SEC Suggests New Rules Regarding Cyber Security and AI
This post is also available in: 
עברית (Hebrew)
New rules regarding “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies” were announced Wednesday. They dictate that the US Securities and Exchange Commission (SEC) now requires that companies report major cyber incidents to investors within four days of a breach. Wall Street is also proposing new requirements for firms to disclose any AI-related trading conflicts of interest.
If a cyber incident is deemed serious enough to be relevant for investors, then the new four-day breach disclosure rule will be required. According to the SEC, the information required in the disclosure will include the material aspects of the incident’s nature, scope, and timing, as well as its impact or likely material impact on the registrant.
According to Cybernews, by ensuring that companies disclose material cybersecurity information, public investors will be able to cope with the rising costs and frequency of attacks.
Another rule that was voted on Wednesday builds upon a proposal from March 2022, which requires a company’s board of directors to periodically report on a company’s oversight and expertise in assessing and managing risks from cybersecurity threats. SEC claims that this will help to harden the financial system against data theft, systems failure, and cyber-intrusions.
The SEC also voted for a proposal requiring that companies reveal if AI-trading platforms are being used by stockbroker-dealers, in order to avoid any conflicts of interest like using AI to drive user behavior.
The goal is that this proposal will eliminate any type of conflict that might happen if the predictive AI advisors put the broker’s financial interest ahead of the firm’s clients.
The last proposal that was voted upon was to require that more internet-based investment advisors register with the SEC, and once registered they’d be required to provide investment advice through a functioning, interactive website.
These proposals are not yet final, and the final rules will become effective 30 days after the publication of the adopting release in the Federal Register.
