Public and private companies in the financial services industry face an ever-growing number of external influences and pressures around good business practice and regulation. Two of the most critical are the mounting expectations to keep people and data safe and the scrutiny of regulators that exist to protect the assets of the industry.
The SEC (U.S. Securities and Exchange Commission) has proposed a new, comprehensive rule that will have profound implications for the industry. Why has Rule 10 been proposed? The context behind it is summarized well by Thomson Reuters:
“There must be a shift in mindset whereby threats should no longer be considered a surprise but rather expected or inevitable.”
The numbers around Ubiquiti’s experiences tell the shocking story well. In 2015, $46.7 million was stolen through business email compromise (BEC), by hackers posing as the company’s CEO. The company didn’t even realize that 10% of their cash position was missing until they were notified by the Federal Bureau of Investigation (FBI).
Then in 2023, as if their earlier drama wasn’t enough, a leading developer in the company was jailed for posing as a hacker, targeting the organization with ransomware, and then pretending to investigate himself. While Ubiquiti declined to pay the ransom, once the truth unraveled following an FBI investigation and whistleblowing by the ex-employee, the company lost a further $4 billion as their stock value plummeted by 20%!
This is an extreme case but highlights the real scale that cyberattacks can amount to, particularly in regulated industries. But the good news is that a lot can be done to stop this kind of activity from occurring.
Aligning cybersecurity with the proposed SEC Rule 10 before it becomes law is not just ticking a compliance box; it gets ahead of potential threats now instead of waiting for the unthinkable to happen through a breach. The requirements of Rule 10 are very likely going to be a necessity for business continuity and integrity as we move into the future, regardless of whether you are in a regulated industry or not. You may as well get ahead of the game.
In this blog, we give you everything you need to know to prepare for the SEC’s proposed Rule 10.
What Is SEC Rule 10?
The SEC’s new rule is proposed to apply to all “Market Entities” and “Covered Entities”. In a nutshell, it calls for the establishment, maintenance, and enforcement of written policies and procedures that are designed to address their cybersecurity risks.
Organizations are to do this well in advance of a cybersecurity incident, and they will be required to regularly review the effectiveness of their measures.
But there is a twist: the rule will also apply even if you’re not a Market or Covered Entity! How so?
Gary Gensler’s leadership of the SEC is taking a determined approach to enforcement that goes beyond public companies and registrants. In a recent lawsuit involving a private firm called Covington & Burling, the SEC demanded the names of clients caught up in a 2020 cyberattack on the firm. This sets a precedent for wider governance and accountability that aligns with the key values of the legislation.
Summary of the Requirements of SEC Rule 10
The current outline of SEC Rule 10 suggests these requirements:
- Procedures for periodic assessment of cybersecurity risks associated with the covered entity’s information systems and written documentation of the risk assessments.
- Controls designed to minimize user-related risks and prevent unauthorized access to the covered entity’s information systems.
- Measures designed to: 1) monitor the covered entity’s information systems; 2) protect the covered entity’s information from unauthorized access or use; and 3) oversee service providers that receive, maintain, or process information or are otherwise permitted to access the covered entity’s information systems.
- Measures to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities to information systems.
- Measures to detect, respond to, and recover from a cybersecurity incident, and procedures to create written documentation of any cybersecurity incident and the response to and recovery from the incident.
- At least annually, the covered entity would need to review and assess the design and effectiveness of its cybersecurity policies and procedures. Covered entities also need to prepare a written report that describes the review and how it was done.
Remember, the rule is yet to be finalized, but it’s much better to get ahead rather than playing catch-up!
Why Compliance Is Not Optional
It’s likely that Rule 10 is going to be approved because it proposes a range of measures that are appropriate to a world where the cyber landscape is becoming more complex while evolving more rapidly.
Regulators are trying to be more agile. They know that the safeguards they stipulate are falling behind the pace of change in technology. This is why Rule 10 is more than a set of rigorous checkboxes—it’s reflective of the benchmark security standards that the financial services industry needs to protect consumers and clients from cyber threats.
This can look like meeting all of your team and breaking the ice before the engagement, providing simple and clear documentation for getting helpdesk support and using new tools, and installing handy tools on their desktops to simplify IT access and support.
How SEC Rule 10 Affects Your IT Operations
The SEC’s proposed rule will impact your IT operations in several ways:
- Technical measures, policies, processes, and people will need to be aligned and integrated together like never before.
- Each regulated financial services business will need to step further into an evolutionary and reflective approach to their cybersecurity as opposed to a static one.
- Advanced cybersecurity measures will be needed to meet the requirements. This includes advanced email protection and managed extended detection and response (MXDR).
- People will need to be cyber-savvy and continually trained. Did you know that business email compromise attacks, such as the one on Ubiquiti, are by far the most common, and that hackers are getting better at remaining undetected by most cybersecurity measures?
Preparing for SEC Rule 10 Compliance: Steps to Take
There are three key steps that your financial services business will need to take.
The first is to conduct a gap analysis to see where you stand against the SEC’s new requirements. This will give clarity and frame your efforts going forward.
Secondly, you need to create a cybersecurity roadmap so you can bridge the gap and focus your efforts. You can use a framework such as the Center for Internet Security (CIS) Critical Security Controls to help you. Most financial services firms will need to adopt the security controls within Implementation Group 2 of this framework.
Thirdly, implement the roadmap. You won’t need to do it all at once if you start now before the rule is enacted! The roadmap can be gradual and help you address your top priorities first.
The Role of IT Support in Ensuring SEC Rule 10 Compliance
It is important to remember, too, that you won’t need to do it all alone! As Rule 10 pushes for new controls, tools, and actions, your IT services provider should be an integral part of putting your roadmap into action. A specialist IT service provider can make your journey to robust security and SEC Rule 10 compliance a much faster and smoother one, helping you gain the foresight you need to make a cybersecurity plan. They can help you with the bits and bytes of implementation, as well as be your go-to partner for IT support and remediation if any challenges, issues, or questions arise.
They can take the trouble, frustration, and uncertainty out of the process for you, so you can keep focusing on what you do best.
Take the First Step: Claim Your Free SEC Rule 10 Gap Analysis
Gain actionable clarity on your SEC Rule 10 compliance with a complimentary gap analysis on us. If you qualify, we’ll show you how to pave the way to Rule 10 compliance and a highly secure business that is resilient both today and going forward.
The SEC’s proposed Rule 10 represents a crucial pivot toward addressing cyber threats effectively at a time when the rising pace and complexity of technology is prompting higher regulatory standards for the industry.
This rule isn’t simply a regulatory hoop to jump through—it’s really a clarion call to enhance cyber standards and safeguard customers from sophisticated cyber risks.
While evolving your cybersecurity to meet these standards can be a daunting task, there is help at hand! An IT service provider can help you find the gaps, fill them, and evolve your security with the cyber landscape, enabling you to focus on what you do best with peace of mind.
Anderson Technologies: Cybersecurity and SEC Rule 10 Compliance Partners
If you would like clarity on your current SEC Rule 10 gaps and want to gain actionable insights, give us a call. And don’t forget, you can see if you are eligible for a complimentary gap analysis from Anderson Technologies! We’re always happy to help you.