Subject: s7-06-23: WebForm Comments from Nicholas Abbott
From: Nicholas Abbott
Affiliation:

Mar. 30, 2023

There needs to be more accountability from the Cybersecurity Regulation. It should not only focus on Cyber Risk as a response to an incident, but also set standardized Consumer/Investor Protection if an investor's access device (computer, mobile, etc.) becomes compromised or stolen, and in other digital scenarios. This is different from the Unauthorized Trade Regulation, which focuses on a dealer and not a digital request. Right now, if an investor is under threat, scammed, or their device is compromised, granting access digitally to an individual account, companies are ill-prepared to combat these scenarios, and this is at the cost of the investor, as no regulation provides full protection, and without the regulation the business is set to be biased on who they give protection to. In a traditional bank, you would have Consumer Protection Laws, such as Regulation E; however, if cash or securities are stored in an SEC-regulated business, such as a Broker-Dealer, there is no requirement to have protections as long as the minimal Regulation S-ID and S-P are met, which most do not consider theft of a device, an Identity Theft Victim, or a Scam Victim. This amendment needs to include enhanced reporting, actions to take, transparency to the public, and should also include a requirement to have clear policies and procedures that set standardized responsibilities and liabilities of both the investor and business, which cover all cybersecurity scenarios. It should not be on the investor's time and cost to prove to the SROs they deserve their life savings back when it was stolen and the business didn't take all appropriate cybersecurity steps to verify the risk and ownership.