Risk & Compliance Hot Topics: SEC Cybersecurity Rules, BSA/AML Exams, Data Breach Costs

This month’s roundup of recent news and developments in the world of governance, risk, and compliance (GRC) for financial services includes:

• Cybersecurity disclosure rules
• BSA/AML examination manual updates
• ESG a top procurement concern
• Data breach costs

Let’s dive in:

SEC issues new cybersecurity incident disclosure rules

On July 26, the Securities and Exchange Commission (SEC) adopted rules “requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” The rules will become effective 30 days after publication in the Federal Register and compliance with incident disclosure requirements will be enforced beginning 90 days after publication or no later than December 18, 2023.

Public companies must report incidents within four days of determining materiality. To prepare to comply with the new requirements, organizations must take a proactive approach to defining when an incident is material and make sure their reporting processes are up to the task, InformationWeek points out:

“Once a company’s leadership is aligned, the key stakeholders need a way to determine materiality, before an incident happens, to ensure any cybersecurity incident can swiftly be defined and then reported within the four-day window, if necessary…. Leadership teams will need to take a long, hard look at how cybersecurity risk maps to enterprise risk, which will require communication and coordination between business and security leaders.”

FFIEC updates BSA/AML examination manual

On August 2, the Federal Financial Institutions Examination Council (FFIEC) released updates to six sections of the Bank Secrecy Act/Anti-Money Laundering Examination Manual. The changes reorganize or revise the following sections:

• Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity
• Due Diligence Programs for Correspondent Accounts for Foreign Financial Institutions
• Due Diligence Programs for Private Banking Accounts
• Prohibition on Correspondent Accounts for Foreign Shell Banks; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
• Summons or Subpoena of Foreign Bank Records; Termination of Correspondent Relationship; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
• Reporting Obligations on Foreign Bank Relationships with Iranian-Linked Financial Institutions

In an outline of the updates, the FFIEC clarified that “there were no changes to the regulatory requirements covered by these sections. The agencies made revisions to ensure language clearly distinguishes between mandatory regulatory requirements and considerations set forth in guidance or supervisory expectations. The updated sections provide further transparency into the BSA/AML examination process and do not establish new requirements.”

Chief procurement officers rank ESG as a top priority

According to a recent Deloitte survey, the top three priorities for chief procurement officers (CPOs) for 2023 are: 1) driving operational efficiency, 2) enhancing ESG, and 3) digital transformation.

ESG jumped from the seventh to second-ranked priority in this year’s report, part of a survey series that has been conducted since 2011, a change due at least in part to growing regulatory pressures.

“As financial regulatory frameworks and standards are emerging to help quantify environment-related science-based metrics and targets, regulatory pressures in the United States and globally are forcing companies to look at ESG from a variety of lenses,” the report observes. “It is far from a simple compliance exercise nor is it something that is inherently at odds with cost—that is, if you view sustainability as ‘always more expensive,’ then your organization may be too narrowly focused on short-term value instead of long-term value.”

In the midst of this evolving regulatory landscape, financial services firms are also concerned about compliance and litigation risks related to ESG, Banking Exchange reports.

Data breach costs reach all-time high

The average cost of a data breach reached a record $4.45 million in 2023, according to IBM’s annual report, contributing to a 15% increase over the last three years.

An analysis by The GRC Report highlights the severity of breaches linked to third parties. For the 15% of organizations that identified a supply chain compromise as the source of a data breach, costs averaged $4.76 million, which is 11.8% higher than the average cost of breaches caused by other factors.

“The findings from the IBM report underscore the critical importance for organizations to prioritize third-party risk management and implement robust security measures to protect their supply chains. Collaborating with business partners comes with inherent risks, making it imperative for companies to thoroughly assess and monitor the security practices of their partners.”