The Securities and Exchange Commission (SEC) on Thursday said it is now gathering capital market players’ views on the proposed policies on the cyber resilience framework, in line with the government’s bid to protect investors and ensure market stability.
In a press release, the SEC said it issued for public comment the draft memorandum on Wednesday.
“The proposal is in line with the government’s National Cybersecurity Plan 2023 to 2028, which recognizes cybersecurity as critical to peace, security and economic development,” it said.
The SEC explained that, under the proposal, regulated firms would “adopt a cyber resilience framework that outlines their cyber resilience objectives and cyber risk tolerance, as well as procedures on how they can effectively identify, mitigate, and manage cyber risks to support their objectives.”
It said covered firms “will be required to exercise oversight of risks stemming from cybersecurity threats” and “will also be responsible for the creation or appointment of a Computer Emergency Response Team (CERT).”
Firms will be required to create a new position to be called the chief information security officer (CISO), who will be tasked as the chief information officer and the primary liaison for the company.
The SEC said the proposed policies “also provide that covered entities will remain responsible for the cybersecurity and resilience of computer systems they rely on, even if those systems are managed by a third party.”
“If a covered entity experiences a cyber incident that is determined to be material, it should disclose to the SEC within five days after the occurrence of the event the nature, scope, and timing of the incident. The company should also report its material impact or reasonably likely material impact on the, including its financial condition and results of operation,” it added.

