Broker-Dealers and Investment Advisers Should Double-Check Their “Identity Theft” Programs: SEC Division of Examinations Issues Risk Alert on SEC’s Identity Theft Red Flags Rule, Regulation S-ID
On December 5, 2022, the Division of Examinations of the Securities and Exchange Commission (SEC) released a Risk Alert discussing its observations on Regulation S-ID (Reg. S-ID) from recent examinations of SEC-registered investment advisers and broker-dealers. Reg. S-ID, the SEC’s implementation of the identity theft red flags rule, requires SEC-regulated financial institutions and creditors to develop and implement an identity theft prevention program (Program) with written policies and procedures that are updated periodically. The requirements for the Program are outlined in the text of Reg. S-ID, and there are guidelines in Appendix A to assist firms in creating and maintaining a compliant Program. As Reg. S-ID applies to both SEC and Commodity Futures Trading Commission-regulated entities, financial institutions and creditors should consider their compliance programs accordingly.
New Regulatory Agenda Reveals Forthcoming Cybersecurity Regulations
The Biden Administration released its Fall 2022 regulatory agenda on Jan. 4, 2023, to outline regulations aimed at cybersecurity requirements for government contractors, the maritime industry, public companies and others.
FTC's New Cybersecurity Safeguards Rule in Effect for Non-SEC-Registered Investment Advisors
Additional Requirements to Go Into Effect June 9, 2023
FTC Safeguards Rule: What Your Business Needs to Know
As the name suggests, the purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.
The Largest Cyberbreaches of All Time: What Can They Teach Us Today?
In 2021, the number of cyberattacks and data breaches in the U.S. increased by 15.1% from the previous year. And the cost of being victimized by cybercrime rose, as well. According to a study by IBM, on average, a single data breach in the U.S. costs a business $9.44 million.
SEC exams director warns advisers to strengthen cyber defenses
Online attacks aimed at the financial system are a top concern for regulators, and small advisory firms aren’t immune to the trend, an SEC official warned Wednesday.
A National Cybersecurity Strategy Is Coming. Are You Prepared?
Upcoming policy illustrates that government is taking cyber threat seriously
New SEC Plan Says RIAs Must Vet Third-Party Services
What You Need to Know
The SEC's proposed due diligence requirements could cover services like portfolio management and trading software.
The rule excludes services such as clerical, ministerial, utility and general office services.
The Investment Adviser Association says the rule is overly burdensome, especially for small firms.
SEC Plans to Update Rules for Brokers, Advisors on Protecting Client Information
The Securities and Exchange Commission has a busy rulemaking agenda, and brokers and advisors can look ahead to new regulations concerning cybersecurity and safeguarding clients’ personal information.
The commission is currently reviewing the comments it received for its cybersecurity proposal, but Chairman Gary Gensler is indicating that the agency is also working on an overhaul of Regulation S-P, the 22-year-old rule stipulating how registrants must protect sensitive client data.
Gensler briefly addressed the topic when he appeared via web conference at the Investment Adviser Association’s conference this week, saying that he believes the rule, which was last amended in 2004, needs to be updated.
Top 5 Reasons Companies Are Denied Cybersecurity Insurance
Cybersecurity insurance is an absolute necessity for any business operating in the modern world. However, increasing demand and threats of attacks have made insurance companies much more hesitant to offer claims. Here are some of the most common reasons claims are rejected, and how organizations can ensure they receive the coverage they need.