A quite remarkable development occurred in mid-November 2023: a cyber-criminal organization filed a complaint with the U.S. Securities and Exchange Commission because one of their victims didn’t comply with the SEC four-day rule to disclose a cyberattack.
The ALPHV ransomware gang said it breached the network of MeridianLink, a provider of lending technology to financial institutions, and submitted a complaint to the SEC stating that, ‘It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.’
Asset and wealth managers registered with the SEC should be taking note. Whether it’s SEC regulation or criminal attacks, RIAs and private fund advisers alike need to be prepared when the SEC finalizes its impending cybersecurity rules for the asset management industry. Those rules, announced back in February 2022, include a stipulation for reporting a serious breach to the SEC. RIAs and fund managers should ensure they have a viable Incident Response Plan (IRP) in place to comply with the regulatory requirements should they become a victim of a cyberattack.