MFA submitted a supplemental comment letter to the U.S Securities and Exchange Commission (SEC) on the proposed rules regarding Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies. This letter, MFA’s second on the proposal, addresses their concern about the comprehensive nature of certain aspects of the rules, particularly the cybersecurity incident notification rule.
MFA expresses apprehension regarding the potential negative impact on investment advisors’ ability to respond effectively to incidents due to the inflexible notification timeline and burdensome reporting requirements. Additionally, MFA raises concerns about the possibility of incomplete and inconsistent filings since different information becomes available at varying stages following an attack.
MFA encourages the SEC to amend the proposal rules to maintain regulatory harmonization by streamlining notification timelines for registrants to align with other regulatory regimes and simplify cybersecurity incident reporting for entities subject to multiple notification requirements to the Commission.
