Upcoming cyber regulations – what can you do to prepare?
SEC – the SEC is expected to adopt regulations requiring registered broker-dealers to disclose cyber security risks. (Estimated April 2023).
The SEC has also proposed rules that would require public companies to maintain a robust cyber security program and that set out detailed breach reporting requirements. (Estimated April 2023).
The most highly anticipated regulation concerns the proposed Cybersecurity Requirements for Investment Advisers and Investment Companies. (Estimated April 2023).
Federal Reserve – the Federal Reserve has highlighted that, “Examiners will be monitoring and assessing a supervised institution’s remediation of supervisory findings in areas such as independent risk management and controls, compliance, operational and cyber resilience, and information technology.”
FTC – the FTC has extended the deadline for compliance with the Safeguards Rule by six months, to 9 June 2023, and has announced that data security and privacy will be key enforcement items for 2023.
NYDFS – the New York Department of Financial Services has proposed an amendment to the well-known NYDFS Part 500 (23 NYCRR 500) that extends cyber security requirements to financial services companies that had previously been out of scope.
OCC – as part of the FY2023 Bank Supervision Operating Plan the OCC has listed operational resilience, cyber security and third-party risk management as priority objectives.
NCUA (National Credit Union Administration) – has issued cyber incident notification requirements for federally insured credit unions.
DoD, GSA and NASA – have introduced a single new rule, amending the Federal Acquisition Regulation (FAR), that addresses the sharing of cyber threat information.
The Commerce Department – has proposed regulations under Executive Order 13984 and Executive Order 14086 that take additional steps to address the national emergency with respect to significant malicious cyber-enabled activities.
What can firms do now to prepare?
- begin cyber security risk assessments that include a strong vendor risk management component
- draft new cyber policies or review prior policies
- examine existing technology controls to determine whether they meet current industry best practice
- prepare for the SEC’s annual review requirements.
How can Waystone Compliance Solutions help?
Our US Solutions Team offers an SEC Annual Cyber Security Review Retainer which provides firms with the following:
- SEC Annual Review preparation, including a baseline cyber risk assessment
- written Information Security Policy update or implementation, if required
- SEC readiness report
- Incident Response Annual Retainer (including SEC filing)
- Cyber Risk Gap Analysis Report
- ongoing advice on cyber security matters, so that the client keeps pace with cyber security developments
- a proposed annual cyber workplan to be signed off by the management team
- quarterly updates to the management team on progress against the cyber workplan
- oversight of third-party vendor management and other stakeholders.
If you would like to discuss any of these topics further or discuss your cyber security requirements in more detail, please reach out to your usual Waystone representative or contact us below.