Data governance is the responsibility for managing an organization's data's availability, usability, integrity, and security within its enterprise systems. This is done according to internal data standards and policies that regulate data usage. Good data governance ensures that data is reliable and accurate, is not misused, or has the potential to be exploited by internal or external threats. With the US Security and Exchanges Commissions' (SEC) new final rule, which was announced on 26th July 2023, it's now a legal requirement for registrants to disclose material cybersecurity incidents that they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The new regulations brought in by the final rule fully underscore the growing emphasis on data management, integrity, and security within the financial industry, proving now, more than ever, how important it is to ensure your firms' data governance and cybersecurity measures are totally sound.
In the alternative asset industry, having and maintaining a robust data governance policy is imperative to maintain compliance with regulatory requirements and reporting, enhance transparency, support cybersecurity risk management and foster investor confidence. The SEC's chair, Gary Gensler, stated, "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
The final rule is an amendment to Form 8-K to add Item 1.05, "Material Cybersecurity Incidents." 8-K is a report that must detail unscheduled material events or corporate changes at a company that could be of significant importance to the Shareholders, Investors or the SEC. This report notifies these bodies of events, including acquisitions, bankruptcy, the resignation of directors, or changes in the fiscal year. The addition of the final rule now dictates that firms must disclose any material cybersecurity incidents within four business days from the date on which the registrant determines that the incident is considered material to the registrant. The only exception to this rule is if the US Attorney General "determines immediate disclosure would pose a substantial risk to national security or public safety," then the registrant may then delay filing the Form 8-K.
The addition of the SEC's final rule fully emphasizes the need for alternative asset firms and institutions to establish comprehensive data management frameworks that address data quality, accessibility, lineage, and security in a harmonious and homogenized manner across the US and beyond. The rule's impact extends beyond geographical boundaries, as their establishment now also requires comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance. The alternative asset sector operates in a globally interconnected landscape, and adherence to stringent data governance standards fosters investor confidence and promotes cross-border investment. By adhering to these regulations, organizations can mitigate risks associated with data inaccuracies, unauthorized access, cybersecurity risks and potential breaches, all of which could adversely impact their operations and reputation with investors.
The SEC's new final rule establishes rigorous standards for data governance, focusing on accurate, reliable, and timely reporting of material cybersecurity information, emphasizing the paramount need for all US operating firms to uphold a high level of data accuracy and consistency. The rule's implications are profound, and if your firm or institution needs support in bolstering its data collection, validation, and reporting processes in alignment with the final rule policy, please reach out to Portfolio BI today.