As cyberattacks become more frequent and complex, ensuring cybersecurity is essential for companies and investors. To address these concerns, the SEC has proposed regulations to assess advisers' and funds' levels of preparedness for cybersecurity threats.
In this article, we'll dive into the SEC Cybersecurity Risk Governance, its benefits, and what you need to know for your application security program.
The SEC Cybersecurity Risk Governance is a set of regulations that the Securities and Exchange Commission (SEC) has proposed to protect investors from the risks of cybersecurity incidents.
As described by the SEC Fact Sheet:
The Commission's proposed rules and amendments are designed to address concerns about advisers' and funds' cybersecurity preparedness and reduce cybersecurity-related risks to clients and investors; to improve the disclosures clients and investors receive about advisers' and funds' cybersecurity exposures and the cybersecurity incidents that occur at advisers and funds; and to enhance the Commission's ability to assess systemic risks and its oversight of advisers and funds.
The proposed regulations are based on the cybersecurity risk management framework:
Read More: The SEC Is Inching Closer to Clarity on Cybersecurity Requirements
While it may feel like an overstep for development teams and companies to comply with these SEC regulations, the overall goal is to protect investors and the market from growing cybersecurity risks.
Here are some key benefits of the SEC Cybersecurity Risk Governance for the companies that need to comply:
The first thing to know is that these SEC regulations apply to public companies that are, or should be, registered with the SEC.
The second thing to know is that as of June 2023, the proposed regulations are still in the comment period, and the SEC still needs to make a final determination on whether to adopt the regulations. But it's important to be familiar with the proposed regulations so that your team is ready to be compliant. And even if the rules are not adopted, it is still important for development teams to be aware of the risks of cybersecurity incidents and to take steps to protect their data and assets.
Read More: Public Company Cybersecurity Proposed Rules Fact Sheet
Let's look at what you can do for each area of the framework above:
The proposed SEC regulations aim to encourage companies to stay proactive regarding cybersecurity risks.
Here are some things you can do for better risk assessment:
Read More: What is Threat Modeling? (Practical Guide + Threat Modeling Template)
The proposed SEC regulations aim to encourage companies to work in a way that protects company and user data.
Here are some things you can do for better control measures:
Read More: What Is Secure Coding Training?
The proposed SEC regulations aim to encourage companies to have a plan in place in case a cybersecurity incident does occur.
Here are some things you can do for better incident response:
The proposed SEC regulations aim to encourage companies to properly disclose cybersecurity incidents to those affected, as well as to the SEC, investors, and advisers.
Here are some things you can do for better disclosure:
In the ever-changing threat and regulatory landscape of cybersecurity, it can take time to know what your next step should be. While growing regulations and outside voices may shape your application security program, it will always start with your team of developers.
If you’re ready for your next step, contact our team today to learn how secure coding training can be the foundation of an effective application security program at your organization.