Cybersecurity and data privacy risks continue to loom large with potentially significant consequences. Litigation, often filed soon after incidents, adds to the possible repercussions. In our previous article, we discussed a trio of states providing affirmative defenses or “safe harbors” that companies can take advantage of to minimize litigation exposure resulting from a data breach. Three other states have recently followed, with Oklahoma, Iowa, and Tennessee recently passing their own “safe harbor” laws.

Financial institutions must get ready to report on assessing, monitoring, mitigating and remediating cyber risks

New York Attorney General Letitia James and a coalition of five attorneys general reached a $6.5 million agreement Thursday with Morgan Stanley Smith Barney LLC for compromising the personal information of millions of customers nationwide.

According to James’ office, Morgan Stanley “failed to decommission its computers and erase unencrypted data in certain computer devices that were later auctioned while still containing consumers’ personal information, including data belonging to 1.1 million New Yorkers.”

In today’s rapidly evolving digital landscape, cybersecurity has become a critical concern for businesses across all industries. Recognizing the need for increased transparency and accountability, the U.S. Securities and Exchange Commission (the “SEC” or “Commission”) has issued a new pronouncement1 that outlines cybersecurity requirements for all registrants, which includes registered investment companies and registered investment advisers (“RIAs” or “advisers”). Implementation of this new SEC pronouncement is of critical importance as it will help advisers safeguard their (and their investors’) sensitive data and protect against cyber threats. By embracing these requirements, companies can enhance their cybersecurity posture, build trust with investors, and mitigate potential financial, operational, and reputational risks.

This is the second in a three-part series discussing the newly amended rules (collectively the “Rules”) adopted by the Colorado Division of Securities (“Division”) effective as of March 30, 2023 (the “Effective Date”) applicable to certain Colorado investment advisers and their registered representatives (“IARs”). The Rules mostly affect investment advisers registered with Colorado State (such advisers, “Colorado Licensed Advisers”).

The U.S. Securities and Exchange Commission will continue to review broker-dealers’ and advisers’ cybersecurity practices next year, the agency said in a report issued Monday.

“Operational disruption risks remain elevated due to the proliferation of cybersecurity attacks, firms’ dispersed operations, intense weather-related events, and geopolitical concerns,” the agency said in its “2024 Examination Priorities, Division of Examinations” report.

Cybersecurity and Cybersecurity Compliance share the same objective (protecting sensitive data from cyber threats), but they aren’t the same thing.  They are related but have different focuses.

Under the proposed SEC Cybersecurity Risk Management Rules, firms would need to have documented processes in place to mitigate and respond to “significant cybersecurity incidents” and report them to the SEC when they happen—including whether any losses are covered by insurance policies…

The SEC is about to upend your firm when it comes to cybersecurity.

Last year, the agency proposed a series of new rules, heading toward approval likely later this year. Although not yet final, they are going to shake up the ways RIAs run their businesses.

The SEC Cybersecurity Rules strive to enhance and standardize disclosures regarding cybersecurity incidents, risk management, strategy, and governance. Public companies subject to the reporting requirements of the Securities Exchange Act of 1934 will be subject to new disclosure requirements regarding (1) cybersecurity incidents, and (2) cybersecurity risk management, strategy, and governance. The rules also significantly expand cyber compliance obligations for registered investment advisers (RIAs), investment companies and broker-dealers.