Skip to content

SEC Cybersecurity Risk Governance: A Step-by-Step Guide to Compliance

SEC Cybersecurity Risk Governance: A Step-by-Step Guide to Compliance

Published on

As cyberattacks become more frequent and complex, ensuring cybersecurity is essential for companies and investors. To address these concerns, the SEC has proposed regulations to assess advisers' and funds' levels of preparedness for cybersecurity threats. 

In this article, we'll dive into the SEC Cybersecurity Risk Governance, the benefits, and what you need to know for your applications security program. 


What is the SEC Cybersecurity Risk Governance? 

The SEC Cybersecurity Risk Governance is a set of regulations that the Securities and Exchange Commission (SEC) has proposed to implement to protect investors from the risks of cybersecurity incidents. 

As described by the SEC Fact Sheet: 

The Commission's proposed rules and amendments are designed to address concerns about advisers' and funds' cybersecurity preparedness and reduce cybersecurity-related risks to clients and investors; to improve the disclosures clients and investors receive about advisers' and funds' cybersecurity exposures and the cybersecurity incidents that occur at advisers and funds; and to enhance the Commission's ability to assess systemic risks and its oversight of advisers and funds. 

The proposed regulations are based on the cybersecurity risk management framework: 

  • Risk Assessment: A process for identifying and assessing cybersecurity risks 
  • Control Measures: A method for developing and implementing controls to mitigate cybersecurity risks 
  • Incident Response: A strategy for responding to cybersecurity incidents 
  • Disclosure: A system for reporting and communicating cybersecurity incidents to the proper parties 

Read More: The SEC Is Inching Closer to Clarity on Cybersecurity Requirements 


Key Benefits of the SEC Cybersecurity Risk Governance 

While it may feel like an overstep for development teams and companies to comply with these SEC regulations, the overall goal is to protect investors and the market from growing cybersecurity risks. 

Here are some key benefits of the SEC Cybersecurity Risk Governance for the companies that need to comply: 

  • Public companies can increase investor confidence in their ability to protect their data and assets by demonstrating that they take cybersecurity seriously. 
  • Cybersecurity incidents can result in significant financial losses, both in direct and indirect costs, such as lost revenue and reputational damage. Public companies can reduce the risk of these losses by implementing strong cybersecurity risk management measures. 
  • Many laws and regulations, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require public companies to implement and maintain effective cybersecurity programs. By implementing SEC Cybersecurity Risk Governance, public companies can help to ensure that they are in compliance with these laws and regulations. 


What Development Teams Need to Know About the SEC Cybersecurity Risk Governance 

The first thing to know is that these SEC regulations apply to public companies that are or should be, registered with the SEC.  

The second thing to know is that as of June 2023, the proposed regulations are still in the comment period, and the SEC still needs to make a final determination on whether to adopt the regulations. But it's important to be familiar with the proposed regulations so that your team is ready to be compliant. And even if the rules are not adopted, it is still important for development teams to be aware of the risks of cybersecurity incidents and to take steps to protect their data and assets. 

Read More: Public Company Cybersecurity Proposed Rules Fact Sheet 

Let's look at what you can do for each area of the framework above: 


Risk Assessment 

The proposed SEC regulations aim to encourage companies to stay proactive regarding cybersecurity risks.  

Here are some things you can do for better risk assessment: 

  • Implement written policies and procedures designed to identify, assess, and manage cybersecurity risks 
  • Have a cybersecurity risk management framework in place with a process of identifying and evaluating cybersecurity risks 
  • Be aware of the latest cybersecurity threats by reading security blogs and following security experts on social media 

Read More: What is Threat Modeling? (Practical Guide + Threat Modeling Template) 


Control Measures 

The proposed SEC regulations aim to encourage companies to work in a way that protects company and user data.  

Here are some things you can do for better control measures: 

  • Educate employees about cybersecurity, including how to spot and report suspicious activity 
  • Require secure coding training for everyone within the SDLC to ensure code is being developed securely 
  • Use a secure development environment to isolate the development environment from the rest of the network 

Read More: What Is Secure Coding Training? 


Incident Response 

The proposed SEC regulations aim to encourage companies to have a plan in case a cybersecurity incident does occur at your company.  

Here are some things you can do for better incident response: 

  • Have a plan for responding to cybersecurity incidents, including having a designated point of contact for security incidents and having a process for restoring data and systems in the event of an incident 
  • Have a board of directors or a committee of the board of directors responsible for overseeing the company's cybersecurity risk management program 



The proposed SEC regulations aim to encourage companies to properly disclose cybersecurity incidents to those affected and the SEC, investors, and advisors.  

Here are some things you can do for better disclosure: 

  • Develop a recording-keeping protocol to document the relevant details of cybersecurity incidents properly 
  • Build a communication plan to disseminate cybersecurity incident information to the applicable parties 


Are You Building Your Framework? 

In the ever-changing threat and regulatory landscape of cybersecurity, it can take time to know what your next step should be. While growing regulations and outside voices may shape your application security program, it will always start with your team of developers. 

If you’re ready for your next step, contact our team today to learn how secure coding training can be the foundation of an effective application security program at your organization.