The NYDFS recognized the significant risk of cyberattacks to financial businesses that operate in the state and their customers, so it took action. In 2017, NYDFS adopted a set of regulations, 23 NYCRR 500, that places strict cybersecurity requirements on financial services companies that do business in the state of New York and related third-party service providers to defend against cyberattacks. They need to know what the regulation requires, which companies must comply and similar laws that overlap the provisions of this one.

On February 9, 2022, the SEC released its much-anticipated proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.

Chair Gensler recently emphasized that cybersecurity rulemaking in this area is one of his priorities, and placed particular emphasis on establishing standards for cybersecurity hygiene and incident reporting for registrants. The proposed rules, which are the most detailed cybersecurity rules that Chair Gensler’s SEC has issued thus far, reflect the SEC’s intense attention to cybersecurity risk and its willingness to deploy the full scope of its regulatory authority to promulgate standards that address this risk.

These proposed rules would impose significant new requirements on registered investment advisers and funds, and are generally consistent with cybersecurity requirements imposed on other companies by New York’s Part 500 Cybersecurity Regulation and the Federal Trade Commission’s updated Safeguards Rule.

The fallout from Russia’s invasion of Ukraine is hitting the advice industry as government agencies warned wealth managers last week to protect themselves and their clients against increased attacks.

Wealth management executives are reassessing cybersecurity policies and procedures as they prepare firms for the future.

Growing demand for third-party access data — from both customers and technology vendors — is increasing threat vectors, as is the growing use of mobile devices. These aren’t new trends, but the shift to remote working caused by the coronavirus pandemic has accelerated the influence of these forces. For example, fintech companies initially created to reach younger investors are now embraced by clients of all ages.

The SEC issued a proposed cybersecurity rule applicable to registered investment advisers and registered investment companies, but did not issue the rule to publicly traded companies.

• The rule requires notification to the Commission within 48 hours of discovering a significant cybersecurity incident.

• The rule also requires extensive policies and procedures, including a written information security plan and incident response plan, to address and respond to cybersecurity threats.

• Companies will be required to increase disclosures and recordkeeping around cybersecurity practices, risks, and incidents.

Under the regulation, advisers would have to adopt and implement policies and procedures to address cyber risks and report incidents to the SEC and on their Form ADV.

U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler made remarks on Jan. 24, 2022, at Northwestern University Pritzker School of Law's Annual Securities Regulation Institute regarding the SEC's work to improve "the … cybersecurity posture and resiliency of the financial sector." Consistent with Holland & Knight's recent SECond Opinions Blog post highlighting the SEC's more aggressive cyber posture in 2021, Gensler indicated that the SEC will consider updating existing cybersecurity disclosure and reporting rules and requirements in 2022 for entities regulated by the SEC and expanding cybersecurity requirements on those entities falling outside the agency's direct regulatory regime.

What You Need to Know

• Gensler has asked for recommendations on how advisors and BDs can strengthen their cybersecurity and incident reporting.

• Gensler sees opportunities to expand Regulation S-P, a rule about protecting customers' personal data.

• He also wants to broaden Reg SCI to more types of firms, like big market makers, BDs and Treasury trading platforms.

This year saw a number of significant changes on both the state and federal levels with regard to data privacy and data security. These changes reflect the increasing focus on the digital landscape to which the global economy has shifted and emphasized a much sharper focus on protecting sensitive information. Indeed, the significance of having strong cybersecurity regulations was emphasized from the top down in the United States, including an emphasis on improving and updating cybersecurity defenses and protections for federal government networks, as outlined in President Biden's May 12, 2021 Executive Order on Improving the Nation's Cybersecurity. This article highlights the legislative and litigation developments in 2021 and discusses what may lie ahead in 2022 for businesses that collect, process, and store sensitive information.

Individuals’ use of insecure cybersecurity behaviors, including the use of weak passwords, is a leading contributor to cybersecurity breaches.