The U.S. Securities and Exchange Commission is set to pass its long-awaited Cybersecurity Risk Management rules (rules 38a-2 and 206(4)-9). If the final rules end up being similar to the rules for public companies finalized on July 26, 2023, they will require registered investment advisers and funds to implement new incident disclosure practices and communicate to investors how firms are managing cybersecurity risks. 

What does that mean for your firm? You will have to describe to your investors what the firm is doing to address current cybersecurity threats by implementing a comprehensive cybersecurity management program to protect against, detect, and respond to likely cyber threats to investor data and critical business systems. You will also need to be prepared to respond to cyber incidents and disclose to investors if the incidents have a material impact on their investment. 

If you are a current Agio SEC Cybersecurity Governance Program client, rest assured Agio will work to have you prepared for the final SEC rules and your next SEC examination. 

If you are not a current client and would like to gauge how well-prepared your firm is for the new rules, our virtual Chief Information Security Officers (vCISOs) have crafted a regulatory self-assessment that comprises nine critical questions. If you find yourself answering “NO” to any of these questions, it is a clear indicator that you are not adequately prepared. We should talk. 

1. Do you perform an annual risk assessment and document how risks evolve over time?  

Staying vigilant in the face of evolving cybersecurity threats is paramount, and conducting periodic risk assessments is the first step in understanding how well-prepared your firm is to stay ahead of bad actors. Annual risk assessments are also going to be a regulatory requirement, so if your firm isn’t conducting annual risk assessments, now is the time to start. 

2. Have you adopted and implemented written policies and procedures designed to address your cybersecurity risks? 

Clear and comprehensive written policies and procedures form the foundation of a robust cybersecurity program. They guide your actions and responses in the event of a cyber event. Regulators will also want you to be able to produce these documents and answer detailed questions about them during your next audit.

3. Do you regularly test the effectiveness of your written information security policies and procedures through penetration testing?  

Regular penetration testing is an essential tool for stress testing your people, policies, procedures, and cyber defense capabilities. The SEC has regularly stated in their Risk Alerts and observations from cybersecurity examinations that they expect penetration testing as part of robust cybersecurity-related procedures. 

4. Do you categorize and prioritize cybersecurity risks based on an inventory of information systems components, the information they contain, and the potential impact of a cybersecurity incident? 

Understanding and prioritizing cyber risk within your firm is not always a straightforward process. Risks can fluctuate based on several controllable and uncontrollable factors. You are going to need to be able to demonstrate that you are monitoring cyber risk and adjusting your risk management priorities as risk levels fluctuate based on emerging threats and newly discovered vulnerabilities.

5. Can you identify your service providers that handle or access your business information and assess the cybersecurity risks associated with their services? 

Your vendors can be a weak link in your cybersecurity defenses. Assessing vendor cybersecurity risk is an essential part of any compliant cybersecurity governance program. 

6. Have you implemented user security and access controls to minimize user-related risks and prevent unauthorized access? 

A comprehensive user security control policy is one of the easiest ways to reduce the risk of unauthorized access to your systems and data, which also reduces the risk of insider threats.

7. Have you implemented information protection measures to monitor and secure your information systems and data? 

Safeguarding your client data is at the core of the SEC’s new cybersecurity ruleset, but cyber incidents that impact critical business data and systems—and ultimately clients’ investments—are equally at stake. If you’ve not implemented a cyber threat detection and response system (a measure the SEC is recommending firms take to shore up their cyber defenses), you should consider implementing one now.  

8. Have you implemented threat and vulnerability management to detect, mitigate, and remediate cybersecurity threats and vulnerabilities? 

Effective vulnerability management requires being able to monitor and identify vulnerabilities, categorize them by risk level, and document remediation steps to limit risk to systems and data. You’ll also need to be able to report on this process when SEC examiners request it. 

9. Have you implemented cybersecurity incident response and recovery measures to detect, respond to, and recover from a cybersecurity incident?  

Effective incident response is the last line of defense. It enables you to limit damage and recover swiftly in the event of a breach. Agio’s Incident Response Management service can help you quickly discover these breaches and combat them with swift resolution time.  

At Agio, we’ve been at the forefront of cybersecurity governance, offering vCISO-led Cybersecurity Governance programs, Incident Response Management programs, and XDR monitoring services since 2014. Our services continuously adapt to changing requirements, the evolving threat landscape, and the risks faced by our clients. Our vision at Agio is to empower our clients with secure, reliable, and resilient information systems. Let Agio help you turn that vision into a reality.  

Don’t wait; contact us today to shore up your cybersecurity defenses and limit your regulatory risk.