How the SEC Cybersecurity Risk Management Ruling May Affect You

The US Securities and Exchange Commission (SEC) proposed a new ruling (available here) to standardize and improve public companies’ cybersecurity measures.

What is the SEC’s proposed cybersecurity ruling?

In April 2023, a new rule is expected to go into place by the SEC for publicly traded companies. The proposed rule change is designed to strengthen the cybersecurity measures of companies regulated by the SEC. As part of its oversight of the financial markets, the SEC has issued these regulations for firms under its jurisdiction.

The three main components of the rule change include:

Cybersecurity Response/Reporting: Any cybersecurity incident determined to be “material” must be reported within four business days.

The SEC requires companies to disclose material cybersecurity risks and incidents to investors. Companies must disclose the risks and incidents in their public filings, such as annual reports and registration statements, as well as in their earnings releases and other public statements.

Cyber Risk Strategy and Management: You must clearly communicate and proactively manage your risk by defining your company’s policies and procedures and risk management strategies that ensure protection from cybersecurity threats. The company must demonstrate that cybersecurity is part of its financial planning and business strategy.

The SEC requires registered investment advisers, broker-dealers, and other entities to establish and maintain written policies and procedures designed to protect against cybersecurity threats. These policies and procedures must include measures to safeguard information and systems from unauthorized access, respond to cybersecurity incidents, and manage the risks associated with third-party service providers.

Cyber Governance: Increase the board’s governance of cybersecurity risk. Ensure management is adequately assessing and managing cybersecurity risk. Must disclose any member of the committee who has expertise in cybersecurity.

In addition, the SEC will also conduct periodic examinations of registered entities to assess their compliance with cybersecurity regulations and guidelines. These examinations include assessments of firms’ cybersecurity policies and procedures, risk management practices, and incident response plans.

CRI Advantage offers an answer to these new compliance rules

The proposed SEC cybersecurity rule change is intended to increase the resilience of regulated companies against cyber threats, and to improve transparency and accountability in the event of a cybersecurity incident.

Book a consultation with us. We can show you how our solutions will meet the SEC’s new requirements.