Regulatory Cyber Assessments

Empowering Organizations to Navigate a Complex Web of Compliance Requirements

Technology and connectivity are intertwined with every organization’s daily operations. The impact of a data breach or cyber intrusion has tangible ramifications for society. As a result, more governmental bodies are developing guidelines, rules, and consequences for custodians of critical data. Evolver offers multiple resources for organizations to protect their customers, their employees, and their bottom line in the face of cyber threats.

The Securities and Exchange Commission

The SEC has recently proposed rules for investment advisers, fund managers, and public companies, as detailed in announcements dated February 2022 and March 2022. The rules will have wide-reaching impacts across the financial arena and public companies, placing greater responsibility on companies to report on their cybersecurity risk. The rules indicate a new normal for public companies, private equity firms, and fund managers: they will need to disclose more detail about their cybersecurity posture, and they will face tighter time frames in which to acknowledge and address cybersecurity incidents.

Department of Labor

The U.S. Department of Labor issued guidance in 2021 aimed at plan sponsors, plan fiduciaries, record keepers and plan participants of employee benefit plans under the Employee Retirement Income Security Act of 1974 (ERISA). With the guidance, DOL is signaling to plan fiduciaries a new spectrum of responsibilities in managing cyber risk and protecting plan beneficiaries. It’s important that fiduciaries be familiar with the guidance and develop a proper incident response plan to meet compliance standards in the event of a cybersecurity breach.

Department of Transportation

The Department of Homeland Security issued new Security Directives in late 2021 relating to the Transportation Security Administration’s (TSA) oversight of higher-risk freight railroads, passenger rail, and rail transit. Owners and operators within TSA’s jurisdiction are directed to identify cybersecurity coordinators, report cyber incidents to CISA within 24 hours, develop and implement an incident response plan, and complete cybersecurity vulnerability assessments. TSA followed with additional guidance for aviation security programs that likewise requires designating cybersecurity coordinators and reporting incidents to CISA within 24 hours.

New Cyber Rules from the SEC

As regulatory bodies expand the definition of a “material” cybersecurity incident, modern companies now need to treat cyber operations as vital to their day-to-day business, just as they would legal counsel or financial services. Cyber providers brought into the operations ecosystem also need a good handle on defining risk and translating it into terms of material impact.

Evolver’s own cyber operations and risk management teams have been working since before the latest regulation wave to help customers properly define risk, implement the proper safeguards, and document how risk has been assessed and mitigated. This keeps customers compliant with regulations and prevents uncertainty for stakeholders, ensuring they can prevent worst-case scenarios and withstand global events like a worldwide infectious ransomware event or systemic data breaches.

Escalating Cyber Regulations

In the past two years, both the Department of Labor and the Transportation Security Administration have enacted new guidance and standards for entities operating within their jurisdictions. Labor has identified vulnerabilities affecting American workers’ retirement plans, including private pension plans and defined contribution plans. Meanwhile, TSA is focusing on maintaining the integrity of the country’s rail and air travel systems.

Compliance with new guidance shields organizations from significant liabilities in the event of cyber breaches that affect people’s financial and physical safety. It’s important for organizations to be familiar with the specific requirements set by new regulations. Once these are reviewed, organizations need to perform the proper self-assessments and set up thorough plans that will withstand scrutiny and protect against worst-case cyber scenarios.
