The U.S. Securities and Exchange Commission (SEC) recently issued final cyber risk management and incident disclosure rules for public companies. It is expected that cybersecurity risk management rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act will follow similar disclosure requirements. So, the question is, are you ready to go through your first SEC examination under the new regulations? If you’re unsure, here are 7 things your firm can do now to ensure you’ll be ready when the SEC’s cybersecurity rules hit. 

1. Annual Risk Assessment and Ongoing Monitoring 

If you need to start from the beginning, then you need to first conduct a comprehensive security risk assessment to discover your firm’s current state and identify any cybersecurity gaps. Since effective cybersecurity starts with understanding your vulnerabilities, this process will help you identify potential threats and inconsistencies specific to your organization, allowing you to take proactive measures to mitigate risks. Remember, cybersecurity is not a one-time endeavor or a check-the-box exercise; it requires continuous monitoring and adjustment as your business landscape and cyber threats evolve.  

2. Policies and Procedures: Your Defense Blueprint 

Written policies and procedures are the backbone of your strong cybersecurity governance plan. These foundational documents serve as your defense against cyber threats. Ensure you have well-defined and up-to-date policies that address your cybersecurity risks and are designed to protect your firm’s sensitive data and information systems from likely threats.  


3. Penetration Testing for Real-World Insights 

Stay one step ahead of the bad actors by conducting routine penetration testing. Penetration testing provides invaluable insights into your cybersecurity vulnerabilities and the effectiveness of the security controls you have in place. Regularly test the effectiveness of your security processes by simulating cyberattacks. This proactive approach helps you identify weaknesses and expose vulnerabilities before malicious actors can exploit them.  

4. Categorize and Prioritize Cybersecurity Risks 

To optimize your cybersecurity efforts, categorize and prioritize risks based on a comprehensive inventory of your information systems, whether company-owned and on-premises or cloud-based SaaS systems. Understand the potential impact of a cybersecurity incident on your firm, its operations, and its financial condition. This approach ensures you can allocate the resources to areas that need the most attention and protection.


5. Third-Party Risk Mitigation 

Don’t overlook the cybersecurity risks posed by third-party service providers. Identify vendors with access to your information systems and sensitive data, then assess the cybersecurity risks associated with their involvement. This step is crucial, as third-party vulnerabilities can have a direct impact on your firm’s security. Implement controls to mitigate these risks and safeguard your firm’s integrity. 

6. Strengthen User Cybersecurity and Access Controls 

Minimize user-related risks and prevent unauthorized access to your systems by implementing robust user cybersecurity and access controls. Ensuring the right people have the right access helps prevent internal and external threats from compromising your data. 

7. Incident Response Planning 

The key to effective cybersecurity lies in how well you respond to incidents. Prepare for the inevitable by developing a comprehensive incident response and recovery plan. This strategy enables you to detect, respond to, and recover from cyber incidents effectively. Regularly test your plan through tabletop exercises to ensure your team is ready to take action when needed. 

Let Us Be Your Trusted Partner 

Luckily for you, Agio’s SEC Cybersecurity 360 Governance Program is a custom-designed service that incorporates all seven ingredients we just listed. With a focus on ownership, control, maturity, and fortification, our program guides you toward a mature cyber operating model at a cost-efficient price with seamless service. From cybersecurity risk assessment and penetration testing to incident response testing and cybersecurity training, we offer every service you need to empower clients with secure, resilient information systems. 


Don’t wait until it’s too late. The time to strengthen your cyber posture is now. As the SEC cybersecurity rule changes approach, Agio is here to assist you every step of the way.

Contact us today to learn more about how our cybersecurity expertise can prepare your firm for a safer and more resilient digital future. Your cybersecurity is our priority, and together, we can navigate the complex cybersecurity landscape with confidence.  
