Making Sense of the New SEC Regulations and the Role of IT Asset Disposition (ITAD)

Jun 11, 2024

By: Clint Parsons, Director of Strategic Partnerships, SEAM

The Securities and Exchange Commission (SEC) has recently ramped up its focus on cybersecurity to address the growing threat of data breaches. This includes new rules for reporting cybersecurity incidents and updates to existing regulations that impact how organizations handle IT assets.

The SEC’s New Cybersecurity Reporting Rules

In 2023, the SEC introduced new rules that require public companies to report significant cybersecurity incidents within four business days. This means if your company experiences a major data breach, you must inform the SEC quickly. Additionally, companies now need to provide annual updates on how they manage and protect against cybersecurity risks.

Updates to Regulation S-P

On May 16, 2024, the SEC issued updates to Regulation S-P, a rule first established in 2000. The original rule required broker-dealers, investment companies, and Registered Investment Advisers (RIAs) to have written policies to safeguard customer information, including how they dispose of it.

The new updates to Regulation S-P include:

  • Written Procedures for Cybersecurity Breaches: Companies must have documented plans for responding to cybersecurity incidents.
  • Customer Notification: If a data breach occurs, affected customers must be notified promptly, but no later than 30 days after the breach is discovered.
  • Incident Response Program: Companies need to have measures in place to detect, respond to, and recover from unauthorized access to customer information.

These updates aim to better protect customers’ financial data in today’s rapidly changing cybersecurity landscape.

Focus on Physical Security of IT Assets

A key area the SEC is focusing on is the physical security of IT assets. This means protecting IT equipment from the time it’s acquired until it’s disposed of. Proper management and disposal of IT assets are crucial to preventing data breaches.

The SEC’s Risk Alert Program

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has been evaluating financial services firms to assess their cybersecurity practices. Their focus areas include:

  • Governance and Risk Assessment
  • Access Controls
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response

Their findings highlight best practices in cybersecurity and emphasize the need for strong physical security measures for IT assets.

Ensuring Secure IT Asset Disposition (ITAD)

According to IBM Security, the average cost of data breaches has been rising steadily and reached an all-time high in 2023. Beyond the financial impact, data breaches can damage a company’s reputation and erode customer trust.

To mitigate these risks, organizations need secure IT asset disposition (ITAD) processes.

Key elements of a secure ITAD program include:

  • Data Destruction: Ensure all data-bearing assets are completely destroyed or sanitized before recycling or refurbishing.
  • Chain-of-Custody: Implement a process that tracks the possession of each asset, providing a detailed history and comprehensive audit reports.
  • Third-Party Certification: Use ITAD providers with certifications like NAID AAA, e-Stewards and R2, which guarantee high standards of security and environmental compliance.

Evaluating Your ITAD Program

With the SEC’s increased focus on cybersecurity, it’s essential for IT professionals to reassess their ITAD processes. A strong ITAD program should include:

  • Secure chain-of-custody tracking
  • Complete data destruction or sanitization
  • Compliance with environmental regulations

Partnering with a certified ITAD provider can help ensure your organization meets these standards, reducing the risk of data breaches and maintaining compliance with SEC requirements.

Proactive Steps and Future Considerations

The updated regulations reflect the SEC’s heightened focus on cybersecurity, with more changes likely to come. Investing in cyber insurance policies and leveraging external expertise can provide additional support in managing cybersecurity risks effectively.

As the SEC sharpens its focus on cybersecurity, it’s crucial for businesses to prioritize the protection of nonpublic personal information. By adopting comprehensive IT asset management and disposition strategies, companies can better safeguard customer data, comply with regulatory requirements, and build trust with their clients.

At SEAM in Sioux Falls, we are dedicated to helping our customers in North Dakota, South Dakota, and Iowa navigate these new regulations. As the only certified ITAD company in the Dakotas, we provide secure, compliant, and certified IT asset disposition services to ensure your data is protected every step of the way. Contact us today to be your partner in achieving cybersecurity compliance and safeguarding your sensitive information.


Clint Parsons is the Director of Strategic Partnerships at SEAM, specializing in building partnerships with businesses of all sizes. He ensures clients effectively navigate secure data destruction and responsible recycling and maximize the resale value of their IT equipment while staying compliant with evolving regulations.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.
