The SEC and Systems Controls for Cyber Risk

Our colleague Diane Janosek, a globally known cyber compliance expert and attorney, wrote here about the new SEC systems controls requirements, originally published at The Cyber Guild. Diane also described her recommended approach to cyber compliance.

The impact of the SEC rules, which will require regulated companies to detail their cybersecurity program in annual risk disclosures, will have an impact beyond publicly traded companies. Any vendor, service provider or other business partner who is doing business with the regulated company will create an attack vector for the publicly traded company, and the SEC systems control requirements will necessitate controls for that risk. In other words, the SEC rule will flow down market because any entity doing business within the regulated industry will itself have to have adequate cyber risk controls.

The banking sector regulations have similarly flowed down market, which is instructive for how the SEC rule will play out. A complete cyber program is becoming a compliance requirement much more broadly, as Diane has pointed out. Being “cyber prepared” is the attribute customers of OnCall Cyber and its partnership with the CyberJuris Network most recognize as the business reason for working with our professionals.