Published on Jan 26th, 2025

Misleading Cybersecurity Disclosure Leads to SEC Charges


Introduction

On January 13, 2025, charges were announced against an Alternative Asset Management Company for false and misleading cybersecurity disclosures.

Cybersecurity was a major examination topic for the SEC in 2024. The speed and accuracy of disclosures after cybersecurity incidents continue to be held to a high standard.

What Happened?

According to the SEC:

  • The Firm discovered that a cybersecurity attack and ransomware demand had been made by a foreign-based threat.
  • Approximately twelve (12) terabytes of data, including sensitive customer information, had been extracted from the Firm’s internal computer systems.
  • The Firm was publicly traded at the time, requiring disclosures of the incident on Form 10-Q and Form 10-K.
  • In its description of the event in public disclosures, the Firm reported that it had not identified any customer information being exposed.
  • The case will be tried by a jury.

Vigilant's Conclusion

It is important to note that the Proposed Cyber Rule for Cybersecurity Risk Management and Disclosure Requirements on RIAs and RICs is still in its proposed stage at this time.

Nonetheless, Firms should adopt policies and procedures that ensure the timely and accurate disclosure of cybersecurity incidents as required by applicable Law. It is best practice to have an Incident Response Plan in place that identifies the exact roles and responsibilities of the members of a Firm when an incident occurs.

At Vigilant, we can assess your program’s policies, procedures, and practices for compliance with the SEC Rules and Regulations, and can offer remediation and on-going Compliance Support.

Schedule a call with Vigilant to learn more about how we can help.
