On January 24, 2022, Chairperson Gary Gensler said the Securities and Exchange Commission (SEC) might extend regulatory responsibility for cyber-risk management by requiring third-party providers to have adequate safeguards in place to protect investors and ensure key services for them are not disrupted.
He added that regulators are intensifying their efforts to strengthen cybersecurity hygiene and incident reporting, enhance the disclosures made to clients and customers regarding data breaches, and expand existing cyber risk disclosure requirements for firms so that their cybersecurity practices are more transparent.
“Cybersecurity is an emerging risk with which public issuers increasingly must contend,” Gensler said. “A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.”
In order to meet these expectations, the team at Core Compliance & Legal Services, Inc. (“Core Compliance”) recommends performing a comprehensive risk assessment with a focus on cybersecurity risks.
When you conduct your next cybersecurity risk assessment, it’s important to focus on the same areas SEC examiners will. Make certain your written policies and procedures adequately address these areas of concern.
- Data loss prevention. Document the tools and processes your firm has in place to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users.
- Access rights and controls. Identify which users should have access to each of your organization’s systems based on their job responsibilities, and document the controls that restrict access to those authorized users.
- Internal and external communications. Document the policies and procedures for providing timely information to senior management, employees, clients, and regulators.
- Managing operational risk. Clearly state the policies and procedures in place to monitor employees in a work-from-home environment, whether necessitated by COVID or by other unexpected challenges.
- Incident response. Document your firm’s level of preparedness in the event of account intrusions, ransomware attacks, and similar security incidents.
- Vendor oversight. Written policies and procedures should address how prepared your third-party providers are to deal with their own cybersecurity challenges and how a failure at a vendor might affect your customers.
- Event disclosure. Document how your firm discloses breaches and other security incidents, including how it discloses an incident before its full scope is known.
- Employee engagement. Provide information on the timing and scope of training sessions that ensure management and employees understand their individual roles and responsibilities in cybersecurity.
- Business recovery. Address this growing area of SEC concern with policies and procedures that outline the steps in place to protect investors when business operations are interrupted, whatever the cause.
Core Compliance Can Help
Cybersecurity is a serious business, and a firm without effective policies and procedures in place exposes its employees and investors to potentially devastating consequences. Core Compliance can assist in conducting cybersecurity risk assessments that help your firm address regulatory changes and the concerns SEC examiners are certain to raise. The team at Core Compliance can help your firm navigate the fluid market and understand how evolving cybersecurity vulnerabilities affect your program. For assistance and/or guidance with a cybersecurity risk assessment, contact us here or at (619) 268-0020.