On March 9, 2022, the SEC released new proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.
The proposed rules would require advisers and funds to adopt and implement policies and procedures that are designed to address cybersecurity risks. Advisers and funds would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures; and prepare a report describing the review, explaining the results, documenting any incident that has occurred since the last report, and discussing any material changes to the policies and procedures since the last report.
The proposed amendments would require current reporting of material cybersecurity incidents by adding a new item to Form 8-K which is already in use. This added item would require companies to disclose material cybersecurity incidents within four business days of an incident being determined to be material.
Required disclosure would include:
When the incident was discovered and whether it is ongoing.
A brief description of the nature and scope of the incident.
Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose.
The effect of the incident on the company’s operations; and
Whether the company has remediated or is currently remediating the incident.
The proposed rules would also require disclosure about the cybersecurity expertise of members of the board, if any. The proposed rules do not define “cybersecurity expertise” but provide several factors to consider, such as prior work experience or certifications in cybersecurity. (ISC)² addresses each of these in our response.
These new proposed rules would have a signifi ..
Support the originator by clicking the read the rest link below.
2 Supports Members with Thoughtful Response to SEC Proposed Rule on Cybersecurity Reporting){kind=link}