate credentials when they are no longer needed. Users should have access only to the data they need to perform their duties, and enforcing least-privilege access requires a clear inventory of your systems, SaaS platforms, and data.


Action Three: Data Protection Policies and Technologies

The SEC sets specific guidelines for monitoring and protecting data from unauthorized access. The confidentiality, integrity, and availability of data must be safeguarded both at rest and in transit. Knowing what data you hold and where it resides is critical to protecting it effectively. Is your data held in a data center, across multiple cloud environments, on Dropbox or Google Drive, in email, or in third-party systems? Once you understand your data landscape, you can protect it effectively and tell regulators and clients whether data has remained safeguarded. If you keep data on third-party systems, you must tell clients and partners if any of it has been exposed.

The new SEC security requirements also mandate certain technologies and procedures to safeguard data. The following are some of these technologies and methods: 

  • Segmentation protects data centers, cloud environments, and networks by separating them according to their sensitivity or value to company continuity. 

  • Access controls for managing data access with tools and best practices. 

  • Threat detection and prevention using automated tools and services, including security information and event management (SIEM) backed by machine learning (ML) and statistical analysis. 

  • Vulnerability management that assesses and remediates vulnerabilities, including detecting malware, backdoors, hosts communicating with botnet-infected systems, and web services that connect to malicious content. 

  • Data encryption to ensure data is encrypted on hard drives and in transit.

  • Mobile device management tools or services to ensure that devices are properly configured, to keep sensitive data off devices, and to erase devices remotely if necessary. 

  • User training to ensure employees are educated in fundamental cyber security habits, including password management, phishing detection, and more. Routine training services are extremely valuable. 

  • The SEC wants businesses to recognize and document their vendors and partners who may have data access. Vendors should be contractually required to maintain minimum cybersecurity standards and to report cyber incidents immediately. If a vendor system is breached, you must inform your clients which of your data has been compromised.


Action Four: Manage Cyber Threats and Vulnerabilities

The SEC now requires firms to deploy technology to monitor their IT environments for threats and vulnerabilities. Many firms lack the technology to monitor, alert, respond to, and remediate cyberattacks. Although some solutions might tackle these issues in specific scenarios, many do not. You must use established methodologies to determine what actions should be taken based on the information provided by the technology. You must also routinely test those procedures to ensure they perform as intended and determine when they need to be remediated.

You should conduct regular vulnerability scans and penetration tests to identify cyber risks, update applications with security patches, and protect against zero-day threats. Vulnerability management covers not just security patches but also hardware and software configuration. When using cloud security services, ensure they are turned on as required. It is not enough to have vulnerability and threat management policies; you must also prove to regulators and clients that you follow the correct procedures.


Action Five: Implement Cybersecurity Incident Response Planning and Recovery 

The SEC will require measures to detect, respond to, and recover from a cybersecurity incident as follows: 

Detect: A comprehensive platform to detect and respond to incidents in near real-time. An effective SIEM solution will leverage artificial intelligence (AI) to filter out the noise and focus on anomalous signals that require attention. 

Respond: Response plans will differ depending on your unique risks and business requirements, but you need a written plan for responding to common cyber events, ranging from stolen laptops and business email compromise to ransomware attacks. Written plans help you avoid a rushed and inadequate response, and specifying clear roles, responsibilities, and procedures helps prevent escalation. Conduct training exercises with clear response metrics to fine-tune your plan so you are prepared to respond when the inevitable cyber incident occurs. 

Recover: Rapid and complete recovery from a cybersecurity incident is critical for sustaining business continuity and maintaining regulator and client confidence. Experienced cyber security experts have fine-tuned their recovery processes through real-world incidents and can help you avoid or limit negative impacts on your business. 

When you outsource any IT platforms or data services to a vendor, you should be able to maintain operations even if those outsourced systems are interrupted by a cyber event. Start by documenting all of the service providers with access to your data. Then make sure you have written procedures for handling data on an alternative system or briefly sustaining processes manually. The goal is to maintain business continuity regardless of where your data resides.


Action Six: Report and Disclose Cybersecurity Incidents

The SEC will require that boards of directors be made aware of any data breaches and any changes to your environment resulting from those breaches. Firms will now have to report to the SEC and disclose any "significant" cyber incident to clients. The SEC defines a significant incident as any cyber event that results in substantial harm or disruption of critical operations for the adviser or its clients. This is one of the most significant elements of the SEC rules, as it calls for a level of transparency and process the SEC hasn't explicitly required in the past.

Reportable cyber incidents can be grouped into two broad categories. One involves the interruption of critical operations. The other involves the exposure of confidential information such as customer or employee data or business intelligence. 

Reporting of the event must occur within 48 hours after discovery. That means you need a detailed and tested process, with clear roles and responsibilities, so you can report promptly and accurately. 

Timely reporting should be part of your broader incident response plan. You should document who will lead the response and which team members will perform which aspects of the response actions. You should also have a process for reporting to the SEC, your local FBI office, and your board of directors. 

Reporting to the SEC will be handled through a confidential process. The SEC will also require that firms publicly disclose both cyber risks and cyber incidents to their clients and the SEC in brochures and registration statements. Disclosures must cover any incident that occurred in the preceding two fiscal years. 


Action Seven: Formalize Cybersecurity Responsibility and Accountability

A key goal of the new SEC rulemaking is strengthening responsibility and accountability for cyber risk management across an organization. This accountability extends to your board of directors. The board of directors is ultimately responsible for the strength and health of your cyber risk management program. Your board must now review and approve all cyber-related policies and procedures. They must be promptly notified of a cyber security breach, and it is vital to keep your board apprised of your cybersecurity posture, including all vendors that handle firm data. Your board will also be responsible for understanding the specific cyber risks in your market and the best practices for addressing them. 

The SEC is effectively formalizing cybersecurity best practices as policy and is charging investment advisers and funds with precise requirements to mitigate against cyberattacks and report cyber incidents as they occur. 

Links:

https://www.sec.gov/news/press-release/2022-39

https://www.sidley.com/en/insights/newsupdates/2022/03/newly-proposed-sec-cybersecurity-risk-management-and-governance-rules


Fortify IT Solutions has proven solutions to protect your business by keeping you in compliance with the December 2022 SEC requirements. Cyber attacks and data breaches can have devastating effects on your business.