On February 9, 2022, the Securities and Exchange Commission proposed its first comprehensive Cybersecurity Rule.
The proposal would create a so-called cyber hygiene program, mandate annual investor disclosures on cybersecurity preparedness, and require advisors to maintain records on such practices, the proposal states. The proposal notes that part of the Rule would also give advisors up to 48 hours to tell the SEC if they’ve been hacked. They must also make “prompt” disclosure to investors.
Craig Moreshead, managing director, Foreside, shared with Ignites that “The 48-hour turnaround is a short window, particularly if a firm is still trying to assess whether the breach is “significant” or causes “substantial” harm, as the rule requires. As a result, firms may end up overreporting.
Click here to read the full article in Ignites to learn more about how the new proposal could trigger annual public disclosures of any breaches from advisors for the past two years.