The Securities and Exchange Commission (SEC) issued a Commission Statement and Guidance on Public Company Cybersecurity Disclosures that many feel could be a precursor to greater cybersecurity oversight by the agency.
In the statement, the SEC states “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century” and notes “As companies’ exposure to and reliance on networked systems and the Internet have increased, the attendant risks and frequency of cybersecurity incidents also have increased”.
The prediction that this statement will lead to additional regulations is foreshadowed by the New York State Department of Financial Services’ 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies; by investors’ concern about the lack of risk awareness and about the consequences of breaches for companies they have invested in (or are considering investing in); and by the fact that breaches in the financial sector have tripled in the past five years.
Organizations in the financial sector should be thinking about:
- How have you evaluated your organization’s cyber risk? (The SEC emphasizes that investors have a right to be notified of major risk factors, even before an actual incident occurs.)
- Have your policies and procedures been recently reviewed to make sure they map to your current controls?
- What resources do you have in place for incident response?
- Would you pass an audit if the SEC required one today?
In the end, the issues raised by the SEC’s updated guidance are important for every organization. Cultivating corporate responsibility, sustaining consumer trust, protecting valuable data assets, and maintaining the integrity of critical ecosystems are all essential to long-term success and competitive advantage. Digging deep to identify vulnerabilities, track improvements and outcomes, and ensure accountability will create a stronger, more resilient organization.