
Regulatory Cyber Assessments

Technology and connectivity are intertwined with every organization’s daily operations. The impact of a data breach or cyber intrusion has tangible ramifications for society. As a result, more governmental bodies are developing guidelines, rules, and consequences for custodians of critical data. Evolver offers multiple resources for organizations to protect their customers, their employees, and their bottom line in the face of cyber threats.

Securities & Exchange Commission

The SEC has recently proposed rules for investment advisors, fund managers and public companies, as detailed in announcements dated February 2022 and March 2022. The rules will have wide-reaching impacts across the financial arena and public companies, placing greater responsibilities on companies reporting on their cybersecurity risk. The rules indicate a new normal for public companies, private equity firms, and fund managers: more disclosure detail about their cybersecurity posture, and tighter time frames in which to acknowledge and address cybersecurity incidents.

Department of Labor

The U.S. Department of Labor issued guidance in 2021 aimed at plan sponsors, plan fiduciaries, record keepers and plan participants of employee benefit plans under the Employee Retirement Income Security Act of 1974 (ERISA). With the guidance, DOL is signaling to plan fiduciaries a new spectrum of responsibilities in managing cyber risk and protecting plan beneficiaries. It’s important that fiduciaries be familiar with the guidance and develop a proper incident response plan to meet compliance standards in the event of a cybersecurity breach.

Transportation Security Administration

The Department of Homeland Security issued new Security Directives in late 2021 relating to the Transportation Security Administration (TSA)’s oversight of higher-risk freight railroads, passenger rail, and rail transit. Owners and operators within TSA’s jurisdiction are directed to identify cybersecurity coordinators, report cyber incidents to CISA within 24 hours, develop and implement an incident response plan, and complete cybersecurity vulnerability assessments. TSA followed with additional guidance for aviation security programs that also require designation of cybersecurity coordinators and a requirement to report to CISA within 24 hours.

New Cyber Rules from the SEC

As regulatory bodies expand the definition of a “material” cybersecurity incident, modern companies now need to consider cyber operations as vital to their day-to-day as they would legal counsel or financial services. Cyber providers brought into the operations ecosystem also need a good handle on defining risk, analyzing it, and translating it in terms of material impact.

Evolver’s own cyber operations and risk management teams have been working since before the latest regulation wave to help customers properly define risk, implement the proper safeguards, and document how risk has been assessed and mitigated. This keeps customers compliant with regulations and prevents uncertainty for stakeholders, ensuring they can prevent worst-case scenarios and withstand global events like a worldwide infectious ransomware event or systemic data breaches.
Escalating Cyber Regulations

In the past two years, both the Department of Labor and the Transportation Security Administration have enacted new guidance and standards for entities operating within their jurisdictions. Labor has identified vulnerabilities affecting American workers’ retirement plans, including private pension plans and defined contribution plans. Meanwhile, TSA is focusing on maintaining the integrity of the country’s rail and airfare systems.

Compliance within new guidance keeps organizations from significant liabilities in the event of cyber breaches that impact peoples’ financial and physical safety. It’s important for organizations to be familiar with the specific requirements set by new regulations. Once these are reviewed, organizations need to perform the proper self assessments and set up thorough plans that will withstand scrutiny and protect from worst-case cyber scenarios.

Rules on cybersecurity disclosure and practices from the Securities and Exchange Commission

Public companies will need to use Form 8-K disclosures to:

  • Report material cybersecurity incidents within four business days of the incident being discovered, as well as disclose whether previously unreported incidents have added up to a material incident
  • Provide updates in public filings on previously reported incidents
  • Provide more detail on corporate board members’ experience with cybersecurity and their role in implementing cybersecurity policies
  • Report on the company’s procedures and policy for identifying cyber risk and managing it

Financial advisors and fund managers are required to:

  • Adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
  • Report significant cybersecurity incidents to the Commission on proposed Form ADV-C;
  • Enhance adviser and fund disclosures related to cybersecurity risks and incidents; and
  • Maintain, make, and retain certain cybersecurity-related books and records.

Whether you need help with a single element or a full cyber response plan, we can help.

Evolver offers a full package of services to support regulatory responses, including these pending SEC rules. You can contact our team to learn more about our solutions, including policy & documentation development, risk management, threat analysis, and disclosure support. You can also learn more about all of Evolver’s cybersecurity offerings on our services page.

Department of Labor Guidance

There are more than 140 million participants in either private pension plans or defined contribution plans covering assets estimated at over $9.3 trillion. The Employee Retirement Income Security Act of 1974 (ERISA) requires plan fiduciaries to engage in risk mitigation to protect these assets.

In April of 2021, the U.S. Department of Labor released guidance in the form of:


Below is an initial overview of DOL's Cybersecurity Program Best Practices. Contact Evolver for a full review of DOL requirements for retirement plan fiduciaries.


Evolver offers a full package of services to support regulatory responses, including fiduciary requirements from the DOL. You can contact our team to learn more about our solutions, including policy & documentation development, risk management, threat analysis, and disclosure support. You can also learn more about all of Evolver’s cybersecurity offerings on our services page.

Documented & Formal Cybersecurity Program

A sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity, or availability of stored nonpublic information. Under the program, the organization fully implements well-documented information security policies, procedures, guidelines, and standards to protect the IT infrastructure and the data stored on it.

Annual Risk Assessments

A Risk Assessment is an effort to identify, estimate, and prioritize information system risks. IT threats are constantly changing, so it is important to design a manageable, effective risk assessment schedule. Organizations should codify the risk assessment’s scope, methodology, and frequency.

Third Party Audits

Having an independent auditor assess an organization’s security controls provides a clear, unbiased report of existing risks, vulnerabilities, and weaknesses.

CISO Delegation

For a cybersecurity program to be effective, it must be managed at the senior executive level and executed by qualified personnel. As a senior executive, the Chief Information Security Officer (CISO) would generally establish and maintain the vision, strategy, and operation of the cybersecurity program, which qualified personnel carry out.

Access Control Procedures

Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to IT systems and data. It mainly consists of two components: authentication and authorization.

Cloud Data Review

Cloud computing presents many unique security issues and challenges. In the cloud, data is stored with a third-party provider and accessed over the internet. This means visibility and control over that data is limited. Organizations must understand the security posture of the cloud service provider in order to make sound decisions on using the service.

Security Awareness Training

Employees are often an organization’s weakest link for cybersecurity. A comprehensive security awareness program sets clear cybersecurity expectations for all employees and educates everyone to recognize attack vectors, help prevent cyber-related incidents, and respond to a potential threat. Since identity theft is a leading cause of fraudulent distributions, it should be a key topic of training, with a focus on the current techniques used to gain unauthorized access to systems.

Secure Development Life Cycle (SDLC)

A secure SDLC process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the system development effort.

Business Resiliency & Disaster Recovery

Business resilience is an organization’s ability to adapt quickly to disruptions while maintaining continuous business operations and safeguarding people, assets, and data. The core components of a program include the Business Continuity Plan, Disaster Recovery Plan, and Incident Response Plan.

New TSA Security Directives

TSA is increasing the cybersecurity of the transportation sector through Security Directives, appropriately tailored regulations, and voluntary engagement with key stakeholders. In developing its approach, including these new Security Directives, TSA sought input from industry stakeholders and federal partners, including the Department’s Cybersecurity and Infrastructure Security Agency (CISA), which provided expert guidance on cybersecurity threats to the transportation network and countermeasures to defend against them.

The TSA Security Directives announced in 2021 target higher-risk freight railroads, passenger rail, and rail transit, based on a determination that these requirements need to be issued immediately to protect transportation security. These Directives require owners and operators to:

  1. designate a cybersecurity coordinator;
  2. report cybersecurity incidents to CISA within 24 hours;
  3. develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption; and,
  4. complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

Further, TSA recently updated its aviation security programs to require that airport and airline operators implement the first two provisions above. TSA intends to expand the requirements for the aviation sector and issue guidance to smaller operators. TSA also expects to initiate a rule-making process for certain surface transportation entities to increase their cybersecurity resiliency.


Evolver offers a full package of services to support regulatory responses, including ongoing expansion of DHS directives. You can contact our team to learn more about our solutions, including policy & documentation development, risk management, threat analysis, and disclosure support. You can also learn more about all of Evolver’s cybersecurity offerings on our services page.
