On May 16, 2024, the SEC adopted amendments to Regulation S-P requiring broker-dealers, registered investment companies, registered investment advisers, funding portals, and transfer agents (collectively, “covered institutions”) to create an incident response program to deal with unauthorized access to or use of customer information. The amendments also expanded the obligations of covered institutions by requiring them to safeguard and properly dispose of a broader range of data types and maintain records documenting compliance with the amendments. Finally, the annual privacy notice delivery provisions now include an exception from a 2015 amendment to the Gramm-Leach-Bliley Act (GLBA).
The Financial Industry Regulatory Authority on Tuesday touted its focus this year on a number of common compliance themes, including broker-dealers’ cybersecurity risks and anti-money laundering controls while adding some new hot spots, including the selection of third-party vendors, according to its annual regulatory oversight report.
Financial services firms must establish procedures to ensure that their day-to-day operations and regulatory compliance are not interrupted in the event of a cybersecurity issue involving a third-party vendor, Finra says.
On May 15, 2024, the SEC issued Release Nos. 34-100155; IA-6604 (the “Adopting Release”) providing for amendments to the safeguards and disposal rules of Regulation S-P (the “Amendments”). The compliance dates for the Amendments are December 31, 2025 for “large” investment advisers (those with $1.5 billion or more in assets under management) and June 3, 2026 for “small” investment advisers (those with less than $1.5 billion in assets under management).
The safeguards rule requires investment advisers (and other Covered Institutions - broker-dealers, investment companies and transfer agents) to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information (“Customer Information”). The disposal rule requires investment advisers (and other Covered Institutions) to ensure the proper disposal of Consumer Report information, and pursuant to the Amendments, Customer Information. This alert summarizes the Amendments as applicable to investment advisers.
Cybersecurity threats continue to evolve as cybercriminals become more sophisticated, even using advanced technology, such as artificial intelligence (AI), to carry out their scams. They also try to exploit human vulnerabilities, duping their targets into revealing sensitive information by clicking on questionable links or responding to phishing emails. In fact, human error accounts for up to 95 percent of security breaches.
Throughout 2024, financial sector regulators sharpened their focus on data protection and cybersecurity issues impacting financial institutions and the public. Key federal agencies like the Securities and Exchange Commission (“SEC”), the Federal Trade Commission (“FTC”), and the Consumer Financial Protection Bureau (“CFPB”) have been joined by state regulators, such as the New York Department of Financial Services (“NYDFS”), in proposing and finalizing significant rulemaking, pursuing novel enforcement actions, and issuing influential guidance. 2025 promises to be a continuation of this considerable trend.
"You still get some of them that think, 'I'm okay. My IT people tell me, I'm okay'
On October 21, 2024, the Division of Examinations (Division) of the Securities and Exchange Commission (SEC) published its 2025 examination priorities (2025 priorities). The release of the 2025 priorities is intended to inform registered investment advisers, investment companies and broker-dealers of potential areas the Division will review during examinations in 2025.