What the SEC's New Cybersecurity Requirements Mean For You
by Derive Technologies, 10 July 2023

Any business worth its salt has read the cyber landscape of the last few years and shored up its digital defenses against attack. Cybersecurity protection, however, may soon move from best practice to regulatory requirement: the U.S. Securities and Exchange Commission (SEC) has proposed a comprehensive set of cybersecurity rules that could have far-reaching implications for businesses across the financial sector.

The proposals cover three key areas that we’ll go through in greater detail below: the Cybersecurity Risk Management Rule, amendments to Regulation Systems Compliance and Integrity (Regulation SCI), and amendments to Regulation S-P. This blog describes each area, the potential impact on financial institutions, and the enforcement risks businesses should be aware of as they adapt to these new requirements.

The frequency and severity of cyberattacks increase by the day. Although the SEC’s proposed requirements may seem daunting, they are ultimately in the best interest of every institution. After all, the cost of implementing and maintaining these changes will be dwarfed by the financial loss, not to mention the reputational damage, that results from a successful attack.

Read on to stay up to speed and prepare thoughtfully for these regulatory changes, so that the security and stability of your everyday operations are not left to chance.

The Cybersecurity Risk Management Rule

The Cybersecurity Risk Management Rule is the meat and potatoes of the SEC’s proposed requirements. Its ultimate goal is to establish a comprehensive cybersecurity framework for “Market Entities”, a group that includes national securities exchanges and associations, registered and exempt clearing agencies, transfer agents, security-based swap dealers and data repositories, and broker-dealers. The most detailed obligations fall on “Covered Entities”, meaning every Market Entity other than certain smaller broker-dealers that fall below specified asset or activity thresholds.

The Rule would require these entities to establish, maintain, and enforce written policies and procedures that proactively address their cybersecurity risks. At least annually, Covered Entities would have to review and assess those policies and procedures, update them for any changes in cybersecurity risk, and prepare a written report documenting the review and the state of their cybersecurity program.

Those policies and procedures would need to cover a long list of elements, including:

  • Periodic risk assessments
  • Controls to minimize user-related risks and prevent unauthorized access
  • Monitoring of information systems, including detailed oversight of any service providers
  • Measures to detect, mitigate, and remediate threats and vulnerabilities

One of the biggest points to note is that businesses would need to create detailed action plans explaining how they are equipped to detect, respond to, and recover from cybersecurity incidents, with documentation for each step.

The goal is to bolster proactive cybersecurity efforts so that attacks are avoided altogether. If an entity does fall victim, however, the Rule also spells out reactive measures. Covered Entities would have to give the SEC immediate written electronic notice once they have a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring, and then, within 48 hours, file a more detailed confidential report (Part I of proposed Form SCIR) describing the incident, the firm’s response, and its recovery efforts.

As for public disclosures, the Rule would require Covered Entities to publish a specific form (Part II of proposed Form SCIR) summarizing their cybersecurity risks and any significant cybersecurity incidents that occurred during the current or previous calendar year, and to file that disclosure with the Commission. Lastly, record-keeping has been defined in more depth: businesses would have to preserve all records related to their cybersecurity compliance.

Regulation SCI and Regulation S-P Amendments

In addition to all of the new requirements detailed in the Cybersecurity Risk Management Rule, the SEC has also proposed amendments to two existing regulations in an effort to expand their scope: Regulation Systems Compliance and Integrity (aka Reg SCI) and Regulation S-P.

Regulation SCI currently focuses on self-regulatory organizations, large alternative trading systems, plan processors, and certain clearing agencies. The proposed amendments intend to extend the rule to include registered broker-dealers that exceed specific asset or activity thresholds, registered security-based swap data repositories, and exempt clearing agencies.

In line with the Risk Management Rule outlined above, the Reg SCI amendments would introduce new requirements that further bolster cybersecurity defenses: oversight of third-party providers, expanded business continuity and disaster recovery plans, detailed measures for preventing unauthorized access, more frequent penetration testing, and additional reporting to the Commission.

Regulation S-P’s Safeguards Rule, by contrast, already requires brokers, dealers, investment companies, and investment advisers to adopt written policies and procedures to safeguard customer records and information. The proposed amendments would build on it with new requirements, notably an incident response program designed to detect, respond to, and recover from unauthorized access to or use of customer information.

In the event of a data breach involving sensitive customer information, affected entities would be required to notify their affected customers; the proposal calls for notice as soon as practicable and no later than 30 days after the firm becomes aware of the breach. The scope of information covered by the Safeguards Rule would also be expanded to all customer information, and the rule would be extended to transfer agents registered with the SEC or another appropriate regulatory agency. Finally, covered institutions would need to maintain written records documenting their compliance with the safeguards and disposal rules.

Taken together with the new Cybersecurity Risk Management Rule, these amendments to existing regulations mark a substantial broadening of the SEC’s attention to cybersecurity and system integrity.

Impact of the SEC’s Proposed Rules

If these proposals go into effect, they would represent a significant expansion of the SEC’s oversight of the cybersecurity and system integrity of regulated entities.

Existing regulations tend to focus on specific risks, such as protecting customer information under Regulation S-P or preventing identity theft under Regulation S-ID, and they target specific, generally larger, market participants, like the entities covered by Regulation SCI. The new rules, which introduce SEC-mandated incident response requirements, aim to dictate more comprehensive cybersecurity programs across a wider range of market participants.

The short version is that a far greater level of detail is required than ever before. The proposals introduce numerous new terms and concepts that organizations will need to learn and adopt, and they impose standardized notices and disclosures via new forms that must be filed with the Commission.

The first thought most C-suite executives will have when reviewing the more than 1,200 pages of proposed rule text and explanation is that all of this will, to put it bluntly, cost more money. The SEC’s own economic analysis, however, puts the figures lower than many would expect: on average, $14,531.54 per Covered Entity in internal costs and $3,472 per Covered Entity in external costs. Compared to the financial and reputational cost of a cyberattack, that’s a great deal!

Overall, covered entities should expect far greater scrutiny of their cybersecurity health and practices, and should expect the SEC to bring enforcement cases over policy and procedure failures more frequently. While the proposals would require more upfront work and cost to bolster cyber defenses, those efforts will ultimately help prevent far costlier cyberattacks, and costly SEC enforcement actions for firms that fall short.

Conclusion

In short, these proposed cybersecurity rules represent a significant expansion of the SEC’s regulatory oversight and have the potential to affect a broad range of market participants. As the rules introduce more stringent requirements and standards for managing cybersecurity risk, businesses must stay informed and be prepared to act in order to remain in compliance with the SEC.

By partnering with an experienced cybersecurity provider like Derive, businesses can ensure they are well-equipped to navigate the complex landscape of evolving regulations by implementing robust, tailored security measures that meet the unique needs of their organization.

Don't leave your cybersecurity to chance. Reach out to Derive today to learn more about how our team of experts can help improve your cybersecurity practices and better protect your business from ever-evolving cyber threats.

SOURCES

https://www.sec.gov/news/press-release/2023-52

https://www.davispolk.com/insights/client-update/sec-proposes-sweeping-new-package-cybersecurity-requirements-regulated
