On November 14, the Securities and Exchange Commission announced its enforcement results for the 2023 fiscal year,[1] with case numbers up from fiscal year 2022 and monetary sanctions at the second highest level in the agency’s history, though down significantly from last year’s record highs.  In a press release announcing the results, Enforcement Director Gurbir Grewal noted that the past year’s cases demonstrate how the agency “work[s] with a sense of urgency, using all the tools in our toolkit.”  This post evaluates how the SEC used its enforcement tools in the past year and surveys the enforcement highlights in key substantive areas.
Continue Reading SEC Announces FY 2023 Enforcement Results with Second-Highest Penalties on Record

On July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC” or “Commission”) adopted rules to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance.
Continue Reading New SEC Disclosure Rules for Cybersecurity Incidents and Governance and Key Takeaways

On July 26, 2023, the Securities and Exchange Commission (“SEC”) proposed new rules targeting the use of predictive data analytics and artificial intelligence (“AI”) by registered investment advisers (“RIAs”) and broker-dealers.[1]  The new proposed rules focus on the potential for conflicts of interest and the possibility that newer, more complex analytics models (including those using AI) might optimize decision making for RIAs and broker-dealers by placing those firms’ interests above the interests of their clients.[2]  The proposed rules would require RIAs and broker-dealers to: (i) evaluate whether their use of technologies “that optimize for, predict, forecast or direct investment-related behaviors or outcomes” creates such a conflict of interest, and (ii) either stop using or address the effects of tools that place a firm’s interests before the interests of clients.  RIAs and broker-dealers will also be required to adopt policies to ensure compliance with the new proposed rules.[3]
Continue Reading SEC Proposes Rules Limiting the Use of Artificial Intelligence by Registered Investment Advisers and Broker-Dealers

On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents.  The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”
Continue Reading SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P

On October 26, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed a new rule under the Investment Advisers Act of 1940 (“Advisers Act”) imposing due diligence, recordkeeping and reporting obligations on registered investment advisers (“RIAs”) who outsource certain key “covered functions” of the adviser’s business to third parties, including affiliates.  The Proposal represents another step toward more substantive regulation of RIAs by the SEC under Chairman Gensler, and will impose real costs and operational risk on RIAs.
Continue Reading New Requirements for Outsourcing by Advisers: Proposed SEC Rule Brings More Obligations and Scrutiny

On August 1, 2022, Robinhood Crypto LLC (“RHC”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) based on “serious deficiencies” related to anti-money laundering (“AML”), cybersecurity, and virtual currency that were identified in DFS’s examination of RHC covering the period from January to September 2019.
Continue Reading DFS Enters Consent Order with Robinhood Crypto for Deficiencies in AML, Cybersecurity, and Virtual Currency Compliance

On March 30, 2022, the U.S. Securities and Exchange Commission (“SEC”) Division of Examinations (the “Division”)—formerly the Office of Compliance Inspections and Examinations—released its 2022 Examination Priorities (“2022 Priorities”).  The Division is undergoing extensive leadership changes, with the recent departures of several top officials.  Consistent with the aggressive agenda set by Chair Gensler for the SEC generally, the Division has returned to its pre-pandemic caseload, conducting over 3,000 exams in fiscal year 2021, issuing over 2,000 deficiency letters, and making 190 referrals to the Enforcement Division.  Despite the management changes, the 2022 Priorities generally retain perennial risk areas as the core focus, but include several new and emerging risk areas reflecting the policy goals espoused by Gensler in recent proposed rule releases and public statements.
Continue Reading SEC Division of Examinations Reinforces Gensler Initiatives in its 2022 Exam Priorities

On January 24, 2022, Securities and Exchange Commission Chair Gary Gensler gave a speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute signaling the SEC’s intention to step up its cyber-related regulatory and enforcement efforts.  Gensler described the continued rise in cybersecurity incidents targeting the financial sector as a serious threat to the nation’s economy and critical infrastructure, with costs potentially in the trillions of dollars.
Continue Reading SEC Chair Previews Ramp Up in Regulation and Enforcement in the Cybersecurity Context

Cybersecurity and data privacy continue to be among the most significant legal risks that businesses face today.

Last year brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets, continuing the trend seen in recent years. Regulators also brought a number of cybersecurity enforcement actions and announced new rules, guidance, and initiatives on ransomware and other cyber-related issues. In addition, after many years of debate, Congress made some progress in crafting legislation that would require certain companies to report significant cyberattacks and ransomware payments to the U.S. federal government. Companies should expect the demands of cybersecurity risk management and oversight to intensify as we enter 2022.
Continue Reading 2021 Cybersecurity and Privacy Developments in the United States

2021 was a year of transition for white-collar criminal and regulatory enforcement. As courthouses reopened and trials resumed, newly-installed heads of law enforcement authorities looked to reset priorities and ramp up enforcement in the first year of the Biden administration. 
Continue Reading Priorities, Trends and Developments in Enforcement and Compliance