The SEC is done playing around. This summer, particularly August, the SEC has demonstrated its resolve to bring the cyber house to order, first by actions against public companies for alleged poor cyber disclosures and the governance around such disclosures, and then by actions against SEC registrants (e.g., broker-dealers and investment advisers) alleging failures to implement basic cybersecurity controls even when internal policies called for such controls. The later actions, as noted, were aimed at broker-dealers and investment advisers, but the ramifications are much broader. Please read our analysis here: https://www.linklaters.com/en/insights/blogs/digilinks/2021/august/us-the-sec-makes-its-mark-on-cyber
Basic cyber hygiene is a necessity: Multi-Factor Authentication is no longer truly optional. With every regulator calling for it, even for those entities not covered by cyber regulations, MFA is required as “reasonable security.” But it isn’t enough to have a policy about it: it must be implemented.