Twitter Linkedin

SEC and NYDFS for the Win

This fall has been extremely active in cybersecurity, with new benchmarks in both regulation and in enforcement. The SEC’s Cybersecurity Final Rule – a 186-page behemoth – had been released over the summer and in September we saw the first SEC filing when Clorox filed the first 8K announcing it had been the victim of a cyber incident. While there are arguments to be made about whether incident notification to the SEC within 72 hours of an incident being deemed “material” is actually helpful to the investing public, the SEC’s push for stronger internal cybersecurity governance and controls forces improvements that can only help raise defenses across publicly traded companies. 

When the New York Department of Financial Services (NYDFS) released its updated Cybersecurity Regulation on November 1, it was clear that the NYDFS had been keeping a close eye on the SEC’s cyber rules. The NYDFS regulation puts teeth into the SEC’s approach, increasing the obligations imposed on a CISO, as well as the duties and obligations of the Board or senior executive group at the company.  In fact, NYDFS gets quite prescriptive into what companies will have to include in their cybersecurity plans, including:   

  • Technical controls around least privileged access and password management
  • Multi-factor authentication deployment
  • “Complete, accurate, and documented” asset inventory for each asset, with detailed requirements on a per asset basis of what must be recorded
  • Controls for malicious code
  • Annual social engineering as a part of the company’s overall cybersecurity training 
  • Endpoint detection and lateral movement solutions
  • Centralized logging and event alerting

If companies were not paying attention to the fact that cybersecurity is now a Board-level issue, the SEC put it there this summer, and NYDFS gave Boards directions on exactly what to do. Companies are now on notice.

The SEC’s enforcement action against SolarWinds and CISO Tim Brown is such a significant development this fall that it merits its own post, and so I’ll follow up on that soon. 

CITATIONS AND SOURCES:

Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure 

Clorox Cyberattack Brings Early Test of New SEC Cyber Rules – WSJ 

 Regulations – Financial Services: Final Adoption of the 2nd Amendment to Regulation 23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies – November 1, 2023 – Second Amendment – without changes highlighted 

Company

Services

Newsletter

Sign up today for hints, tips & the latest service news


Copyright © 2024 Advancing Cyber – All Rights Reserved. Advancing Cyber and Advancing Responder are Trademarks of Advancing Cyber, Inc.

Privacy Policy