Last month’s release of a comprehensive proposed rule change by the SEC was a welcome evolution of its approach to cybersecurity. Currently, there are “no Commission rules that specifically require firms to adopt and implement comprehensive cybersecurity programs” [1]. Although the Commission has long emphasized good cyber hygiene during examinations, this proposal marks the beginning of a fundamentally different, rules-based approach to cybersecurity. A comprehensive rule, once adopted, would give firms a concrete definition of what compliance with SEC cybersecurity requirements looks like.
The proposed rules focus on 5 key areas [2]:
- risk assessment, including assessment of risks associated with certain service providers, oversight of such providers, and appropriate written contracts with such providers;
- user security and access;
- information protection;
- cybersecurity threat and vulnerability management; and
- cybersecurity incident response and recovery.
[1] https://www.sec.gov/rules/proposed/2022/33-11028.pdf Page 13
[2] https://www.sec.gov/rules/proposed/2022/33-11028.pdf Page 93