Updated on April 20, 2022
On March 9, the US Securities and Exchange Commission (SEC) issued proposed rules regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. SEC Chair Gary Gensler highlighted in the press release that “Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs. Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner. I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”
At Arctic Wolf, we see these proposed rules as another major step forward in cybersecurity risk management, and one that aligns closely with our goals and solutions. Risk management is essential in helping organizations define and contextualize their attack surface coverage, learn the risk priorities in their environment, and obtain advice on remediation actions so that they benchmark against configuration best practices and continually harden their security posture. Arctic Wolf® Managed Risk delivers all this through its Concierge Security® team of industry-leading security experts.
Original Post: February 25, 2002
On February 9, the U.S. Securities and Exchange Commission (SEC) issued proposed rules regarding cybersecurity risk management for investment advisers, registered investment companies, and business development companies. It’s no surprise that the SEC is taking a more active role here, given its continued interest in cybersecurity issues and high-profile ransomware attacks. This proposal highlights the SEC’s views on best practices for cybersecurity risk management, and those views resonate beyond the investment industry.
Additionally, it complements President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which is meant to harden the security posture of federal agencies. This Executive Order was drafted in response to high-profile ransomware attacks in both the public and private sectors, such as the SolarWinds breach.
However, as it is not legislation, the Executive Order can only apply to government agencies and federal contractors, not the private sector. That’s why these proposed rules from the SEC are so crucial.
Together, they play a pivotal role in the continuing evolution of cybersecurity—placing an emphasis on proactive vs. reactive cybersecurity, as well as addressing the need for constant and consistent monitoring of attack surfaces.
Key Takeaways from the SEC’s Proposed Rules
Reporting of Significant Cybersecurity Incidents
Investment firms would be required to file an incident report “promptly, but in no event more than 48 hours, after having a reasonable basis to conclude” that a cybersecurity incident has occurred or is occurring. They would also be required to amend previous reports within 48 hours after obtaining new material information, or if a previous report becomes materially inaccurate.
Disclosure of Cybersecurity Risks and Incidents
The proposed enhancement to the fundamentals of the cybersecurity-related disclosures outlined in the 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures would help investment firms better understand how effectively cybersecurity risk is being governed.
Investment firms would have to adhere to new recordkeeping requirements for cybersecurity-related records.
Adoption of Written Requirements
The SEC’s proposed rules will be voted on this April. If they pass, investment advisers, companies, and funds will be required to have formally written policies and procedures in place to address cyber risk. The SEC’s rules would also require the annual evaluation, review, and approval of these policies and procedures. Managed Detection and Response (MDR) solutions can help these investment firms more easily get in—and stay in—compliance.
Achieve Compliance with Arctic Wolf
Arctic Wolf believes that the solution lies not in more tools, but in effectively managed security operations. We are encouraged to see the industry moving toward best practices in cyber risk management and an overall hardening of cybersecurity. However, we also recognize that these changes may be out of reach for organizations due to budget limitations and security staff shortages.
Arctic Wolf provides 24×7 threat monitoring and continuous internal, external, and web application vulnerability management. Arctic Wolf security operations solutions are delivered using our Concierge Security delivery model. This approach tailors our platform and services to your business and your security needs. We pair you with a team of security experts who not only monitor the data but also learn about your organization and its unique requirements to optimize our solutions for maximum effectiveness in your environment. We do all this while also building and executing a custom security journey that meets your organization’s specific goals and objectives.
Our Concierge Security® Team takes a comprehensive approach to digital risk. We start with the basic task of taking inventory of your software, assets, and accounts. Then we scan for vulnerabilities and benchmark against configuration best practices. Once we have that full perspective, we proactively advise you on how to prioritize your remediation actions to ensure that you continually harden your security posture.
At Arctic Wolf, we see these proposed rules as a major step forward in cybersecurity risk management, and one that aligns closely with our goals and solutions. This is a great move, and we applaud both President Biden’s Executive Order and the proposed rules from the SEC. But orders and rules don’t protect your data. You can only mitigate cyber risk by taking action. We believe the easiest way to get started is to work with an expert in security operations.