Standards, Regulations & Compliance , Video

Financial Services: Managing Changes to SEC Regulations

Fred Harris of Societe Generale on Frameworks, Automation and Trends
Fred Harris, managing director, Societe Generale Americas, and executive member of the CyberEdBoard

The U.S. Securities and Exchange Commission and the state of New York have proposed new cybersecurity regulations. Fred Harris, managing director of Societe Generale, says it's a "watershed moment for the industry" and offers insights as to how financial institutions can manage these changes.

See Also: Cisco Umbrella for Government: Helping Agencies Meet Their Enhanced Cybersecurity Mandates and TIC3.0 Standards

The SEC has proposed amendments to the Code of Federal Regulations Title 17, while the New York State Department of Financial Services has proposed sweeping changes to its Part 500 Cybersecurity Rules.

Of the proposals, two stand out as being the most significant, Harris said. Financial institutions are now "going to require a cybersecurity expertise on boards. ... It's not enough for the board members to be educated in cybersecurity, they're going to need someone who is an authority on cybersecurity." Also, the CISO will now be required to report directly to the CEO, Harris said.

He explained how he ascertains compliance by following the NIST Cybersecurity Framework and the use of automation.

"I started off with an inventory of all of the NIST controls mapped to every applicable framework and every law, rule and regulation that I was responsible for. Then we had our internal controls, which were already mapped to the NIST CSF. So then I could take all of my internal controls and when a control failed, I would immediately be able to tell when there was a potential compliance issue. So we started to create automation there.

"Then we tied our risk register and our open risk issues and mapped all of those to the controls, and then also our policies. So, now, if you think about that ecosystem, I could look at any one piece of that ecosystem and understand how it interrelates to everything else, and that allows me to have a lot of flexibility on providing regulatory requests," he said.

In this video interview with Information Security Media Group, Harris discusses:

  • The regulatory changes and timelines to observe;
  • Strategies to build a repeatable and sustainable program to manage regulatory changes and minimize impact on organizations;
  • Future regulatory changes to watch.

Harris previously served as head of cybersecurity risk, data risk and IT risk at Societe Generale. He worked in a similar role at Bank of America and, prior to that, served in a variety of roles over 16 years at Deloitte. He has more than 30 years of technology and cybersecurity experience in the financial services industry.


CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.

Join the Community - CyberEdBoard.io.

Apply for membership


About the Author

Anna Delaney

Anna Delaney

Director, Productions, ISMG

An experienced broadcast journalist, Delaney conducts interviews with senior cybersecurity leaders around the world. Previously, she was editor-in-chief of the website for The European Information Security Summit, or TEISS. Earlier, she worked at Levant TV and Resonance FM and served as a researcher at the BBC and ITV in their documentary and factual TV departments.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.