US SEC Cyber Risk Management Proposed Rules: Analysis for Investment Advisers, Investment Companies, BDCs and Broader Implications for Private Sector
On February 9, 2022, the Securities and Exchange Commission (“SEC” or “Commission”) voted 3-1 to propose rules, forms and amendments concerning cybersecurity risk management, as well as registered investment adviser and fund disclosures. As we have previously discussed, the proposal under the Investment Advisers Act of 1940 (Advisers Act) and the Investment Company Act of 1940 (Investment Company Act) seeks to set out specific requirements for cybersecurity risk management for registered investment advisers (RIAs), registered investment companies (“RICs,” including mutual funds, exchange-traded funds (ETFs), unit investment trusts (UITs), and closed-end funds) and business development companies (BDCs) and related amendments to certain rules and forms that govern RIA and fund disclosures.
SEC Division of Examination Priorities for 2022
Rounding out a series of quarter-end announcements from the US Securities and Exchange Commission (SEC), the Division of Examinations (Exams) announced its 2022 examination priorities on March 30, 2022. These priorities reflect SEC Chair Gary Gensler's stated view that the examinations program is crucial to the SEC's work to protect investors and instill trust in markets. Exams will focus on, among other things, (i) private funds, (ii) broker-dealers, (iii) Environmental, Social, and Governance (ESG) or impact investing, (iv) financial technology (FinTech) and crypto-assets, and (v) information security (InfoSec) and operational resiliency.
SEC Proposed New Cybersecurity Rules
The Securities and Exchange Commission (“SEC”) recently published proposed rulemaking regarding cybersecurity for (1) investment advisers and funds and (2) public companies. If implemented, these rules will have a significant impact on cybersecurity governance, risk management by management, oversight by boards of directors, and the maintenance and update of policies, procedures, and compliance programs regarding cybersecurity.
Missed red flags: How this CFP lost $3,000 to an Instagram scam - CNBC
This 27-year-old finance pro lost $3,000 to an Instagram scam — here are the 4 red flags he missed
In a world where Elizabeth Holmes, Anna Delvey and the Tinder Swindler co-exist, it seems like scammers are waiting for unsuspecting victims around every corner. Sometimes, those victims are even sophisticated finance professionals.
The New York Department of Financial Services Cybersecurity Regulation: A Harbinger of More to Come
The NYDFS recognized the significant risk of cyberattacks to financial businesses that operate in the state and their customers, so it took action. In 2017, NYDFS adopted a set of regulations, 23 NYCRR 500, that places strict cybersecurity requirements on financial services companies that do business in the state of New York and related third-party service providers to defend against cyberattacks. They need to know what the regulation requires, which companies must comply and similar laws that overlap the provisions of this one.
Four Takeaways from the SEC’s Proposed Cybersecurity Rules
On February 9, 2022, the SEC released its much-anticipated proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.
Chair Gensler recently emphasized that cybersecurity rulemaking in this area is one of his priorities, and placed particular emphasis on establishing standards for cybersecurity hygiene and incident reporting for registrants. The proposed rules, which are the most detailed cybersecurity rules that Chair Gensler’s SEC has issued thus far, reflect the SEC’s intense attention to cybersecurity risk and its willingness to deploy the full scope of its regulatory authority to promulgate standards that address this risk.
These proposed rules would impose significant new requirements on registered investment advisers and funds, and are generally consistent with cybersecurity requirements imposed on other companies by New York’s Part 500 Cybersecurity Regulation and the Federal Trade Commission’s updated Safeguards Rule.
US warns of potential Russian cyberattacks on wealth managers
The fallout from Russia’s invasion of Ukraine is hitting the advice industry as government agencies warned wealth managers last week to protect themselves and their clients against increased attacks.
10 wealth management highlights from Financial Planning/Arizent’s latest cybersecurity research
Wealth management executives are reassessing cybersecurity policies and procedures as they prepare firms for the future.
Growing demand for third-party access data — from both customers and technology vendors — is increasing threat vectors, as is the growing use of mobile devices. These aren’t new trends, but the shift to remote working caused by the coronavirus pandemic has accelerated the influence of these forces. For example, fintech companies initially created to reach younger investors are now embraced by clients of all ages.
SEC issues proposed cyber rule
The SEC issued a proposed cybersecurity rule applicable to registered investment advisers and registered investment companies, but did not issue the rule to publicly traded companies.
• The rule requires notification to the Commission within 48 hours of discovering a significant cybersecurity incident.
• The rule also requires extensive policies and procedures, including a written information security plan and incident response plan, to address and respond to cybersecurity threats.
• Companies will be required to increase disclosures and recordkeeping around cybersecurity practices, risks, and incidents.
SEC proposes first cybersecurity rule for investment advisers
Under the regulation, advisers would have to adopt and implement policies and procedures to address cyber risks and report incidents to the SEC and on their Form ADV.