On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements concern the issuers’ disclosures relating to cybersecurity risks and intrusions following the December 2020 SUNBURST cybersecurity incident, which affected

On May 16, 2024, the SEC issued a release (the “Release”) adopting amendments to Regulation S-P (the “Amendments”) that require broker-dealers, registered investment companies (together, with business development companies, “registered funds”) and registered investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer information, including

Not that long ago, financial sector regulations seldom mentioned cybersecurity expressly, instead addressing the issue indirectly through restrictions focused on general system safeguards and omnibus reporting requirements. Gone are those days. Over the past few years, federal and state regulators have increased focus on information security issues impacting financial institutions, introducing a spate of cyber rules that often include stringent regulatory reporting and disclosure requirements. This year was no different.

On July 26, 2023, the Securities and Exchange Commission (the “SEC”) voted 3–2 to adopt rules requiring public companies to disclose material cybersecurity incidents as well as information regarding their cybersecurity risk management, strategy, and governance (the “Cybersecurity Disclosure Rules” or “Final Rules”). The Final Rules require disclosure of “material cybersecurity incidents”. The disclosure must be made within four business days from the date on which a cybersecurity incident is determined to be “material”, as opposed to four business days from the date on which the occurrence of an incident is discovered, although that distinction may be difficult to implement in practice. Covered entities, which include all issuers that file annual reports on Form 10-K or Form 20-F, should promptly review their cybersecurity protocols and procedures to address further required disclosure items.

Ropes & Gray, in partnership with Mass Insight Global Partnerships, hosts and presents the Data Insights webinar series. This series focuses on bringing together business people, academics and researchers, and government policy makers to discuss issues associated with the collection and use of data to address significant problems across a broad range of contexts. The

Since 2000, technological advances have transformed how customers interact with financial institutions and how such firms store, process and protect personal information. The proliferation of large-scale hacks and data breaches throughout this time simultaneously demonstrated the difficulty of data protection given the ever-evolving nature of cybercrime. Despite these developments, the SEC has failed to update

On March 15, 2023, the SEC issued a release (the “Release”) containing proposed amendments to Regulation S-P (the “Proposals”). These Proposals were published in the Federal Register today, March 21. If adopted, the Proposals would require broker-dealers, registered investment companies (with business development companies, “registered funds”) and investment advisers to adopt written policies and

Blackbeard may not be the first name that comes to mind when considering cybercrime, but prior international efforts to stop stateless rogue actors can point us toward the proper focus for cybersecurity—governments taking responsibility to solve a classic collective action problem by direct action, supporting existing industry defense measures, and leading multilateral cooperation efforts. This

On October 26, 2022, in a divided 3-2 vote, the Securities and Exchange Commission (“SEC”) proposed a new rule, 206(4)-11, under the Investment Advisers Act of 1940 and related amendments (the “Proposed Rule”) requiring SEC-registered investment advisers to exercise effective and sufficient oversight over their service providers so as to fulfill the adviser’s fiduciary duty, comply with the federal securities laws and protect investors from potential harm. Notably, the Proposed Rule prohibits advisers from outsourcing certain services or functions to service providers without meeting minimum diligence and monitoring requirements.

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed updates to its disclosure rules intended to “enhance and standardize” public company disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting (the “Proposed Rules”). The Proposed Rules may require issuers to update their disclosure controls and procedures, in particular with respect