Upcoming cyber regulations – what can you do to prepare?
As many as eight US regulatory entities have announced new regulations. Here is a summary of what is forthcoming in 2023:
SEC Cyber Security Regulations
The SEC is expected to adopt regulations on registered Broker Dealers that require disclosure of cyber security risks. (Estimated April 2023).
The SEC has also proposed rules that would require public companies to have a robust cyber security program and that would set out detailed breach reporting requirements. (Estimated April 2023).
The most highly-anticipated regulation is around Cybersecurity Requirements for Investment Advisers and Investment Companies. (Estimated April 2023).
Federal Reserve Cyber Security Regulations
The Federal Reserve has highlighted that, “Examiners will be monitoring and assessing a supervised institution’s remediation of supervisory findings in areas such as independent risk management and controls, compliance, operational and cyber resilience, and information technology.”
FTC Cyber Security Regulations
The FTC has extended the deadline to comply with the Safeguards Rule by six months, to 9 June 2023, and has announced that data security and privacy will be key enforcement items for 2023.
NYDFS Cyber Security Regulations
The New York Department of Financial Services has proposed an amendment to the well-known NYDFS 500 to include cyber security requirements for financial services companies that had previously been out of scope.
OCC Cyber Security Regulations
As part of the FY2023 Bank Supervision Operating Plan, the OCC has listed operational resilience, cyber security and third-party risk management as priority objectives.
NCUA (National Credit Union Administration) Cyber Security Regulations
The NCUA has issued cyber incident notification requirements for federally insured credit unions.
DOD, GSA and NASA Cyber Security Regulations
The DOD, GSA and NASA have introduced a single new rule, amending the Federal Acquisition Regulation (FAR), that addresses the sharing of cyber threat information.
The Commerce Department Cyber Security Regulations
The Commerce Department has proposed regulations under Executive Order 13984 and Executive Order 14086 that seek to take additional steps to address the national emergency relating to significant cyber-enabled activities.
What can firms do now to prepare?
- begin cyber security risk assessments that include a strong vendor risk management component
- draft new cyber policies or review prior policies
- examine existing technology controls to determine whether or not they meet current industry best practice
- prepare for the SEC’s annual review requirements.
How can Waystone Compliance Solutions help?
Our US Solutions Team offers an SEC Annual Cyber Security Review Retainer which provides firms with the following:
- SEC Annual Review preparation including baseline cyber risk assessment
- Written Information Security Policy update or implementation, if required
- SEC readiness report
- Incident Response Annual Retainer (including SEC filing)
- Cyber Risk Gap Analysis Report.
Annual Services:
- Provide ongoing advice on cyber security matters, ensuring that the client remains at the forefront when addressing cyber security developments
- Propose an annual cyber workplan to be signed off by the management team
- Provide quarterly updates to the management team on progress against a cyber workplan
- Oversee third-party vendor management and other stakeholders.
If you would like to discuss any of these topics further or discuss your cyber security requirements in more detail, please reach out to your usual Waystone Compliance Solutions representative or contact us below.