Oct. 24, 2023
Just wanted to say how grateful I am for the amazing work. It may be a little late, however the brilliant people out there, working hard to safeguard the ideals of the free market, are heroes. Your honorable and intelligent efforts are fundamental to this nation. It goes without saying I admire you, and all your efforts abet a bright future.

Despite my well wishes and all, it is in my limited understanding that there are institutions who are willing to bet against the well-being of our citizens. It would appear to me that this is an effort to even the odds and gain understanding of the technology utilized. Despite the small occupancy or recruiting needs there must be a check on the means of information gained by PFOP development, and such platforms. I fully support your efforts to mitigate any obfuscation and paid for competitive gain in informatic competition against the household investor. Hester's sponsored argument alludes to the feasibility of full-time institutions remaining in administrating funds towards aggressive and already intrusive practices regarding data acquisition/analytics. In itself the blind eye of the CFTC has lopsided the battle against value-driven acquisition. Not too long ago the house argued over the evident disregard of failure to deliver and . The household/part-time investor has no hope in the battle against data analysis.

To answer your questions:

1. What best practices have commenters developed or become aware of with respect to the types of measures that can be implemented as part of an incident response program? Are there any measures commenters have found to be ineffective or relatively less effective? To the contrary, are there any measures that commenters have found to be effective, or relatively more effective?

2. Should we require the response program procedures to set forth a specific timeframe for implementing incident response activities under Regulation S-P? For example, should the procedures state that incident response activities, such as assessment and containment, should commence promptly, or immediately, once an incident has been discovered?

3. Are the proposed elements for the incident response program appropriate? Should we modify the proposed elements? For instance, should the rule prescribe more specific steps for incident response within the framework of the procedures, such as detailing the steps that an institution should take to assess the nature and scope of an incident, or to contain and control an incident? If so, please describe the steps and explain why they should be included. Alternatively, should the requirements for the incident response program be less prescriptive and more principles-based? If so, please describe how and why the requirements should be modified.

4. Are there additional or different elements that should be included in an incident response program? For example, should the rule require procedures for taking corrective measures in response to an incident, such as securing accounts associated with the customer information at issue? Should the rule require procedures for monitoring customer information and customer information systems for unauthorized access to or use of those systems, and data loss as it relates to those systems? Should the rule require procedures for identifying the titles and roles of individuals or departments (e.g., managers, directors, and officers) who should be responsible for overseeing, implementing, and executing the incident response program, as well as procedures to determine compliance? If additional or different elements should be added, please describe the element, and explain why it should be included in the response program.

5. Is the scope of the incident response program appropriate? For example, is the scope of the incident response program reasonably aligned with the vulnerability of the customer information at issue?

• Should the incident response program be more limited in scope, so that it would only address incidents that involve unauthorized access to or use of a subset of customer information (e.g., sensitive customer information)? If so, please explain the subset of customer information that should require an incident response program.

• Alternatively, should the incident response program be more expansive in scope, so that it would cover additional activity beyond unauthorized access to or use of customer information? For example, should the incident response program address cybersecurity incident response and recovery at large (i.e., should the rule require covered institutions to have a response program reasonably designed to detect, respond to, and recover from a cybersecurity incident)?

Since these are all work of mitigating self service and conflict of interest, why is it a question of self-regulation? My broker account promises to insure a set amount of money in the case of "failure"; however, the user end agreement makes no statements about what the competition is willing to do or even capable of IN THE TERMS OF INFORMATION PROVIDED AND ACQUIRED BY THEIR SERVICES. Yet they have a broad avenue to end my contract of use for whatever reason. Is the SEC not responsible for the inner workings of the DTCC and CFTC? We know what we are up against, we know what the threat is, but enough is enough. It would be nice to for once be able to compete and contribute to the good side.