Protect Investors and Ensure Compliance: Guiding Principles for Cybersecurity

July 10, 2023 by Tiffany Magri


In a recent address, Gurbir Grewal, Director of Enforcement at the U.S. Securities and Exchange Commission (SEC), outlined five guiding principles for cybersecurity and disclosure. These principles emphasize the SEC's commitment to safeguarding the investing public as potential victims and highlight the importance of cyber compliance. While these regulations are still in progress, financial firms should be aware of and prepared for their potential impact on cybersecurity practices and disclosure decisions.

Recognizing the investing public as potential victims: The SEC acknowledges that cyber attacks on publicly traded companies and other market participants can have a detrimental impact on the investing public. To protect investors, financial firms must establish robust cybersecurity programs. These programs should include strong access controls, encryption, multi-factor authentication, and network segmentation to safeguard investor data and assets.

Implementing real policies and avoiding "check-the-box" approaches: Financial firms need to go beyond superficial cybersecurity policies that simply aim to "check the box" and move on. Instead, they should develop comprehensive policies aligned with industry frameworks and best practices such as the NIST Cybersecurity Framework or the CISA Cyber Essentials Starter Kit. These policies should cover areas such as risk assessments, user security and access controls, information protection, incident response, and compliance with notification and reporting requirements.

Regularly reviewing and updating cybersecurity policies: The SEC emphasizes the importance of regular policy reviews and updates to keep pace with evolving cyber threats. Financial firms should conduct ongoing risk assessments to identify vulnerabilities and prioritize mitigation efforts. Additionally, they should stay informed about emerging threats and industry-specific risks to better understand potential impacts on investors.

Reporting the right information for disclosure decisions: Accurate and timely reporting of cybersecurity incidents is crucial for informed disclosure decisions. Financial firms should establish clear lines of communication and reporting channels within their organizations. Incident response plans should outline the steps and timelines for reporting cyber incidents to internal and external stakeholders, including senior management, legal teams, and regulatory authorities.

Zero tolerance for gamesmanship in disclosure decisions: The SEC's zero-tolerance approach toward gamesmanship underscores the importance of prioritizing disclosure over reputational concerns. Financial firms must foster a culture of transparency and accountability, ensuring senior management and board members understand their legal and ethical obligations. Engaging legal counsel and external cybersecurity experts can provide guidance on disclosure decisions during cyber incidents.

Integration of cyber compliance elements from proposed SEC rules

In addition to the guiding principles, financial firms should consider incorporating the following cyber compliance elements proposed by the SEC:

  • Adopting and implementing written cybersecurity policies and procedures: Financial firms should develop written cybersecurity policies tailored to their specific risks and challenges. These policies should encompass areas such as risk assessments, user security, information protection, cybersecurity threat management, incident response, and compliance with notification and reporting requirements.
  • Enhancing cybersecurity policies and oversight procedures: Regular assessments of cybersecurity risks and controls should minimize user-related risks and prevent unauthorized access to systems. Monitoring information systems for threats and vulnerabilities and establishing incident response procedures are essential to effective cybersecurity policies.
  • Compliance with notification and reporting requirements: Financial firms should establish processes and procedures to comply with reporting requirements outlined by the SEC. This includes mandatory reporting of significant cybersecurity incidents within 48 hours on the required forms. Clear communication channels should be maintained to ensure immediate and accurate reporting to stakeholders and regulatory authorities.

The best practices listed above should be tailored to your organization’s specific needs and characteristics. Engaging legal counsel, cybersecurity experts, and compliance professionals can help ensure that your policies, procedures, and reporting practices align with regulatory requirements and industry best practices. Regular training and awareness programs should also be implemented to educate employees about their roles and responsibilities in maintaining cybersecurity compliance.

By embracing the SEC's guiding principles and integrating elements of cyber compliance from the proposed rules, financial firms can enhance their cybersecurity practices and disclosure decisions. It is crucial to prioritize investor protection, implement effective policies, regularly review and update cybersecurity measures, report accurate information and avoid gamesmanship in disclosure decisions.

Tiffany Magri
Smarsh Blog
