How the SEC's proposed cybersecurity rules affect risk management and reporting in the financial sector

1st March 2022

The Securities and Exchange Commission (SEC) proposed buy-side cybersecurity rules that could significantly change the way financial cyber risk is handled.  

The proposed rules promise to give more weight to cybersecurity risk management and reporting requirements in financial regulation. As a result, investors will have to consider cyber risk an integral part of their investment strategy.  

When the rules are passed, business development companies, registered investment firms, and investment advisers will need to account for cyber risk when making investment decisions.  

Furthermore, the SEC also proposed amendments to rules to further govern investment advice and fund disclosures.  

What are the proposed rules and obligations from the SEC? 

The proposed rules would require investment firms to: 

– Create cybersecurity-related books and records to turn security into a formal process 

– Report significant cybersecurity incidents to the SEC on the proposed ADV-C form  

– Adopt and implement written policies designed to address cybersecurity risks 

What is the significance behind the SEC proposal? 

The SEC is an independent organisation tasked with protecting investors by preventing market manipulation.  

Its decision to incorporate cyber risk reporting and risk management into its compliance process indicates the growing importance of effective cyber risk management in attracting investment.

With cybercriminals becoming bolder in their cyberattacks, sensitive financial data from investors is at risk.  

Investors and key institutions suffered multiple cyberattacks during the pandemic. Cyberattacks increased by over 238% from February 2020 to the end of April of the same year. 

Furthermore, new technologies, such as blockchain, pose significant risks given the lack of regulation.  

Given these developments, the SEC is looking to integrate cybersecurity into financial reporting to provide investors with important information about cybersecurity—this helps them make informed decisions when choosing which company to invest in. 

Creating a secure environment for investors 

The proposed ruling by the SEC will hopefully create a more secure environment for investors by giving them more transparency into an organisation’s cybersecurity capabilities.

With security becoming more integral to an organisation's cybersecurity, devising procedures and processes for improving security and refining reporting capabilities to ensure the SEC receives accurate, detailed reports will be critical in the future. 
