On July 8, the SEC issued an updated 2024 regulatory agenda, which includes updated timing related to several key regulatory actions. This signals another busy few months for the SEC.
On May 15, 2024, the SEC announced it would make amendments to Regulation S-P (Reg S-P). This will be the first amendment to the regulation since its adoption 24 years ago in 2000. The regulation focuses on how institutions handle customers’ private personal information. The amendment comes in response to the ever-evolving technologies that expose individuals’ sensitive data to potential security breaches. SEC Chair Gary Gensler stated, “Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially” and that “amendments to regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”
As addressing cybersecurity issues continues to become a top priority throughout the financial industry, the U.S. Securities and Exchange Commission (SEC) is following suit. The SEC unanimously voted to approve a new set of cybersecurity rules last May designed to ensure that broker dealers, investment advisers, and transfer agents have robust measures in place to not only detect data breaches but to notify customers when they may be affected by one.
Cybersecurity threats are still abundant — data breaches surged 20% from 2022 to 2023, and a March 2024 cyberattack on a large U.S. health care billing company had wide-reaching impacts. Meanwhile, artificial intelligence has opened the door for new threats, many still unimagined. Despite the scope and scale of these threats, many firms have become inured to the dangers while others simply don’t know where to focus their cybersecurity efforts.
No company can expect to have 100% protection against cyberattacks, no matter how much time, technology, and resources they invest in the challenge, according to Keri Pearlson, executive director of Cybersecurity at MIT Sloan.
The more realistic goal is cyber resilience — making sure a business can quickly respond to inevitable attacks by getting systems back up and running with minimal disruption. A resilient organization emerges from an attack relatively unscathed, with little to no data loss, impact to its financial health, or damage to its brand reputation.
Earlier this month, approximately one year after releasing its proposed amendments to Regulation S-P, the SEC announced the adoption of final amendments to Regulation S-P, expanding the information protected, the policies and procedures required, and the entities covered by the rules. Covered financial institutions—including any broker-dealer, investment company, registered investment adviser, or transfer agent—will now be required to establish and implement a reasonable incident response program and notify impacted customers of certain security breaches. The final amendments further codify the SEC’s expectations of the financial institutions’ oversight of third-party service providers, and they expand the reach of the Safeguards and Disposal Rules to transfer agents. This alert covers the new components of Regulation S-P, along with our key takeaways.
Following the Securities and Exchange Commission’s (“SEC’s”) new and updated cybersecurity risk management rules, proposed in February 2022, for investment advisors, registered investment companies, and business development companies, entities classified as “advisors” and “funds” registered with the SEC have taken action to ensure compliance.
On May 15, 2024, the Securities and Exchange Commission (SEC) finalized amendments to Regulation S-P, the primary regulation governing the privacy and confidentiality of consumer financial information for SEC-regulated entities. The updated regulation aims to strengthen customer data protection and enhance cybersecurity practices within the financial services sector. The following is an overview of the key changes and implications for impacted financial services companies and vendors to financial services companies.
The Securities and Exchange Commission (SEC) has updated its decades-old Regulation S-P rule governing customer data protection.
Under the SEC’s amendments, RIAs, broker-dealers and investment companies must notify customers within 30 days after becoming aware that an unauthorized use of their information occurred. The SEC also said that the rule, which governs the safeguarding and disposal of client information, would require companies to maintain written procedures for responding to a data breach and for notifying customers.
The New York State Department of Financial Services (NYDFS) issued guidance for small businesses attempting to comply with its cybersecurity regulations.
New York has had rules for financial institutions regarding cybersecurity in place since 2017. The state issued amended rules in 2023 that require financial institutions to conduct risk assessments more often and improve governance.
Under the amended rules, “[C]overed entities must maintain a cybersecurity program designed to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations,” the NYDFS said Monday in a guidance letter.
The Financial Industry Regulatory Authority has created a new key topics page for its new rules treating home offices as “residential supervisory locations.”