April 6, 2022
March 2022 Cyber Recap

WHAT HAPPENED?

Significant changes are on the horizon for cybersecurity requirements for investment advisers and other companies in critical infrastructure.
March 9th, 2022: On March 9th, 2022, the SEC proposed rules and amendments surrounding cybersecurity for RIAs and public companies to enhance disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting.
The proposal would require the following:
March 15th, 2022: On March 15th, 2022, President Biden signed the Consolidated Appropriations Act, 2022, the fiscal year 2022 omnibus spending bill. The bill includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Division Y), which would require an entity to report a “substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule” to the Cybersecurity and Infrastructure Security Agency (“CISA”).
Under the law, any covered entity that experiences a substantial cyber incident must:
CISA has 24 months to further define what this law will entail; however, the financial services industry is considered to be critical infrastructure. Companies must review and revise their incident response policy and plan as needed in order to comply with the law.
March 21st, 2022: President Biden made a National Security Alert statement on March 21st, 2022, regarding our nation’s cybersecurity. President Biden emphasized his previous warning about the potential threat of Russia conducting malicious cyber activity against the United States and the critical importance of cybersecurity. The President urged companies to harden their cyber defenses immediately and utilize cybersecurity best practices that have been developed over the last year. A joint cybersecurity advisory alert was also issued by the FBI, CISA, and MS-ISAC in response to a Chinese advanced persistent threat (APT) group leveraging customized attacks using tools like KEYPLUG and a Remote Access Trojan.
March 30th, 2022: The Division of Examinations (“Division”) published its 2022 Examination Priorities.
One of the five significant focus areas for 2022 was Information Security and Operational Resiliency. Implementing information security controls is critical to protecting investor information, business continuity, and maintaining strong financial markets. A single data breach typically spans a wide net, impacting not only the firm but also other market participants and retail investors. To counteract this risk, the Division will continue to review practices investment advisers have in place to:
The Division will also continue reviewing business continuity and disaster recovery plans, with a focus on compliance with Regulations S-P and S-ID.

WHAT DOES THIS MEAN FOR ME?

Firms should consider what changes would be necessary to comply with the Cyber Incident Reporting for Critical Infrastructure Act and the proposed amendments. Firms should also take a defensive stance in response to security alerts. External vulnerability scans should be conducted regularly, and vulnerabilities identified should be resolved in a timely manner. Incident Response Plans should be reviewed regularly and updated if needed. Reviews of employee credentials and access levels should be conducted regularly and documented appropriately. Multi-factor Authentication (“MFA”) should be implemented wherever possible, and companies should take time to update their network diagram.
In addition, firms should:
If your firm requires assistance interpreting and implementing these proposed cybersecurity laws, amendments, recommendations, or is seeking further guidance on cybersecurity issues, Fairview Cyber can help. Contact us today for more information about our services.