The SEC's Proposed Cybersecurity Rules: Regulatory Delay Does Not Bless Standing By
Key Takeaways
Since 2022, the U.S. Securities and Exchange Commission (SEC) has proposed several cybersecurity rules applicable to numerous regulated entities that, if adopted, would impose quick notification obligations and heightened disclosure requirements.
Amid significant pushback during the public comment period, the SEC announced it would delay issuance of these rules, which are now expected to be finalized in October 2023 and April 2024.
Because cybersecurity risks will continue to evolve more rapidly than the SEC’s public rulemaking process, public companies, investment advisers, broker-dealers, and other entities that may be impacted by these rules should not wait to address these risks, even in the face of regulatory uncertainty.
After all, the SEC has already brought enforcement actions relating to cybersecurity incidents even in the absence of these proposed rules being finalized, and existing SEC and other regulatory frameworks already require baseline disclosure, notification, and safeguarding measures that these proposed SEC rules seek to enhance.
Third-Party Risk Management: A Critical Task for Cybersecurity and Breach Prevention
We are all familiar with the mantra on the importance of managing third-party risk to prevent anti-corruption, sanctions, money laundering and associated risks. Over the last ten years, however, we have observed a new and important addition to the third-party risk plate – cybersecurity and data breach.
AI Will Heighten Cybersecurity Risks for RIAs
While scams like email impersonation and phishing are nothing new, generative AI has supercharged the risks by introducing new threats, including deepfakes and malicious chatbots.
Remarks of SEC Enforcement Director on Cyber Resilience
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, spoke on the topic of cyber resilience at the Financial Times Cyber Resilience Summit. Director Grewal defined cyber resilience as a guiding concept: because cybersecurity incidents are likely to occur, companies must be prepared to respond and react appropriately when they do.
SEC Provides Guidance For Firms in Advance Cybersecurity Action
Earlier this month, the U.S. Securities and Exchange Commission’s (SEC) 2023 Spring Unified Agenda of Regulatory and Deregulatory Actions was released. The agenda identifies the rules that the agency expects to consider in the next 12 months and includes an anticipated action date for finalizing rules for cybersecurity disclosure by public companies by October 2023. This alert provides guidance on what companies should be doing to prepare now.
SEC Delays Finalized Cyber Rules Until October 2023
Based on updates to its rulemaking agenda that were released last week, the U.S. Securities and Exchange Commission (SEC) has delayed approval of two cybersecurity rules until at least October 2023. Both proposed rules were released by the agency in early 2022.
Cybersecurity Tips for Remote Working Employees
In today’s digital age, remote work has become a norm, posing challenges to maintaining operational security. Any mistake by remote employees can result in a data breach that can be detrimental to the organization.
SEC steps up intensity of cybersecurity oversight
The SEC has been concerned for years about online attacks that could expose financial advisors’ customer data, but the agency’s intensity on the topic is now reaching a crescendo.
Branch Offices Lack Policies for Protecting Client Records: SEC
The Securities and Exchange Commission warned broker-dealers and advisors Wednesday about the importance of having written policies and procedures for safeguarding client records and information at branch offices, since some firms have experienced cybersecurity and data breaches.