Financial Services: Managing Changes to SEC Regulations
Fred Harris of Societe Generale on Frameworks, Automation and Trends
The U.S. Securities and Exchange Commission and the state of New York have proposed new cybersecurity regulations. Fred Harris, managing director of Societe Generale, says it's a "watershed moment for the industry" and offers insights as to how financial institutions can manage these changes.
The SEC has proposed amendments to the Code of Federal Regulations Title 17, while the New York State Department of Financial Services has proposed sweeping changes to its Part 500 Cybersecurity Rules.
Of the proposals, two stand out as the most significant, Harris said. Financial institutions are now "going to require cybersecurity expertise on boards. ... It's not enough for the board members to be educated in cybersecurity, they're going to need someone who is an authority on cybersecurity." Also, the CISO will now be required to report directly to the CEO, Harris said.
He explained how he verifies compliance by following the NIST Cybersecurity Framework and by automating the mapping between controls and regulatory requirements.
"I started off with an inventory of all of the NIST controls mapped to every applicable framework and every law, rule and regulation that I was responsible for. Then we had our internal controls, which were already mapped to the NIST CSF. So then I could take all of my internal controls and when a control failed, I would immediately be able to tell when there was a potential compliance issue. So we started to create automation there.
"Then we tied our risk register and our open risk issues and mapped all of those to the controls, and then also our policies. So, now, if you think about that ecosystem, I could look at any one piece of that ecosystem and understand how it interrelates to everything else, and that allows me to have a lot of flexibility on providing regulatory requests," he said.
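An added sketch of the control-mapping ecosystem Harris describes above (example code written for this page, not Societe Generale's tooling), using constructed mappings with placeholder CSF subcategory and Part 500 references: a failed internal control is followed out to the framework subcategories, regulations, open risk items and policies it touches, and a regulatory request is answered by the reverse lookup.

```python
from collections import defaultdict

# Constructed, illustrative mappings (not Societe Generale's data); the
# CSF subcategory and Part 500 section references are placeholders.
CONTROL_TO_CSF = {            # internal control -> NIST CSF subcategories
    "IAM-01": {"PR.AC-1"},
    "CRYPTO-03": {"PR.DS-1"},
    "MON-02": {"DE.CM-1"},
}
CSF_TO_REQUIREMENTS = {       # CSF subcategory -> laws, rules, regulations
    "PR.AC-1": {"NYDFS 500.07", "SEC 17 CFR (proposed)"},
    "PR.DS-1": {"NYDFS 500.15"},
    "DE.CM-1": {"NYDFS 500.14"},
}
RISKS_TO_CONTROLS = {"RISK-117": {"IAM-01", "MON-02"}}   # risk register
POLICIES_TO_CONTROLS = {                                 # policies
    "POL-Access-Mgmt": {"IAM-01"},
    "POL-Encryption": {"CRYPTO-03"},
}

def invert(mapping):
    """Reverse a one-to-many mapping so the ecosystem can be walked from either side."""
    out = defaultdict(set)
    for key, values in mapping.items():
        for v in values:
            out[v].add(key)
    return out

CONTROLS_TO_RISKS = invert(RISKS_TO_CONTROLS)
CONTROLS_TO_POLICIES = invert(POLICIES_TO_CONTROLS)

def impact_of_failure(control_id):
    """Everything a single failed internal control touches in the ecosystem."""
    subs = CONTROL_TO_CSF.get(control_id, set())
    reqs = set().union(*(CSF_TO_REQUIREMENTS.get(s, set()) for s in subs))
    return {
        "csf_subcategories": sorted(subs),
        "requirements": sorted(reqs),        # potential compliance issues
        "open_risks": sorted(CONTROLS_TO_RISKS.get(control_id, set())),
        "policies": sorted(CONTROLS_TO_POLICIES.get(control_id, set())),
    }

def evaluate(control_results):
    """control_results maps control id -> passed; report only the failures."""
    return {c: impact_of_failure(c) for c, ok in control_results.items() if not ok}

def controls_for_requirement(requirement):
    """Reverse lookup for a regulatory request: which controls evidence it?"""
    subs = {s for s, r in CSF_TO_REQUIREMENTS.items() if requirement in r}
    return sorted(c for c, cs in CONTROL_TO_CSF.items() if cs & subs)
```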
In this video interview with Information Security Media Group, Harris discusses:
- The regulatory changes and timelines to observe;
- Strategies to build a repeatable and sustainable program to manage regulatory changes and minimize impact on organizations;
- Future regulatory changes to watch.
Harris previously served as head of cybersecurity risk, data risk and IT risk at Societe Generale. He worked in a similar role at Bank of America and, prior to that, served in a variety of roles over 16 years at Deloitte. He has more than 30 years of technology and cybersecurity experience in the financial services industry.