Cybersecurity

Subscribe to Cybersecurity via RSS

On November 22, the Securities and Exchange Commission announced its enforcement results for the 2024 fiscal year with a record $8.2 billion in financial remedies.[1]  At the same time, a few cases and sweeps comprised the vast bulk of that amount, and the number of cases brought dropped by 26%.  In a press release announcing the results, Acting Enforcement Director Sanjay Wadhwa touted the agency’s “high impact enforcement actions” and noted “stepped up efforts” by market participants to self-report their own potential wrongdoing, cooperate in SEC investigations, and remediate any shortcomings.  Chair Gary Gensler, who recently announced he will step down at the start of the next Trump presidency, described the Enforcement Division as a “steadfast cop on the beat.”  Set forth below are key highlights on enforcement trends from the past year, as well as predictions for what the next year may hold under a new administration.Continue Reading SEC FY 2024 Enforcement Results: Record Dollars But Many Fewer Cases

On October 22, 2024, the SEC announced settled enforcement actions charging four companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. These cases mark the first to bring charges against companies who were downstream victims of the well-known cyber-attack on software company SolarWinds. The four companies were providers of IT services and digital communications products and settled the charges for amounts ranging from $990,000 to $4 million.Continue Reading SEC Charges Four Companies Impacted by Data Breach with Misleading Cyber Disclosures

The U.S. Securities and Exchange Commission (“SEC”) Division of Examinations (the “Division”) released its 2025 examination priorities on October 21, 2024 (the “2025 Priorities”).  The 2025 Priorities highlight a wide range of topics for entities subject to SEC examinations, particularly investment advisers and broker-dealers.  The topics should be very familiar, as they largely continue recent focus areas for not only the Examinations Division but also the Enforcement Division.Continue Reading SEC 2025 Exam Priorities: Private Funds, Cyber, Crypto, and New Rule Compliance

On May 16, 2024, the Securities and Exchange Commission (the “Commission” or “SEC”) adopted a final set of amendments (the “Final Amendments”) to Regulation S-P (“Reg S-P”) to require “covered institutions,” which include SEC-registered investment advisers (“RIAs”) and broker-dealers, to adopt an incident response program for incidents involving unauthorized use of or access to customer data.  The Final Amendments also require customer notification where the covered institution determines the compromise of such data could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.  Continue Reading SEC Adopts Amendments to Reg S-P

On November 14, the Securities and Exchange Commission announced its enforcement results for the 2023 fiscal year,[1] with case numbers up from fiscal year 2022 and monetary sanctions at the second highest level in the agency’s history, though down significantly from last year’s record highs.  In a press release announcing the results, Enforcement Director Gurbir Grewal noted that the past year’s cases demonstrate how the agency “work[s] with a sense of urgency, using all the tools in our toolkit.”  This post evaluates how the SEC used its enforcement tools in the past year and surveys the enforcement highlights in key substantive areas.Continue Reading SEC Announces FY 2023 Enforcement Results with Second-Highest Penalties on Record

On July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC” or “Commission”) adopted rules to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance.Continue Reading New SEC Disclosure Rules for Cybersecurity Incidents and Governance and Key Takeaways

On July 26, 2023, the Securities and Exchange Commission (“SEC”) proposed new rules targeting the use of predictive data analytics and artificial intelligence (“AI”) by registered investment advisers (“RIAs”) and broker-dealers.[1]  The new proposed rules focus on the potential for conflicts of interest and the possibility that newer, more complex analytics models (including those using AI) might optimize decision making for RIAs and broker-dealers by placing those firms’ interests above the interests of their clients.[2]  The proposed rules would require RIAs and broker-dealers to: (i) evaluate whether their use of technologies “that optimize for, predict, forecast or direct investment-related behaviors or outcomes” create such a conflict of interest, and (ii) either stop using or address the effects of tools that place a firm’s interests before the interests of clients.  RIAs and broker-dealers will also will be required to adopt policies to ensure compliance with the new proposed rules.[3] Continue Reading SEC Proposes Rules Limiting the Use of Artificial Intelligence by Registered Investment Advisers and Broker-Dealers

On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents.  The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”Continue Reading SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P

On October 26, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed a new rule under the Investment Advisers Act of 1940 (“Advisers Act”) imposing due diligence, recordkeeping and reporting obligations on registered investment advisers (“RIAs”) who outsource certain key “covered functions” of the adviser’s business to third parties, including affiliates.  The Proposal represents another step toward more substantive regulation of RIAs by the SEC under Chairman Gensler, and will impose real costs and operational risk on RIAs.
Continue Reading New Requirements for Outsourcing by Advisers: Proposed SEC Rule Brings More Obligations and Scrutiny

On August 1, 2022, Robinhood Crypto LLC (“RHC”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) based on “serious deficiencies” related to anti-money laundering (“AML”), cybersecurity, and virtual currency that were identified in DFS’s examination of RHC covering the period from January to September 2019.
Continue Reading DFS Enters Consent Order with Robinhood Crypto for Deficiencies in AML, Cybersecurity, and Virtual Currency Compliance