Many companies are now grappling with the imminent enforcement of the new SEC regulations. According to Davis Polk, this affects specifically “market entities” including “many types of broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.” A rule proposed by the SEC last year would make a company obligated to report a cybersecurity breach within 4 days of noticing it. This rule, which changes the game on incident reporting, is now up for comments with the comment period ending on May 22nd.
Though it has been a long time coming, cybersecurity is no longer the last box a company checks on the long list of worries and compliance requirements. Companies today are constantly in battle against cyber attackers, and without holistic cybersecurity programs, this trend will only continue. Another side of this is the rule that makes companies report any hack within a certain amount of time. Previously companies were not reporting the hacks which leaves clients unaware of when their information has been stolen. This new rule emphasizes the importance of finding the appropriate solutions to keep your company safe to avoid the need to report entirely. Amongst these new regulations, executive boards will be required to have “Cyber Experts” to keep up with this ever-changing industry. According to the Wall Street Journal, “more than three-quarters of boards have at least one cyber expert among the directors.” However, in the same survey, they reported that “only three in 10 directors rate their board’s ability to oversee a cyber crisis highly.” Many organizations have gotten on board, but this rule is proving to be a challenge for small- to medium-sized businesses that haven’t previously thought they needed to worry about cybersecurity.
The most likely origin of these rules are due to the large uptake in ransomware and other cyber attacks. When ransomware companies attack they often steal clients personal information and, even if they are paid, often keep the victims’ data. This causes people to be wary of giving companies their personal information; these reforms are put into place to help people feel safer and give some regulation to a previously unregulated market.