In February 2022, the SEC published its proposed new rules for cyber risk management in the financial services sector, and final rules are expected soon.
The public comment period closed early in the summer, but a common theme by interested parties and industry commentators has centered around the rule’s requirement that investment advisers and funds disclose material cybersecurity incidents within 48-hours.
It’s a tight window. In many cases, 48-hours does not give firms enough time to detect and neutralize an event, let alone report effectively. According to a recent study, the average time to identify and contain a breach is 287 days.
Then there’s the question of risk. Many firms could find themselves having to disclose the details of exploited vulnerabilities in their IT infrastructures prior to those vulnerabilities being fixed. Furthermore, those teams with fewer cybersecurity experts on staff may also need more time to comply with the rule.
Funds and advisers will have to wait to see if the 48-hour incident reporting requirement is incorporated into the final rules. But if your firm is subject to the rules, you should prepare now.
Let’s look at three recommended actions your firm can take to get ready for the new SEC cyber incident disclosure rules.
ACTION 1: MONITOR FOR THREATS AND VULNERABILITIES
For the first time, one of the key requirements of the SEC ruling is that firms should continuously monitor their IT environments for threats and vulnerabilities.
Although continuous monitoring is the foundation of incident discovery and response, many firms lack an integrated platform for real-time monitoring, alerting, and remediation of cyberattacks. Instead, they rely on piecemeal solutions that monitor disparate systems and infrastructures, limiting insight and drowning IT teams in a sea of alerts.
It’s better to implement a next-generation security information and event management (SIEM). Using artificial intelligence, machine learning, and statistical analysis, a SIEM can filter out the noise and detect potential security risks or incidents that require attention – and may require reporting to the SEC.
ACTION 2: CREATE A RESPONSE PLAYBOOK
To mitigate risk and streamline the incident reporting process, develop a playbook that defines how you respond to common cyber events. In addition to helping you avoid an ad hoc response, a playbook can promote information sharing and rapid decision making.
Your playbook should specify clear roles, responsibilities, and procedures. Be sure to test your response strategies using tabletop exercises and capture response metrics, such as mean-time-to-detect, mean-time-to-repair, and mean-time-to-report. Then, use these insights to fine-tune your playbook and continuously enhance the accuracy and timeliness of your reporting process and capabilities.
ACTION 3: REPORTING
SEC rules require that firms report “significant” cyber incidents within 48-hours of discovery.
Significant, reportable cyber incidents can be grouped in two broad categories. One involves the interruption of critical operations. The other involves the exposure of confidential information such as customer data, employee data or business intelligence.
As mentioned above, reporting should be part of your broader incident response plan. In addition to documenting who will lead the response and which team members will perform which response actions, you need a process for reporting to not only the SEC but also your local FBI office as well as your board of directors.
Keeping good records is crucial, but you should also establish a cyber governance and reporting framework so that incident information can be communicated quickly to the board, the SEC, and law enforcement agencies.
Even though any disclosure to the SEC will take place under a confidential process, keep in mind that the rules require that cyber risks and incidents that occurred in the preceding two fiscal years must be publicly disclosed in brochures and registration statements to clients and the SEC.
TREAT EACH ACTION AS A BEST PRACTICE
With the actions described here, your organization will be able to detect, remediate, and report cyber threats in compliance with the new SEC rules within the 48-hour window. Even if the final rules differ slightly, each action is based on industry best practices and can have a measurable impact on your firm’s cybersecurity and data protection program, compliance, and continuity of operations.
