The SEC cybersecurity rule is proposed on March of 2022 (See our report on it at http://ria.tips/ebook) They opened it up for comments again in March. That second comment period closed but it is uncertain when a final rule will be released, or when it will be implemented.
I personally read through the comments, and they were illuminating, I expected to see calls for the rule to be watered down, instead the most common themes were:
- Extend the 48 hour disclosure deadline
- Harmonize the reporting requirements and timelines, both intra-agency and interagency
- Add more clarity to various definitions
A disclosure deadline beyond 48 hours should absolutely be in the final rule. I have opined against it myself.
The reporting and disclosure harmonization is perhaps the most helpful suggestion in the 300+ pages of comments. For firms under multiple regulations, both from the SEC and other regulatory bodies, this:
- Eases the reporting burden
- Allows more resources to be used on responding to a cyber incident rather than reporting it
- Increases the usefulness of the reports in general
We’ll see if it happens: the hodgepodge approach to cybersecurity at every level of government is both what makes the harmonization needed, and prevents it from happening due to the complexity of the attempt at the same time.
Download our Report!
Get your copy of What Every Business Owner Must Know About Hiring an Honest, Competent, Responsive, and Fairly-Priced Computer Consultant.