SEC taking a tough stand on cyber threats
Due to rise in breaches among its members and on its systems, the Security and Exchange Commission (SEC) is thinking how it can tackle the problem of cyber threats.
The SEC suggested new amendments in March to supervise how investment firms and public companies under its purview should strengthen their IT security management and incident reporting.
Throughout the years, SEC's disclosure regime has advanced to highlight evolving risks and investor needs.
Current Cyber Security Landscape
Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks. A lot of issuers already provide cybersecurity disclosure to investors. I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner, said SEC Chair Gary Gensler.
SEC being rough on incident reporting and identity theft programs
In July, the SEC thrashed JP Morgan & Co, UBS and online stock-trader TradeStation with having deficient customer identity programs, all these programs have violated the Identity Red Flag rules, or regular S-ID between between January 2017 and October 2019.
Regulation S-ID aims to protect investors from identity threat risks. All the three financial organizations have agreed to: 1.Cease and desist from violations in future, 2. Getting censored, 3. Pay fines of $1.2 Million, $925,000, and $425,000, respectively.
Besides these commitments, the SEC's proposed amendments will need the financial institutions to provide current report regarding material cybersecurity cases and periodic reporting to give updates about earlier reported cybersecurity incidents.
The SEC in March issued that:
“proposed rule defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Under the new rule, it considered "information systems" in a broad sense, especially when the financial firm made use of a cloud- or host based systems.
SEC in the amendment says:
"The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks. The registrant’s board of directors' oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures."