Rounding out a series of quarter-end announcements from the US Securities and Exchange Commission (SEC), the Division of Examinations (Exams) announced its 2022 examination priorities on March 30, 2022. These priorities reflect SEC Chair Gary Gensler's stated view that the examinations program is crucial to the SEC's work to protect investors and instill trust in markets. Exams will focus on, among other things, (i) private funds, (ii) broker-dealers, (iii) Environmental, Social, and Governance (ESG) or impact investing, (iv) financial technology (FinTech) and crypto-assets, and (v) information security (InfoSec) and operational resiliency.
Read MoreThe Securities and Exchange Commission (“SEC”) recently published proposed rulemaking regarding cybersecurity for (1) investment advisers and funds and (2) public companies. If implemented, these rules will have significant impact regarding cybersecurity governance, risk management by management, oversight by boards of directors, and the maintenance and update of policies, procedures, and compliance programs regarding cybersecurity.
Read MoreThis 27-year-old finance pro lost $3,000 to an Instagram scam — here are the 4 red flags he missed
In a world where Elizabeth Holmes, Anna Delvey and the Tinder Swindler co-exist, it seems like scammers are waiting for unsuspecting victims around every corner. Sometimes, those victims are even sophisticated finance professionals.
Read MoreThe NYDFS recognized the significant risk of cyberattacks to financial businesses that operate in the state and their customers, so it took action. In 2017, NYDFS adopted a set of regulations, 23 NYCRR 500, that places strict cybersecurity requirements on financial services companies that do business in the state of New York and related third-party service providers to defend against cyberattacks. They need to know what the regulation requires, which companies must comply and similar laws that overlap the provisions of this one.
Read MoreOn February 9, 2022, the SEC released its much-anticipated proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.
Chair Gensler recently emphasized that cybersecurity rulemaking in this area is one of his priorities, and placed particular emphasis on establishing standards for cybersecurity hygiene and incident reporting for registrants. The proposed rules, which are the most detailed cybersecurity rules that Chair Gensler’s SEC has issued thus far, reflect the SEC’s intense attention to cybersecurity risk and its willingness to deploy the full scope of its regulatory authority to promulgate standards that address this risk.
These proposed rules would impose significant new requirements on registered investment advisers and funds, and are generally consistent with cybersecurity requirements imposed on other companies by New York’s Part 500 Cybersecurity Regulation and the Federal Trade Commission’s updated Safeguards Rule.
Read MoreThe fallout from Russia’s invasion of Ukraine is hitting the advice industry as government agencies warned wealth managers last week to protect themselves and their clients against increased attacks.
Read MoreWealth management executives are reassessing cybersecurity policies and procedures as they prepare firms for the future.
Growing demand for third-party access data — from both customers and technology vendors — is increasing threat vectors, as is the growing use of mobile devices. These aren’t new trends, but the shift to remote working caused by the coronavirus pandemic has accelerated the influence of these forces. For example, fintech companies initially created to reach younger investors are now embraced by clients of all ages.
Read MoreThe SEC issued a proposed cybersecurity rule applicable to registered investment advisers and registered investment companies, but did not issue the rule to publicly traded companies.
• The rule requires notification to the Commission within 48 hours of discovering a significant cybersecurity incident.
• The rule also requires extensive policies and procedures, including a written information security plan and incident response plan, to address and respond to cybersecurity threats.
• Companies will be required to increase disclosures and recordkeeping around cybersecurity practices, risks, and incidents.
Read MoreUnder the regulation, advisers would have to adopt and implement policies and procedures to address cyber risks and report incidents to the SEC and on their Form ADV.
Read MoreU.S. Securities and Exchange Commission (SEC) Chair Gary Gensler made remarks on Jan. 24, 2022, at Northwestern University Pritzker School of Law's Annual Securities Regulation Institute regarding the SEC's work to improve "the … cybersecurity posture and resiliency of the financial sector." Consistent with Holland & Knight's recent SECond Opinions Blog post highlighting the SEC's more aggressive cyber posture in 2021, Gensler indicated that the SEC will consider updating existing cybersecurity disclosure and reporting rules and requirements in 2022 for entities regulated by the SEC and expanding cybersecurity requirements on those entities falling outside the agency's direct regulatory regime.
Read More