One of the most significant cybersecurity events in history is about to occur for the financial services industry in the form of new legislative regulations.

New rules from the US Securities and Exchange Commission (SEC) will have a significant impact on businesses that provide financial services and could have a profound effect on cybersecurity culture once they are adopted.

The SEC’s new proposal

The new SEC proposal will mandate complete cybersecurity transparency and accountability at the highest level of business leadership—including the boards of directors—for all publicly held companies. It will mandate that businesses report significant cybersecurity events on their Form 8-K.

They must also disclose the company’s policies and practices for managing cybersecurity risks, as well as how management participates in their implementation.

The process that the company’s board of directors uses to oversee cybersecurity risk, as well as any board member’s cybersecurity expertise, must also be disclosed.

This proposal will go a long way towards helping cybersecurity risk and strategy become a board-level conversation – a long-needed development. It will also help boost enterprise spending for cybersecurity and drive demand for cybersecurity knowledge at the board level. And it will also underscore the importance of including CISOs in these board-level conversations and decisions.

Digging into the details

On 23 March 2022, the SEC put forward a proposal to improve and standardise the disclosures made by public firms that are required to comply with the reporting requirements of the Securities Exchange Act of 1934. The requirements refer to cybersecurity risk management, strategy, governance and incident reporting. Material cybersecurity events would need to be reported, cybersecurity policies and procedures would need to be disclosed on a regular basis and the board of directors would need to oversee cybersecurity risk.

When a financial institution concludes they have had a substantial cybersecurity incident after these SEC requirements become law, they have four business days to disclose it. The Form 8-K report – which businesses must submit to the SEC in order to announce significant events that shareholders need to know about – will need to be amended as part of the disclosure process. The new plan also mandates the disclosure of a number of previously unreported individual cybersecurity incidents that, taken together, have serious consequences.

Your policies laid bare

The new plan for risk management, strategy and governance disclosure is even more significant than the proposal’s incident reporting section. The cybersecurity risk management policies and practices of a public corporation will be laid bare via this section of the proposal. Companies must also disclose how the board of directors oversees cybersecurity risk.

Additionally, companies must disclose executive management’s role in evaluating cybersecurity risk and carrying out the firm’s policies and procedures. This process is akin to posting an organisation’s “report card” online for public review and comment.

Under the new regulation, companies must disclose their policies and processes for identifying and managing risks from cybersecurity attacks. If none are in place, the SEC will note it and it may result in major consequences, such as fines and penalties for non-compliance. Companies will also need to say whether cybersecurity is a part of their corporate strategy, financial planning and capital allocation.

Last but not least, the new regulation mandates that any board members who possess cybersecurity expertise must declare it in the annual report and some proxy statements. The board should have both internal and external cybersecurity subject matter experts (SMEs). External SMEs should provide specialist knowledge, and internal SMEs should supply the institutional knowledge.

Cybersecurity: a leadership imperative

The chinks in cybersecurity’s armour are created by people. Making your staff an integral part of the solution, rather than the problem, is the only way to deal with this reality. The board of directors is typically at the top of the organisational structure; it is here that attention to the new rules needs to begin. And they must equip employees with ongoing training and new technologies.

One of the most important fiduciary obligations that directors and officers have today is cybersecurity. The board must be certain that cybersecurity guidelines and practices are being followed. Leaders must establish and nurture a risk-aware culture throughout the company, which enables better decision-making.

Compliance on the horizon

Whether we realise it or not, the financial services sector is essential to us all. It must be strengthened and protected – and now, not later.

New regulations are arising in light of this fact, and compliance is not optional. Companies must align their policies and procedures with the SEC and other international regulatory bodies in order to make the digital world safer for investors and consumers alike.

About the author:

Michael Brown is field CISO for financial services at cybersecurity firm Fortinet.

He specialises in cybersecurity regulations, ESG impact, SD-WAN, SD-Branch, Zero Trust, low-latency electronic trading security, SASE and multi-cloud solutions.