
Managing Cyber Threats and Protecting Data: Complying With New SEC Rules
By ECI
Thursday, June 30th, 2022
The SEC has a three-part mission: protect investors; maintain fair, orderly and efficient markets; and facilitate capital formation. Cybersecurity affects each of these three aspects.
In light of that fact, the agency has proposed new rules around cyber risk management for investment advisers and funds. In this blog, we take a close look at proposed rules for managing cyber vulnerabilities and threats, and for implementing policies and tools to protect data.
Cybersecurity Vulnerabilities and Threats
The SEC is setting the expectation that firms should deploy technology to continuously monitor their IT environments for threats and vulnerabilities. It’s the first time the SEC has done this, and it’s a significant development.
Many firms lack an integrated platform for monitoring, alerting about, responding to, and remediating cyberattacks. They might use piecemeal solutions that address some of these needs in some contexts. But few address threats and vulnerabilities in the comprehensive fashion the SEC is calling for.
In addition to implementing robust technology tools, you need established processes for taking action based on the insights those solutions provide. And you need to test those processes to ensure they’ll function as desired when remediation is necessary.
Conduct vulnerability scans and penetration tests on a regular basis to identify cyber risks. Also regularly update applications with security patches to protect against zero-day threats. Note that vulnerability management covers not just security patches but also hardware and software configuration. For instance, make sure security services in your cloud environments are turned on.
Data Protection Policies and Technologies
The SEC also lays out specific parameters for monitoring and protecting data from unauthorized access. The goal is to maintain data confidentiality, integrity and availability.
Achieving this objective will require a careful inventory of your data and a clear understanding of where it resides. Do you maintain data in a datacenter? Across multiple cloud environments? In Dropbox or on Google Drive? In email? On vendor systems? Understanding your data landscape will enable you to protect it effectively – and allow you to communicate to regulators and clients whether data has remained protected.
The new SEC rules also prescribe technologies and methodologies for protecting data. These include:
Threat detection and prevention – Deploy automated tools and services – including security information and event management (SIEM) based on machine learning (ML) and statistical analysis – to detect and prevent threats.
Vulnerability management – Leverage vulnerability assessment and remediation to uncover malware, backdoors, hosts communicating with botnet-infected systems, and web services linking to malicious content.
Access controls – Employ tools and best-practice methodologies to manage data access.
Data encryption – Encrypt data both on hard drives and traversing networks.
User training – Make sure employees are well-versed in managing passwords, recognizing and responding to phishing attacks, and other basics of cyber hygiene. Training services can help.
Finally, the SEC wants firms to document vendors and partners who have access to data. You should contractually require vendors to meet minimum cybersecurity standards and to promptly report cyber incidents. If a vendor system is penetrated, you have an obligation to report to clients which of your data has been affected.
The methodologies described here for managing cyber threats and protecting data will help your organization comply with the new rules the SEC has proposed. But even if the SEC’s final rules differ slightly, your firm should still implement these best practices to protect it against data breach and business disruption.
Want to learn more? Download our in-depth white paper, “New SEC Rules for Cybersecurity Risk Management: How Investment Advisers and Funds Should Respond Today.”