When a new rule or regulation comes into effect, organizations usually have one question: Does it apply to me?
For U.S. businesses in the health care industry and defense industry, the answer is rather simple. If the new rule covers health care providers or the defense department industrial base the answer is yes.
For EU businesses, the answer is also yes, since they are subject to the GDPR (General Data Protection Regulation).
However, for the new cybersecurity proposal published by the SEC (Securities and Exchange Commission), the answer may be far more difficult.
Who is covered?
There are two types of companies listed in the newest SEC proposed regulations.
The first includes broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.
These companies will be required to institute certain cybersecurity programs.
The second type includes public companies, and they are not required to institute certain types of cybersecurity programs, although they must disclose their SEC filings like the S-3, 8-K, 10-K, 10-Q forms.
This jigsaw puzzle regulatory regime is partially due to the industry itself. Despite massive cyber attacks and losses to criminal hackers, the SEC has fought these changes tooth and nail.
Some of these regulations were proposed years ago but have not been finalized. Times have changed. What has changed is what the customers or investors want.
Several studies have found that the majority of consumers listed data security and privacy as fundamental to their choice of providers. According to a Cisco report, that figure is as high as 95%.
Despite this, many companies insist that it’s not a top priority, so the new SEC proposal is not overzealous regulation but an essential step to push organizations into line with public sentiment.
What are the proposed rules?
The proposal issued by the SEC does not overhaul cybersecurity requirements. In fact, the requirements are quite basic and contain only six specific actions.
- Periodic assessments of cybersecurity risks associated with the entity’s information systems.
- A description of policy and procedures which are part of the firm’s cybersecurity strategy. This might include a list of controls designed to minimize user-related risks and prevent unauthorized access.
- Disclosures of the board’s oversight of cybersecurity risk, management’s role in assessing and managing such risk, management’s cybersecurity expertise.
- The implementation of measures designed to monitor the covered entity’s information systems.
- The implementation of measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities.
- The implementation of measures to detect, respond to, and recover from and report a cybersecurity incident to the appropriate authorities or individuals.
The question one should ask after looking at this list is not whether these elements are required, but why an organization wouldn’t implement them for their own benefit?
Business models change over time, but management often doesn’t. For example, compare Apple and Meta. Apple has always emphasized privacy and security. Its stock has increased fourfold since 2016.
Meta hasn’t. It has been hit by one regulatory inquiry after another, and its stock has barely moved in the same period.
The companies that grow are the ones whose models change with the times. Companies shackled to old models fail.
Volvo’s marketing campaign was based on safety. Lee Iacocca, the famous CEO of Chrysler derided it. Volvo sold cars. Chrysler did not. Iacocca had to produce a special advertisement to eat his words.
How you can prepare
In the past year, the financial industry regulators have produced a plethora of regulations or suggestions. These include regulations from the SEC, FTC (GLBA), and the NYDFS.
They all include basically the same things: a cybersecurity strategy with written policies and procedures, incident response plan and disclosures, and management or board commitment.
At IT Governance, we feel strongly that the best way to create these systems is to use a cybersecurity framework, the best of which is ISO 27001, the international standard for information security.
You can find out more about the benefits of ISO 27001 by downloading our free green paper: Cybersecurity and ISO 27001 – Reducing your cyber risk.
This guide explains the information security threats that your organizations face and demonstrates how the Standard can be used to bolster your defenses.