On February 9, 2022, the SEC proposed and requested comments to its first ever cybersecurity risk management rule. https://www.sec.gov/news/press-release/2022-20
The proposed rules would require advisers and funds to adopt and implement written cybersecurity policies and procedures.
SEC Chair Gary Gensler. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”
The following areas are identified by the SEC:
|Cybersecurity Risk Management Rules||Reporting of Significant Cybersecurity Incidents|
|Disclosure of Cybersecurity Risks & Incidents||Recordkeeping|
In January 2020, the SEC published observations related to a general lack of cybersecurity preparedness. OCIE Cybersecurity and Resiliency Observations.pdf
In January 2022, the OCC’s Acting Comptroller, Michael J. Hsu, noted in the OCC 2021 annual report,
“Complacency also exposes banks to operational risks in cybersecurity. For instance, some banks have postponed investments that update and maintain their information technology (IT) systems, complacently satisfied with current IT systems. Postponing IT updates and maintenance, however, increases operational risk.” https://www.occ.gov/about/what-we-do/annual-report/index.html
What impact does this have on, your institution, and your third-party service providers?
Cybersecurity threats are here to stay, they are significant and increasing. Organizations (government, public, and private) must work to protect the safety and soundness of our financial institutions and the citizens that participate. Regardless of to which regulatory agency/s you are aligned, you and your service providers need ensure that all cybersecurity programs are appropriately monitored, assessed, and managed in concert with the most current guidance available.
If you need help maturing your cybersecurity program – contact Fortrex at 877-FORTREX or firstname.lastname@example.org.