Protect Investors and Ensure Compliance: Guiding Principles for Cybersecurity

Recognizing the investing public as potential victims: The SEC acknowledges that cyber attacks on publicly traded companies and other market participants can have a detrimental impact on the investing public. To protect investors, financial firms must establish robust cybersecurity programs. These programs should include strong access controls, encryption, multi-factor authentication, and network segmentation to safeguard investor data and assets.

Implementing peal policies and avoiding "check-the-box" approaches: Financial firms need to go beyond superficial cybersecurity policies that simply aim to “check-the-box” and move on. Instead, they should develop comprehensive policies aligned with industry frameworks and best practices such as the NIST Framework or CISA Cyber Essentials Starter Kit. These policies should cover areas such as risk assessments, user security and access controls, information protection, incident response, and compliance with notification and reporting requirements.

Regularly reviewing and updating cybersecurity policies: The SEC emphasizes the importance of regular policy reviews and updates to keep pace with evolving cyber threats. Financial firms should conduct ongoing risk assessments to identify vulnerabilities and prioritize mitigation efforts. Additionally, they should stay informed about emerging threats and industry-specific risks to better understand potential impacts on investors.

Reporting the right information for disclosure decisions: Accurate and timely reporting of cybersecurity incidents is crucial for informed disclosure decisions. Financial firms should establish clear lines of communication and reporting channels within their organizations. Incident response plans should outline the steps and timelines for reporting cyber incidents to internal and external stakeholders, including senior management, legal teams, and regulatory authorities.

Zero tolerance for gamesmanship in disclosure decisions: The SEC's zero-tolerance approach toward gamesmanship underscores the importance of prioritizing disclosure over reputational concerns. Financial firms must foster a culture of transparency and accountability, ensuring senior management and board members understand their legal and ethical obligations. Engaging legal counsel and external cybersecurity experts can provide guidance on disclosure decisions during cyber incidents.

Integration of cyber compliance elements from proposed SEC rules

FEATURED INFOGRAPHIC

Cybersecurity vs Cyber Compliance

READ NOW

Share this post!

• Author
• Recent Posts

Tiffany Magri

Senior Regulatory Advisor at Smarsh

As a Regulatory Advisor at Smarsh, Tiffany Magri monitors, evaluates and consults on the financial services regulatory landscape. Tiffany has more than 10 years of experience facilitating compliance with laws and regulations, policies, and risk management. Prior to joining Smarsh, Tiffany was a Senior Associate at Benefit Street Partners and a Compliance Analyst at Broadstone and Manning & Napier Advisors.

Latest posts by Tiffany Magri (see all)

• From Hypothetical Performance to Real Consequences: SEC’s Message to Advisers - April 15, 2024
• Navigating the SEC’s Expanded Dealer Definition - March 6, 2024
• Digital Communication Preservation: Highlights of the DOJ and FTC’s Imperative Guidance - February 27, 2024

Smarsh Blog

Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.