The SEC is about to upend your firm when it comes to cybersecurity.
Last year, the agency proposed a series of new rules, heading toward approval likely later this year. Although not yet final, they are going to shake up the ways RIAs run their businesses.
The SEC Cybersecurity Rules strive to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. Public companies subject to the reporting requirements of the Securities Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) cybersecurity incidents, and (2) cybersecurity risk management, strategy, and governance. The rules also significantly expand cyber compliance obligations for registered investment advisers (RIAs), investment companies and broker-dealers.
Key Takeaways
Since 2022, the U.S. Securities and Exchange Commission (SEC) has proposed several cybersecurity rules applicable to numerous regulated entities that, if adopted, would impose quick notification obligations and heightened disclosure requirements.
Amid significant pushback during the public comment period, the SEC announced it would delay issuance of these rules, which are now expected to be finalized in October 2023 and April 2024.
Because cybersecurity risks will continue to evolve more rapidly than the SEC’s public rulemaking process, public companies, investment advisers, broker-dealers, and other entities that may be impacted by these rules should not wait to address these risks, even in the face of regulatory uncertainty.
After all, the SEC has already brought enforcement actions relating to cybersecurity incidents even in the absence of these proposed rules being finalized, and existing SEC and other regulatory frameworks already require baseline disclosure, notification, and safeguarding measures that these proposed SEC rules seek to enhance.
We are all familiar with the mantra on the importance of managing third-party risk to prevent anti-corruption, sanctions, money laundering and associated risks. Over the last ten years, however, we have observed a new and important addition to the third-party risk plate – cybersecurity and data breach.
While scams like email impersonation and phishing are nothing new, generative AI has supercharged the risks by introducing new threats, including deepfakes and malicious chatbots.
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, spoke on the topic of cyber resilience at the Financial Times Cyber Resilience Summit. Director Grewal defined cyber resilience as a guiding concept: because cybersecurity incidents are likely to occur, companies must be prepared to respond and react appropriately when they do.
Earlier this month, the U.S. Securities and Exchange Commission’s (SEC) 2023 Spring Unified Agenda of Regulatory and Deregulatory Actions was released. The agenda identifies the rules that the agency expects to consider in the next 12 months and includes an anticipated action date for finalizing rules for cybersecurity disclosure by public companies by October 2023. This alert provides guidance on what companies should be doing to prepare now.
Based on updates to its rulemaking agenda that were released last week, the U.S. Securities and Exchange Commission (SEC) has delayed approval of two cybersecurity rules until at least October 2023. Both proposed rules were released by the agency in early 2022.
In today’s digital age, remote work has become a norm, posing challenges to maintaining operational security. Any mistake by remote employees can result in a data breach that can be detrimental to the organization.