This GT Alert covers the following:
The SEC issued a proposed cybersecurity rule applicable to registered investment advisers and registered investment companies, but did not issue the rule to publicly traded companies.
The rule requires notification to the Commission within 48 hours of discovering a significant cybersecurity incident. The rule also requires extensive policies and procedures, including a written information security plan and incident response plan, to address and respond to cybersecurity threats.
Companies will be required to increase disclosures and recordkeeping around cybersecurity practices, risks, and incidents.
On Feb. 9, 2022, the SEC released its long-awaited proposed cybersecurity rule, and there’s a lot to unpack. As GT reported previously, the SEC increased enforcement of cybersecurity compliance in 2021. As recently as Jan. 24, 2022, Chair Gary Gensler made cybersecurity the focus of his speech at Northwestern Law School’s Securities Regulation Institute.
(1) A risk assessment, including assessment of risks associated with certain service providers, oversight of such providers, and appropriate written contracts with such providers. This comes as no surprise given the interest the SEC has taken in the December 2020 SolarWinds Orion hack, which exposed more than 18,000 companies to a possible security breach attributed to Russian hackers. The SEC recognizes that a company’s security is only as good as the weakest link of its vendors.
(2) User security and access. The proposed rule would require companies to have an acceptable use policy outlining standards of behavior for individuals with certain access to information and systems; a method for identifying and authenticating individual users, expressly requiring multifactor authentication (MFA); procedures for passwords; restriction of access to employees on a “need to know” basis; and secured remote access technologies. The express requirement of MFA mirrors the enforcement actions announced Aug. 30, 2021, in which the SEC took eight registered broker-dealers and investment advisers to task for, among other things, failing to have MFA in place to prevent a compromise of email accounts, exposing sensitive information. The remote access requirements make sense in light of the risks that have emerged since the sudden onset of remote work due to COVID-19 beginning in March 2020.
(3) Information protection. Organizations will be required to conduct a periodic assessment of their information systems and information residing on such systems. The assessment should then be used to implement measures to prevent unauthorized access or use of data. The SEC gives examples of utilizing encryption, network segmentation, and access controls to reduce risks identified in a security assessment.
(4) Cybersecurity threat and vulnerability management. The proposed rule would require ongoing monitoring of risks and vulnerabilities, including conducting network and application scans and vulnerability assessments, as well as monitoring publicly available sources for the latest intelligence on security threats.
(5) Cybersecurity incident response and recovery. The SEC would also require an incident response plan (IRP) designed to ensure that a company can continue to operate during a significant cyber event, most likely a nod to the massive increase in ransomware attacks. The IRP should also include measures to protect systems and information, report significant events to the Commission, and document a cybersecurity incident, including the response and recovery efforts. The Commission also notes that the IRP should be tested, which generally takes the form of breach tabletop and business continuity exercises.