SEC’s Proposed Rules: A New Normal for Cybersecurity Compliance

The SEC has recently proposed rules for investment advisors, fund managers and public companies, as detailed in announcements dated February 2022 and March 2022. The rules will have wide-reaching impacts across the financial arena and public companies, placing greater responsibilities on companies reporting on their cybersecurity risk.

The rules indicate a new normal for public companies, private equity firms, and fund managers. They will require more disclosure detail about their cybersecurity posture. They also mean tighter time frames in which to acknowledge and address cybersecurity incidents, a requirement for a comprehensive plan to address cyber risk and communicate material risk, and more involvement from corporate leaders in ensuring preparedness.


Public companies will need to use Form 8-K disclosures to:

  • Report material cybersecurity incidents within four business days of the incident being discovered, as well as disclose whether previously unreported incidents have added up to a material incident
  • Provide updates in public filings on previously reported incidents
  • Provide more detail on corporate board members’ experience with cybersecurity and their role in implementing cybersecurity policies
  • Report on the company’s procedures and policy for identifying cyber risk and managing it

Financial advisors and fund managers are required to:

  • Adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
  • Report significant cybersecurity incidents to the Commission on proposed Form ADV-C;
  • Enhance adviser and fund disclosures related to cybersecurity risks and incidents; and
  • Maintain, make, and retain certain cybersecurity-related books and records.


The SEC is engaging now, following years of increasing cyber-attacks on companies of all categories. A recent 2022 Check Point Security Report stated that overall cyber-attacks have increased globally. Corporate networks were particularly hard hit, suffering a 50 percent uptick from the previous year. The events of COVID-19, growing economic instability, and an increased focus on cyber warfare in Europe have put the business community on notice for increased security risk.


Evolver provides cybersecurity clients with modern protection every day, supporting hundreds of end users across the Federal government, local municipalities, and private businesses. Learn more about our cyber operations, risk management solutions, and auditing services.


As regulatory bodies expand the definition of a “material” cybersecurity incident, modern companies now need to consider cyber operations as vital to their day-to-day as they would legal counsel or financial services. Cyber providers brought into the operations ecosystem also need a good handle on defining risk, analyzing it, and translating it in terms of material impact.

Evolver’s own cyber operations and risk management teams have been working since before the latest regulation wave to help customers properly define risk, implement the proper safeguards, and document how risk has been assessed and mitigated. This keeps customers compliant with regulations and prevents uncertainty for stakeholders, ensuring they can prevent worst-case scenarios and withstand global events like a worldwide infectious ransomware event or systemic data breaches.