In September of 2017, the Chairman of the SEC, Jay Clayton, appeared before the Senate Committee on Banking, where he emphasized the increasing importance of corporate cybersecurity at publicly traded companies to ensure transparency in investments and minimize the impact of cyber events on shareholders.
While these guidelines have not yet been finalized, it is expected that they will be completed in the first half of 2018 and will impact how organizations respond to and prepare for the continuing escalation of cyberattacks and data breaches.
The Role of the SEC
The SEC was established to enforce laws, regulations and guidelines that protect investors in the securities market. Their core mission, as stated on the SEC site, is to protect investors, maintain fair and orderly markets, and facilitate capital formation. Regulations and guidelines issued by the SEC largely apply to publicly traded organizations, as well as to investment advisors, which include investment consultants, financial planners, and money managers.
With cyberattacks and data breaches becoming both increasingly common and impactful, the SEC has determined that robust cybersecurity guidelines, in addition to other established rules and best practices, must play an integral role in the security and protection of the market and its investors. This is especially important now, given that the global cost of cybercrime grew to $11.7 million per organization in 2017, up 23 percent from 2016, and is expected to continue to grow at this or a faster rate over the foreseeable future.
Impending SEC Updates to Cybersecurity Guidelines
The announcement that the SEC will be updating their cybersecurity guidelines, which were originally released in 2011, follows on the damaging Equifax data breach, as well as a breach at the SEC itself. This announcement is part of a larger trend of increased regulation and guidance pertaining to cybersecurity, as evidenced by individual states such as New York recently bolstering oversight as well.
These updates will aim to ensure that corporate finance teams are equipped to identify cyber risks and incorporate the necessary cybersecurity controls to mitigate these risks. The goal is to ensure the protection of market participants and detection in the case of successful breaches. However, the SEC also recognizes that even with additional robust security features and protocols in place, organizations can still fall victim to data breaches.
While the forthcoming guideline updates have not been solidified, preliminary reports indicate that they will address or add clarity to the following areas, requiring financial teams and advisors to revamp their cybersecurity infrastructure and policies:
In addition to these specific areas of guidance, the SEC more generally states that “cybersecurity efforts must include, in addition to assessment, prevention, and mitigation, resilience and recovery.”
As organizations seek to secure their data and comply with these guidelines, threat detection and prevention controls, including Advanced Threat Protection (ATP), Data Center Intrusion Prevention System (DCIPS), and internal segmentation, can provide a new level of network transparency, while preventing known and derivative threats and isolating any attacks that manage to breach the network. In addition to addressing infrastructure issues, organizations should also be sure to formally educate their employees on avoiding cyber risks, such as the growing incidence of phishing scams that lead to malware infections and ransomware attacks, as well as on the proper procedures for responding to a security event.
Cyberattacks and resulting data breaches are becoming increasingly common headlines. As a result, regulatory bodies are taking stronger positions when it comes to ensuring that the necessary security controls are in place to protect both organizations and investors. This new set of updates expected from the SEC is likely to affect how corporate finance teams must prepare for and respond to breaches, and will likely recommend incorporating stronger prevention and detection methods.
About the Author: Brian Forster is a Senior Director at Fortinet where he oversees and manages all aspects of the financial services vertical, including thought leadership, demand generation, sales enablement and account-based marketing. Prior to Fortinet, he held a leadership role at Juniper Networks and has spent most of his career within the high tech industry, including three years at Accenture and seven years at IBM in a variety of positions. He is a graduate of Pomona College with a B.A. in Political Science and an M.B.A. from Goizueta Business School at Emory University.