The SEC is Focused On Cybersecurity Along With Insurers and Investors

According to Proskauer, the Securities and Exchange Commission (SEC) is focused on cybersecurity and has proposed new rules that will affect private investment advisers and funds. The SEC’s new rules aim to increase attention to cybersecurity by insurers and the SEC itself. Investors are also comparing one company’s cybersecurity measures to another’s due to the SEC’s Rule on cybersecurity and incident reporting by public companies, which was adopted in July 2023.

Proskauer expects a market-wide shift in focus to cybersecurity issues. The SEC says that it is not “seeking to prescribe particular cybersecurity defenses, practices, technologies, risk management, governance, or strategy,” but standards are certain to become more comprehensive and sophisticated. 

A 2024 survey of compliance professionals showed that their primary concerns were how new and proposed rules will be enforced, and the time frame for compliance with incident reporting requirements. Rising cybersecurity risks are driving higher per-incident costs for both companies and investors. The global average cost per data breach in 2023 was $4.5 million. In the US it was $9.48 million, according to an annual report by IBM.

As of December 18, 2023, public companies must disclose all “material” cybersecurity incidents within four business days of determining “materiality,” and that assessment must be made quickly. The SEC’s proposed rule for advisers is a reflection of their fiduciary role. They will be required to file a report within 48 hours of concluding, or having a reasonable basis to conclude, that a significant adviser or fund cybersecurity incident has occurred or is occurring.

A significant cybersecurity incident is defined as one impacting the adviser, the fund it manages, or one of the investors in the fund.

The SEC’s determination to require board-level attention to cyber resilience is similar to regulators in other Western countries. For example, a draft code on cyber security governance in the UK was launched in January 2024 as part of the government’s National Cyber Strategy. It is designed to help businesses meet legal and regulatory obligations and emphasizes the need for a top-down approach to incident response and prompt recovery.