Cyber Incident Response: Complying With New SEC Rules
The SEC has proposed new rules that formalize cybersecurity best practices as SEC policy. The agency is charging investment advisers and funds with clear requirements to mitigate against cyberattacks and report cyber incidents as they occur. While the rules haven’t yet been implemented, the final rules aren’t likely to differ substantially from the published proposal. So, the time for firms to begin preparing is now.
Key aspects of the rules cover implementation of cybersecurity incident response plans and recovery procedures. Let’s take an in-depth look.
Central to the SEC rulemaking is the cybersecurity framework established by the National Institute of Standards and Technology (NIST). The framework includes five core functions: identify, protect, detect, respond and recover.
The SEC won’t require firms to definitively adopt the framework. But it does use NIST language in its rulemaking, so it’s wise for firms to become familiar with the NIST guidelines and consult them as they develop their cyber policies.
Cybersecurity Trifecta: Identify, Act, Remediate
The SEC focuses on three of the five NIST functions. Specifically, the agency will “require advisers and funds to have measures to detect, respond to and recover from a cybersecurity incident.” In particular, the SEC is calling for these measures:
Detect – You can no longer rely on piecemeal solutions for threat detection. Rather, you need a comprehensive platform to detect and respond to incidents in near real time. An effective solution for security information and event management (SIEM) will leverage artificial intelligence (AI) to filter out the noise and home in on anomalous signals that require attention.
Respond – Your response plan will differ depending on your unique risks and business requirements. But you need a playbook for responding to common cyber events, from stolen laptops to ransomware attacks. A playbook will help you avoid the shortcomings of ad hoc response and escalation, specifying clear roles, responsibilities and procedures. Conduct tabletop exercises, with clear response metrics, to fine-tune your playbook so that you’re prepared when the inevitable cyber incident occurs.
Recover – Rapid and complete recovery is essential for sustaining business continuity and maintaining regulator and client confidence. This is an area where it pays to consult a proven cybersecurity partner. An experienced cyber expert has fine-tuned recovery processes through real-world experiences with many firms. Consider carefully whether you want to go it alone and be forced to learn from mistakes that could negatively impact your business – or benefit from the knowledge and best practices of a trusted adviser.
Note that if you outsource any IT platforms or data services to a vendor, you must be able to continue operations even if the vendor’s systems are interrupted by a cyber event. Start by documenting the service providers that have access to your data. Then make sure you have procedures for handling data on an alternative system or briefly sustaining processes manually.
With its new rules, the SEC is enforcing what many organizations already know are today’s cybersecurity requirements. It will become imperative for you to identify, protect against, and mitigate cyber risk in a more focused and formal way. But taking action to comply with the new SEC rules will strengthen your cyber programs and reinforce both client and regulator confidence. The time to begin is now.