SEC Proposes New Cybersecurity Requirements, But Are They Actually New?

Earlier this year, the SEC (Securities and Exchange Commission) issued a proposal that would impose new cybersecurity requirements on a range of organizations.

Under the plans, broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, and other entities would be required to issue an annual report containing:

  1. A cybersecurity risk assessment
  2. A list of controls designed to minimize risks and prevent unauthorized access
  3. Measures designed to monitor and protect the information systems from unauthorized access or use
  4. An incident response process and plan

The plans, announced in March 2023, might seem like a major step forward in cybersecurity legislation. However, such concepts have been part of good cybersecurity hygiene and the SEC reporting system for many years.

In this blog, we look at each of the four requirements and explain how they fit into an effective cybersecurity program.

Risk assessments

The NIST Guide for Conducting Risk Assessments (SP 800-30) was first published in September 2012. Meanwhile, the ISO 31000 risk management guidelines date back to 2009.

Both are based on the same process and focus on cybersecurity hygiene, requiring organizations to identify their most valuable assets and determine the best way to protect them.

Not all information is valuable. Organizations need to allocate their cybersecurity budgets to protect the most valuable information with the most appropriate protections and controls. To do this, they need to pinpoint where their own risks are through a risk assessment.

The concept of risk-based controls is now the international standard. Some earlier laws, such as HIPAA (Health Insurance Portability and Accountability Act), instead take the form of lists of controls that must be adopted.

List of controls

Organizations must choose controls that will minimize risk and prevent unauthorized access.

NIST SP 800-53 Revision 5 offers hundreds of controls to choose from. Elsewhere, NIST SP 800-171 and ISO 27002:2022 offer lists of some of the most widely used controls.

The SEC’s proposed regulation does not contain a set of controls, leaving it to individual organizations to identify and adopt appropriate measures.

Monitoring your controls

The third requirement is rather obvious – to monitor the controls you have adopted.

Organizations need measures to detect, mitigate, and remediate any cybersecurity threats to and vulnerabilities in their information systems.

There are many ways to do this, and some excellent applications to help. Often the problem is that there is too much information and businesses miss the signal for the noise.

IT systems are remarkably resilient, which often leads organizations to conclude that since it isn’t broken, they don’t need to fix it. This is certainly not the mantra of criminal hackers. They are constantly probing our systems for vulnerabilities, and we should too.

Incident response

Incident response has been a standard part of cybersecurity since at least 2011, when the SEC issued guidance for listed organizations that had experienced a material cybersecurity incident.

In 2018, the SEC issued further guidance on disclosure of cybersecurity incidents, and by 2020, almost every U.S. state had passed laws that required a cybersecurity incident report.

This guidance was strengthened in 2022, when CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) was signed into law.

It therefore shouldn’t come as a surprise that the SEC would require management policies and procedures that include measures designed to detect, respond to, and recover from a cybersecurity incident.

One of the main aims of an incident response process, like most other cybersecurity requirements, is to help organizations save money. The longer a security incident drags on, the more disruption it will cause and the greater the damage will be.

A good incident response plan helps minimize damage, improve recovery time, restore business operations, and avoid high costs.

Legislating against disaster

Whether or not the SEC’s proposal contains any meaningful new guidance on cybersecurity, it’s clear that governments must do something to address cyber crime.

The costs associated with security breaches are staggering. According to a Statista report, organizations around the world lost $8.44 trillion last year, as they dealt with compromised data, lost productivity, mitigation, and reputational damage.

Those costs are only expected to increase as business becomes increasingly digitized. The same report estimates that the global cost of cyber crime could rise to almost $24 trillion by 2027.

U.S. organizations in particular, which incur the biggest costs related to cyber crime, must consider the risks that they face. If they suffer a data breach, an SEC fine is one of the least damaging consequences.

Fines are designed to encourage organizations to institute adequate cybersecurity measures and protect people’s personal information. Should they fail to do that, they will experience far harsher punishments in the form of a potentially crippling cyber attack.