infoTECH Feature

February 28, 2018

What Updated SEC Cybersecurity Guidelines Will Mean for Corporate Finance

By Special Guest
Brian Forster, Sr. Director at Fortinet

Financial advisors and corporate finance teams can expect a new set of cybersecurity guidelines to be distributed by the Securities and Exchange Commission (SEC (News - Alert)) within the year.

In September of 2017, the Chairman of the SEC, Jay Clayton, appeared before the Senate Committee on Banking, where he emphasized the increasing importance of corporate cybersecurity at publicly traded companies to ensure transparency in investments and minimize the impact of cyber events on shareholders.

While these guidelines have not yet been finalized, it is expected that they will be completed in the first half of 2018 and will impact how organizations respond to and prepare for the continuing escalation of cyberattacks and data breaches.

The Role of the SEC

The SEC was established to enforce laws, regulations and guidelines that protect investors in the securities market. Their core mission, as stated on the SEC site, is to protect investors, maintain fair and orderly markets, and facilitate capital formation. Regulations and guidelines issued by the SEC largely apply to publicly traded organizations, as well as to investment advisors, which include investment consultants, financial planners, and money managers.

With cyberattacks and data breaches becoming both increasingly common and impactful, the SEC has determined that robust cybersecurity guidelines, in addition to other established rules and best practices, must play an integral role in the security and protection of the market and its investors. This is especially important now, given that the global cost of cybercrime grew to $11.7 million per organization in 2017, up 23 percent from 2016, and is expected to continue to grow at this or a faster rate over the foreseeable future.

Impending SEC Updates to Cybersecurity Guidelines

The announcement that the SEC will be updating their cybersecurity guidelines, which were originally released in 2011, follows on the damaging Equifax data breach, as well as a breach at the SEC itself. This announcement is part of a larger trend of increased regulation and guidance pertaining to cybersecurity, as evidenced by individual states such as New York recently bolstering oversight as well. 

These updates will aim to ensure that corporate finance teams are equipped to identify cyber risks and incorporate the necessary cybersecurity controls to mitigate these risks. The goal is to ensure the protection of market participants and detection in the case of successful breaches. However, the SEC also recognizes that even with additional robust security features and protocols in place, organizations can still fall victim to data breaches.

While the forthcoming guideline updates have not been solidified, preliminary reports indicate that they will address or add clarity to the following areas, requiring financial teams and advisors to revamp their cybersecurity infrastructure and policies:

  • The updated guidelines will likely stipulate that affected public organizations be able to demonstrate they have the controls in place to detect and mitigate cyberattacks within a reasonable amount of time. Threat detection has become a major security focus as cyberattacks have become more frequent and sophisticated. It is unlikely that an organization will be able to prevent all threats at all times. Critical detection measures, therefore, help ensure that when a breach is successful it can be contained and mitigated with minimal dwell time.
  • Updates to the current SEC guidance will also likely include clarification on how a breach should be classified, helping organizations better determine whether it must be disclosed to investors. Currently, the decision of whether a breach can harm investors, and therefore must be disclosed, is left up to affected organizations. However, an article from Bank Info Security notes a study done by a Virginia senator that showed that of 9,000 assessed organizations that had experienced a cyber incident, fewer than 100 considered their breaches to be large enough to disclose to investors.
  • In addition to clarifying what must be disclosed in the wake of a data breach, guidelines will likely ask affected organizations to assess their level of cyber risk and make that information available to investors. This will provide a new level of transparency for investors when assessing the security of their investment.  
  • Another likely focus for the SEC is providing clearer instructions regarding the appropriate timeline for an organization to inform the public of a breach once it has been discovered. As many organizations have been criticized for waiting to release details on data breaches, a standardized approach to breach disclosures, such as a timeline for reporting an event to regulators and the public, will likely be welcome by investors and security response teams alike.
  • Finally, organizations can expect stronger guidelines surrounding insider trading. Following the Equifax breach, it was suspected that those with knowledge of the breach sold stock before the breach was made public. As a result, updates are likely to include guidelines that address the potentially negative impacts of insider trading following a data breach.

In addition to these specific areas of guidance, the SEC more generally states that “cybersecurity efforts must include, in addition to assessment, prevention, and mitigation, resilience and recovery.”

As organizations seek to secure their data and comply with these guidelines, Threat detection and prevention controls, including Advanced Threat Protection (ATP), Data Center Intrusion (News - Alert) Prevention System (DCIPS), and internal segmentation can provide a new level of network transparency, while preventing known and derivative threats and isolating any attacks that manage to breach the network. In addition to addressing infrastructure issues, organizations should also be sure to formally educate their employees on avoiding cyber risks, such as the growing incidents of phishing scams that lead to such things as malware infections and ransomware attacks, as well as the proper procedures for responding to a security event.

Final Thoughts

Cyberattacks and resulting data breaches are becoming increasingly common headlines. As a result, regulatory bodies are taking stronger positions when it comes to ensuring necessary security controls are in place to protect both organizations and investors. This new set of updates expected from the SEC are likely to affect how corporate finance teams must prepare for and respond to breaches, as well as recommend incorporating stronger prevention and detection methods.

About the Author: Brian Forster is a Senior Director at Fortinet (News - Alert) where he oversees and manages all aspects of the financial services vertical, including thought leadership, demand generation, sales enablement and account-based marketing. Prior to Fortinet, he held a leadership role at Juniper Networks and has spent most of his career within the high tech industry, including three years at Accenture and seven years at IBM (News - Alert) in a variety of positions.  He is a graduate of Pomona College with a B.A. in Political Science and an M.B.A. from Goizueta Business School at Emory University.

Edited by Mandi Nowitz

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers