Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification law. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to require notification to consumers of the potential compromise of their data within 30 days of discovery.Continue Reading SEC Joins Chorus of Regulators Requiring Data Breach Notifications
SEC Proposes New Requirements to Address Conflicts of Interest in the Use of Artificial Intelligence and Similar Technologies
On July 26, 2023, the SEC issued proposed rules under the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940 to address conflicts of interest that the SEC believes are associated with the use by broker-dealers and investment advisers of predictive data analytics (PDA) and PDA-like technologies, such as artificial intelligence (AI), in investor interactions. The proposed rules seek to prevent firms from using these technologies to influence investor behavior to the investor’s detriment and the benefit of the firm.Continue Reading SEC Proposes New Requirements to Address Conflicts of Interest in the Use of Artificial Intelligence and Similar Technologies
SEC Proposes Amendments to the Internet Adviser Exemption
On July 26, 2023, the SEC issued proposed rules under the Investment Advisers Act of 1940 to narrow the types of smaller investment advisers that can register with the SEC in reliance on the Internet adviser exemption. Currently, an investment adviser with less than $25 million in assets under management that would ordinarily be too small to register with the SEC may register so long as it provides investment advice to clients exclusively through an interactive website and engages in appropriate recordkeeping. An adviser also may provide investment advice to fewer than 15 clients through other means during the preceding 12 months. The amendments are designed to modernize the exemption and address investment advisers that rely on the exemption but continue to provide non-Internet-based advice through adviser personnel.Continue Reading SEC Proposes Amendments to the Internet Adviser Exemption
Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure
Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of “cybersecurity incidents” within only four business days of a “materiality” determination (subject to limited exceptions involving national security or public safety, as determined by the U.S. Attorney General). As justification for this extremely short reporting period, the SEC cited the 72-hour “discovery” and 24-hour ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). But there is a critical distinction: The CIRCIA reporting requirements are confidential, whereas the reporting requirements under the Rule are public. Why does that matter? Among other reasons, a requirement for rapid public reporting may well lead to more cybersecurity incident class actions (whether meritorious or not).Continue Reading Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure
SEC Reopens Comment Period for Investment Adviser and Investment Company Cybersecurity Proposals in Connection with Other Cyber and Data Privacy Related Proposals
On March 15, 2023, the SEC reopened the comment period on proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies and business development companies that were proposed on February 9, 2022. The initial comment period ended on April 11, 2022. A previous Vedder Price summary of the proposals is available here. Comments on the proposals are now due by May 22, 2023.Continue Reading SEC Reopens Comment Period for Investment Adviser and Investment Company Cybersecurity Proposals in Connection with Other Cyber and Data Privacy Related Proposals
SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies
On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements.
Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies