Breaking Down SEC Guidance: How This Changes the Rules for Risk Management

There are personal gains: Credit card numbers. Social Security numbers. Passwords. Account numbers. Money. Assets. Identity. This is all powerful data.

Then there’s the element of chaos: Shutting down interconnected services, the pride of making it on the news, destroying trust, and being able to add another name to the “I hacked that” roster.

Financial organizations are a prime target for cyberattacks.

These threats are continuous because the people behind them are persistent. Attackers have strong, often financial, incentives to find the security gaps your security team may have missed.

It’s caught the attention of the SEC (Securities and Exchange Commission). On July 26, 2023, the SEC adopted final rules requiring registrants to describe their cybersecurity risk management, strategy, and governance annually in Form 10-K (Regulation S-K Item 106) and to report material cybersecurity incidents on Form 8-K (Item 1.05).

The first step is being open with all stakeholders about what risks you face as a business, and how those risks can be minimized or mitigated.

The rules apply to every SEC registrant, but they land hardest on sensitive industries such as financial services. Here are the changes they mandate.

What the SEC Is Requiring Financial Organizations to Do

Your disclosure is required.

Once you have determined that a cybersecurity incident is material, you must report it on Form 8-K (Item 1.05) within four business days of that determination, describing the nature, scope, and timing of the incident and its material impact (or reasonably likely material impact) on the company. The four-day clock starts at the materiality determination, not at discovery, but the rule expects that determination to be made without unreasonable delay.

There could be financial instability. Services locked out and shut down — confusing customers. 

Any incident needs to be documented and talked about in a way that all teams understand.

Being ready to make those disclosures, no matter where the risk comes from, comes down to six practices.

  1. Regularly review and update your internal cyber risk management programs.
  2. Maintain and document an incident response plan that minimizes downtime and data loss while expediting recovery and restoration of services.
  3. Include continuous risk identification, assessment, and mitigation in a healthy cyber risk management program.
  4. Keep an incident response and resilience strategy in place to promptly address breaches.
  5. Always set strong access rights and controls for safeguarding customer data.
  6. Run frequent risk assessments and stress tests to confirm that cyber defenses can withstand potential attacks.

What To Start Documenting in Your Risk Management Program

Item 106(b)(1) of Regulation S-K requires a description of the registrant’s processes for assessing, identifying, and managing material risks from cybersecurity threats, and lists these items to address:

  1. “Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes.”
  2. “Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes.”
  3. “Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.”

Are changes and daily audits being documented? (Thorough documentation can be used as part of an organization’s disclosure filing, should a company need it.)

Are vulnerabilities being scanned for remediation across the entire enterprise environment?

These are the questions that get technical and business teams to agree on concrete goals.

Consider the Different Ways to Access Sensitive Data

A proactive approach to cybersecurity incorporates continuous monitoring and finding potential weaknesses before they can be exploited by malicious actors.

Reducing your attack surface means limiting the points (or ‘attack vectors’) through which an unauthorized user can attempt to reach your data.

Work fluctuates, data grows, and your attack surface changes.

Consider the security checkpoints you’d implement in a physical office or manufacturing building. Who needs to have access to sensitive data in order to do their job? Who doesn’t need access to that?

You need to secure physical and digital entry points. Limit the number of people who have access to sensitive data. 

It’s equivalent to a real-world scenario where a building has fewer doors and windows to reduce the number of entry points for potential intruders.

Reducing your attack surface makes it harder for cybercriminals to breach your defenses. Fewer points of entry mean fewer opportunities for cyber threats to infiltrate your system. 

What Next?

Shrinking the attack surface is a crucial part of how financial organizations should respond to the SEC’s recent cyber rules. This can be accomplished in several ways, but all of them require a streamlined approach to risk management, incident response, and resource allocation.

Want to talk to an expert on IT and security operations management and how automating these areas can help you get ahead of this SEC cyber guidance? Set up a time to talk to a Syxsense expert today.