The Securities and Exchange Commission is reopening the public comment period for its proposed rule on cybersecurity, after it was initially released last year.
The rule was originally proposed in February 2022, with an initial comment period extending into April of last year, and it would pertain to RIAs, as well as registered investment companies and business development companies.
If finalized as written in the proposal, the rule would require advisors and funds to create reasonably designed policies and procedures to protect clients’ information if a breach occurred, and to disclose cyber incidents on amendments to their Form ADVs.
Additionally, firms would be tasked with reporting “significant” cyber incidents to the SEC within 48 hours of uncovering the severity of the breach, a time period that caused some consternation for chief compliance officers and firms in the initial comment period and during this week’s Investment Adviser Association Compliance Conference in Washington, D.C.
