March 11, 2022
My first concern as a retail investor is why are the companies allowed 4 days till they are required to inform the SEC of a breech? I feel that these lapses in security should be reported the next business day. Also what are the penalties for failing to do so? What of the companies that hide this information or fail to report it? Also this proposed rule change talks a lot about disclosures but where are the incentives to do so or the incentives to not do so? What happens if a company fails to disclose? Do the get a fine? a warning? removed from being a participant in the markets? What if they caused great harm to retail investors with their lack of competence when it comes to cybersecurity? I like the rule. I think companies should be responsible to think and care about cybersecurity and implement a system that can protect themselves and their customers. But there also needs to be an incentive and inducement in place to do so. Otherwise these companies will either ignore the rule and take whatever small fine the SEC throws at them or they will follow the rule the SEC has put in place because the failure to protect its self and customers from a cyberattack would result in harsh penalties by the SEC.