Preparing for the Impact of New 2023 Cybersecurity Regulations

New cybersecurity regulations are imminent. The U.S. Securities and Exchange Commission (SEC) is on the verge of finalizing rules with significant implications for registered investment advisors (RIAs), funds and public companies.
 
We’ve known that this has been in the works for about a year, with the SEC publishing its intent to establish regulations for two groups: the first concerning RIAs and funds, and the second regarding publicly traded companies. With less than 20% of companies prepared to manage cyber risk, the legislation will have similar ramifications for both groups.
 
So how can companies ensure compliance and better protect the bottom line—and the interests of their stakeholders—against cyber risk?
 

Understanding New Regulatory Implications

Complying with the new regulations starts with identifying the critical changes and how they’ll impact your company. While the main goal is to help companies minimize the risk of cybersecurity breaches, the new rules also speak to defining and documenting what companies will do in the case of a material cybersecurity breach.
 
Last year’s article summarizes the requirements for RIAs and funds. Similar legislation is proposed for public companies. We’ve broken the changes into three intersecting areas in the table below.
 
1. Written policies and procedures

Regulatory guidance: Require companies and entities to adopt and implement written policies and procedures designed to address cybersecurity risks.

Impact: Organizations may not have policies and procedures formally documented. Further, there are best practices and guidance to review these annually. There must be evidence to support this review.

How to prepare: At a minimum, develop and annually review written cybersecurity policies and procedures that define cyber incidents, breaches and reporting practices, and encapsulate plans for
  • Identifying how cybersecurity is part of their business strategy, financial planning and capital allocation.
  • Protecting the company against cybersecurity attacks.
  • Vetting and overseeing third-party risk mitigation.
  • Handling any cyber incidents.
  • Documenting and reviewing compliance.

2. Incident reporting and disclosure

Regulatory guidance: Incident reporting and disclosure.

Impact: Depending upon the entity, companies must report cybersecurity incidents as required by the regulation. This reporting has specific timing requirements and is required to take a structured form (see the next area).

How to prepare: Create a plan to report cybersecurity incidents as required within the appropriate regulation and have structured procedures to identify reporting timelines, methods and stakeholders, including
  • Determining who is responsible for reporting.
  • Creating a reporting template to streamline information gathering.
  • Creating a procedure for incident management to define the type, frequency and audience for reporting.

3. Structured data reporting

Regulatory guidance: Require companies to use certain structured data reporting.

Impact: In addition to incident handling requirements, entities are required to utilize standardized reporting methods and data structures to report incidents.

How to prepare: Determine which reporting methods apply to you and ensure that your incident response team or compliance department has the mechanisms in place to use the proper channels and data structures for reporting.
 
 

The Potential Wide-Ranging Ramifications

While the SEC regulations speak primarily to the finance sector and publicly traded companies, it’s important for every company to start paying attention. Since the goal is protecting the public and public companies, some of this regulatory language will eventually start coming down for everyone.
 
If avoiding regulatory fines and sanctions designed to enforce compliance isn’t enough to start adopting cyber hygiene best practices, developing an adequate cyber risk program is a good business strategy for building credibility with your audience.
 
However, while some companies are already doing what they’re supposed to do concerning cybersecurity, many are still virtually at ground zero, needing much more work to bring current practices in line with regulatory compliance. While some of the changes are a relatively simple matter of implementing reporting practices and policies, others may require philosophical changes to operations and governance at all levels.
 

The Burden of Proof

While much of what this legislation covers relates to practices companies should already be following, gathering proof is going to be challenging. After all, checking a box and saying “trust me” isn’t an option with regulatory matters. If part of the policy is to perform reviews, and your risk manager is doing them, there must be supporting documentation or evidence that can stand up to an audit. To that end, in addition to approving and following written cybersecurity documentation, companies will need a more detailed review to ensure that every “i” is dotted and every “t” crossed.
 
At BDO, we see this quite often because we help companies in every industry comply with many of the different regulatory compliance requirements currently established. Too often, they don’t think to save logs or meeting minutes that would provide the evidence they need to prove they’re doing what’s necessary. During that work, we put together an audit plan so that if and when clients are required to provide evidence of compliance, they will have the appropriate documentation that backs up everything they’re doing.
 

SEC Cybersecurity Compliance Should be the Baseline for Every Company

Whether or not your company is subject to these new laws, you should implement cybersecurity best practices. Doing so includes creating a policy that outlines your plans and procedures for mitigating, reacting to and reporting incidents. Moreover, it includes documenting evidence that you’re following the policy.
 
However, just implementing or performing best practices in cybersecurity might not be enough. You must also have a way to review and collect your work as evidence of compliance, and that's where BDO can help. Even if your IT team says your company is audit-ready, having another set of eyes from a neutral third party like BDO can be beneficial.
 
In addition to regulatory compliance and audit support, BDO’s team of experts can help with every aspect of cybersecurity – from governance and risk to technical implementation of controls. Contact us to find out how we can help you.
 

FAQs

Which companies can expect to comply with new regulations?
The regulations specifically name RIAs, funds and publicly traded companies, but every company should follow these best practices to minimize risk and establish credibility. Moreover, while the federal government is starting with companies that are publicly traded or in the finance sector, this is only the beginning. Most organizations will likely be subject to similar regulations down the line.
 
How can we prepare for the new regulations?
One of the best places to start is reviewing the requirements set forth in the regulation, then reviewing current policies (if they exist) and identifying stakeholders - including the board of directors. After this review, it’s possible to identify gaps and create a plan to work toward compliance. BDO has the cybersecurity and audit expertise to help you create and implement your cybersecurity plan.
 
What will be the biggest cybersecurity obstacle for most organizations?
While the biggest obstacle for any organization depends on their business, industry and cybersecurity maturity, one of the most significant areas we see clients struggling with isn’t necessarily related to implementation of technical controls. Instead, we frequently find that clients have challenges providing sufficient evidence to reviewers, auditors and regulatory bodies that can be used to evaluate compliance. We often help clients create plans, processes and procedures so they can be ready when a review or an audit happens.