On March 15, 2023, the SEC issued a release (the “Release”) containing proposed amendments to Regulation S-P (the “Proposals”). These Proposals were published in the Federal Register today, March 21. If adopted, the Proposals would require broker-dealers, registered investment companies (with business development companies, “registered funds”) and investment advisers to adopt written policies and

Blackbeard may not be the first name that comes to mind when considering cybercrime, but prior international efforts to stop stateless rogue actors can point us toward the proper focus for cybersecurity—governments taking responsibility to solve a classic collective action problem by direct action, supporting existing industry defense measures, and leading multilateral cooperation efforts. This

Introduction

Throughout 2022, cybersecurity lawyers have kept their eyes firmly fixed on two pieces of EU cybersecurity legislation: the NIS2 Directive (“NIS2”) and the Cyber Resilience Act (the “CRA”). With NIS2 having been formally enacted by the EU and the draft text of the CRA being published by the European Commission in September 2022, businesses should take time in 2023 to digest the implications of NIS2 and the CRA on their cybersecurity compliance programmes, both in terms of organisational measures and product compliance.

Continue Reading 2023 – A Year for Reflection on EU Cybersecurity

Ropes & Gray data, privacy & cybersecurity practice co-lead Ed McNicholas was recently featured on the R&G Tech Studio podcast, a Ropes & Gray podcast focused on showcasing the interesting and exciting work our attorneys are doing in the world of tech. In the interview, McNicholas sits down with Ed Black, technology, media &

2023 will bring with it updates and reforms in relation to data protection and cybersecurity in the UK. The proposed changes are expected to place tighter restrictions on digital content; increase protection around the internet of things and connected products; and, to the delight of some, lighten compliance burdens with respect to personal data. A few highlights to watch out for are set out below:

Continue Reading Incoming Privacy and Cybersecurity Developments in the UK

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced proposed amendments to its Part 500 Cybersecurity Rules (“Proposed Amendments”), revising an initial set of draft amendments released in July 2022. While NYDFS may have relatively limited jurisdiction, its emphasis on rapid breach reporting and data governance have had considerable influence on other U.S. financial services regulators. The current Cybersecurity Rules impose a 72-hour reporting requirement for cybersecurity events, and the Proposed Amendments go farther, creating an additional 24-hour notification obligation in the event a ransomware payment is made. Additionally, the Proposed Amendments create new requirements for larger “Class A” companies, including a risk assessment by an external expert every three years and an independent audit of cybersecurity programs annually.

Continue Reading NYDFS Proposes Significant Amendments to its Cybersecurity Rules

As smartphone capabilities and the ubiquity of their usage increases, an increasing number of functions that were previously performed by standalone devices have now moved into the app ecosystem – but doing so raises the risks of personal data misuse, and consequently regulatory scrutiny under data privacy laws. Recent advice and comments provided by EU data protection regulators regarding Qatar FIFA World Cup apps highlight this risk.

Continue Reading EU Regulators’ Comments on World Cup Apps Highlight Data Protection Risks

Data, privacy & cybersecurity partner Ed McNicholas and counsel Kevin Angle authored the USA chapter in Cybersecurity Laws and Regulations 2023. The chapter provides an overview of common issues in cybersecurity laws and regulations, including cybercrime, applicable statutes, prevention of cyber-attacks, sector-specific guidance, corporate governance, litigation, insurance, and investigatory and police powers.

Click here to

Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist.

Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that takes place. Of the penalties issued for data protection infractions across the EU and UK in 2022 so far, over 70 include security, which is almost 20% of the total fines issued. Specifically, these fines were issued due to a breach of Article 32 of the GDPR/UK GDPR: failing to have appropriate technical and organizational measures in place to protect personal data. A breach of Article 32 of the GDPR or UK GDPR technically only attracts the “standard maximum” fine of €10/£8.7 million or 2% of global annual turnover, however the offence is often coupled with other transgressions, which has led to fines over €20 million.

Continue Reading Data Protection: The Increasing GDPR/ UK GDPR Focus on Security

On October 26, 2022, in a divided 3-2 vote, the Securities and Exchange Commission (“SEC”) proposed a new rule, 206(4)-11, under the Investment Advisers Act of 1940 and related amendments (the “Proposed Rule”) requiring SEC-registered investment advisers to exercise effective and sufficient oversight over their service providers so as to fulfill the adviser’s fiduciary duty, comply with the federal securities laws and protect investors from potential harm.  Notably, the Proposed Rule prohibits advisers from outsourcing certain services or functions to service providers without meeting minimum diligence and monitoring requirements. 

Continue Reading The SEC’s Proposed Outsourcing Oversight Requirements for Investment Advisers