One of the most significant cybersecurity events in recent history is about to take place in the financial services industry, and it will arrive in the form of new regulation.
Proposed rules from the U.S. Securities and Exchange Commission (SEC) would have a major impact on companies that provide financial services and, if adopted, could reshape cybersecurity culture at the top of those organizations.
The SEC's New Proposal
The SEC's proposal would mandate cybersecurity transparency and accountability at the highest levels of business leadership, including the board of directors, for all publicly traded companies. Companies would be required to report material cybersecurity incidents on Form 8-K.
They would also have to disclose their policies and practices for managing cybersecurity risk, and how management participates in implementing them.
The process the board of directors uses to oversee cybersecurity risk, and the cybersecurity expertise of individual board members, would also have to be disclosed.
This proposal goes a long way toward making cybersecurity risk and strategy a board-level conversation. It is also likely to increase corporate spending on cybersecurity and to drive demand for cybersecurity knowledge at the board level. Finally, it highlights the importance of bringing the CISO into these board-level conversations and decisions.
Digging Into the Details
On March 23, 2022, the SEC proposed rules to enhance and standardize cybersecurity disclosures by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The proposal covers cybersecurity risk management, strategy, governance, and incident reporting: material cybersecurity incidents must be reported, cybersecurity policies and procedures must be disclosed on a regular basis, and the board must oversee cybersecurity risk.
Once these SEC requirements take effect, a public company that determines it has experienced a material cybersecurity incident will have to disclose it within four business days of that determination. Form 8-K, the report companies file with the SEC to announce material events that shareholders need to know about, would be amended to add a specific item for this purpose. The proposal would also require disclosure when a series of previously undisclosed cybersecurity incidents, each immaterial on its own, has become material in the aggregate.
Your Policy Exposed
The proposal's risk management, strategy, and governance disclosure requirements go even further than its incident reporting section. Under this part of the proposal, a public company's cybersecurity risk management policies and practices would be spelled out for investors. Companies would also have to disclose how the board oversees cybersecurity risk.
In addition, companies would have to disclose management's role in assessing cybersecurity risk and in implementing the company's policies and procedures. The effect is similar to posting your organization's cybersecurity "report card" online for public review and comment.
Under the new rules, businesses would be required to disclose the policies and processes they use to identify and manage risk from cybersecurity threats. A company that has no such policies or processes would have to say so, and inaccurate or incomplete disclosure can expose it to SEC enforcement, including fines and penalties. Companies would also have to state whether cybersecurity is factored into their business strategy, financial planning, and capital allocation.
Last but not least, the proposed rules would require companies to disclose in their annual reports and proxy statements whether any board member has cybersecurity expertise. Boards need both internal and external cybersecurity subject matter experts (SMEs): external SMEs bring specialist expertise, while internal SMEs bring organizational knowledge.
Cybersecurity: A Leadership Imperative
Most gaps in an organization's cybersecurity armor are created by people. The only way to deal with this reality is to make staff an integral part of the solution rather than part of the problem. Because the board of directors sits at the top of the organizational structure, that is where attention to the new rules should start. Employees, in turn, need ongoing training and up-to-date technology.
Cybersecurity is now one of the most important fiduciary responsibilities of directors and officers. Boards must ensure that cybersecurity guidelines and practices are actually followed, and leaders must establish and foster a culture of risk awareness across the company, which leads to better decision making.
Compliance on the horizon
Whether we realize it or not, the financial services sector is essential to all of us, and it must be strengthened and protected.
New regulations are emerging in light of this fact, and compliance will not be voluntary. Businesses must align their policies and procedures with the requirements of the SEC and of other regulators around the world to make the digital world safer for investors and consumers alike.
About the author:
Michael Brown is the Field CISO for Financial Services at Fortinet, a cybersecurity company.
He specializes in cybersecurity regulation, ESG impact, SD-WAN, SD-Branch, Zero Trust, low-latency electronic transaction security, SASE, and multi-cloud solutions.