New SEC cybersecurity reporting mandates put increased pressure on investment firms

SEC Chairman Gary Gensler testifies before a Senate Banking, Housing, and Urban Affairs Committee oversight hearing on September 14, 2021 in Washington, D.C. (Photo by Evelyn Hockstein/Pool via Getty Images)

Following persistent cyber threats from Russia, the U.S. Securities and Exchange Commission (SEC) is proposing new cybersecurity rules to strengthen reporting of cyber incidents.

Specifically, the SEC proposes “mandatory reporting of cybersecurity incidents” within four business days. Under the proposal, the four-day clock starts when the company determines that an incident is material, not when the incident is first detected, which makes a documented and timely materiality assessment part of the compliance burden. The commission pointed out that over the past decade reporting on cyber incidents has been “inconsistent”. In addition, the SEC proposes to require more consistent disclosures about companies’ cybersecurity policies and governance. The proposal is open for public comment for 30 days after it is published in the Federal Register, or 60 days after it is published on the SEC’s website, whichever period is longer.

“Whereas in the short term, companies will not like this new requirement, they should see it as an opportunity to demonstrate that they are better at cybersecurity and risk management than their competitors in the market,” said Padraic O’Reilly, cyber risk adviser for the Department of Defense and co-founder of the cyber risk firm CyberSaint.

“Having a strong governance approach to managing cyber risk is a business opportunity and should be viewed as an investment,” he said. “Ultimately, cyber-management and risk management must be part of investors’ due diligence and more transparency is long overdue.”

Under the SEC’s recent proposals, certain financial companies and listed companies would have to report cyberattacks to their regulators, maintain detailed plans for responding to hacks, and explain how they handle cybersecurity at all levels, from the board down. Many industry experts believe that the proposed rules will strengthen the ability of financial firms to fend off cyberattacks.

“The SEC’s proposed new rule, which would require public organizations to disclose cyberattacks within four days, will ensure organizations are transparent when it comes to disclosing breaches,” said Dr. Gaffney, who leads threat intelligence and response at Mimecast. “And it should also help their leaders to place more importance on cyber resilience.”

“Cyberattacks are on the rise, and it’s often a question of when, not if, they will happen,” Gaffney said. “It is essential that business leaders have adequate multi-layered cybersecurity measures in place, as well as a well-functioning cyber resilience response plan. Frequent and engaging cybersecurity awareness training for their staff is also a crucial defense against cyberattacks.”