Yesterday’s release of a comprehensive proposed rule by the SEC is a welcome evolution of the Commission’s approach to cybersecurity. Currently there are “no Commission rules that specifically require firms to adopt and implement comprehensive cybersecurity programs”[1]. Until now the Commission has pressed for good cyber hygiene mainly through its examinations; a comprehensive rule would instead make explicit what a covered firm must do to be compliant with SEC cybersecurity requirements.
The proposed rules would require covered firms to address five key areas[2]:
- risk assessment, including assessment of risks associated with certain service providers, oversight of such providers, and appropriate written contracts with such providers;
- user security and access;
- information protection;
- cybersecurity threat and vulnerability management; and
- cybersecurity incident response and recovery.
This framework comes with a strong emphasis on reporting back to the Commission, retaining historical records, and incident reporting (to the Commission and, in some cases, to the general public as well). An underlying theme is that covered firms’ cybersecurity programs should be built on established frameworks, such as the NIST Cybersecurity Framework (CSF) and the guidance published by CISA.
It is also clear that the Commission considered stricter, more prescriptive requirements; for example, mandating specific encryption standards. Fortunately, it recognized how quickly cyber standards change and how technology and innovation can outpace that style of regulation. In the same spirit, the proposal does not prescribe a fixed cadence for updating the program beyond a review at least annually; changes in technology, business functions, or threat intelligence are expected to trigger a review whenever they occur. It is becoming clear to all that cybersecurity is an ongoing, always-on discipline that requires continuous preparedness.
While much will be made of administrative controls like policies and risk assessments, two technical controls should not be overlooked: vulnerability management and user access controls both feature prominently in the Commission’s release. Firms will have to implement technology that fits their specific environment. If, for example, a firm has shifted to a hybrid or largely remote work model, the services supporting that model will need to be reviewed to confirm they are sufficient for compliance. In practice that will likely mean endpoint vulnerability management that covers roaming devices and multi-factor authentication (MFA) for access to corporate services.
While the rules are still at the proposal stage, it is clear that firms will need to align their policies, business cyber risk assessment, and third-party cyber risk assessments with a suitable, established cybersecurity framework. Clearly defined ownership is a vital part of incident response planning, and it is advisable to test incident response plans, including post-incident debriefing and reporting, through methods such as table-top exercises.
The proposal contains some 64 open questions on which the Commission is seeking public feedback. As a trusted cybersecurity partner to over 700 firms of varying sizes and strategies in the alternative investment space, Drawbridge occupies a unique position from which to comment. We look forward to the opportunity to put our expertise to work in helping to guide the regulation and in establishing a baseline framework for firms to adopt. Our extensive experience can help shape cybersecurity policies that are demonstrably effective without becoming a burden on the business.
[1] https://www.sec.gov/rules/proposed/2022/33-11028.pdf, p. 13
[2] https://www.sec.gov/rules/proposed/2022/33-11028.pdf, p. 93