On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) released its proposal to amend Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, while simultaneously issuing two additional cybersecurity-related rule proposals[1] and re-opening the comment period for its previously proposed cybersecurity risk management rule released in February 2022.[2] This set of sweeping reforms makes clear, if it was not already, that the SEC is serious about implementing comprehensive cybersecurity and privacy standards across its regulated entity population, including investment advisers.

This new proposed rulemaking occurs against the backdrop of the SEC’s longstanding focus, through examination and enforcement, on the risks that cybersecurity incidents pose to covered firms and, by extension, to their investors, clients and customers. The Division of Examinations has made information security and resilience an examination priority every year since 2014, and it did so again in 2023.[3] Similarly, the Division of Enforcement has repeatedly brought enforcement actions in this area, including fourteen relating to cybersecurity controls and safeguarding customer information since 2015,[4] pursuing these actions through its dedicated Crypto Assets and Cyber Unit, which recently almost doubled in size to fifty professionals.[5] In addition to pursuing violations uncovered during routine compliance examinations, the Examinations and Enforcement Divisions also proactively investigate potential violations of which they become aware, either through whistleblowers or public news reports of prominent security breaches, such as the late 2020 SolarWinds cyber breach.[6] SEC examination and enforcement focus in this area can therefore be expected to continue, and possibly even increase, creating more risk for firms as compliance obligations expand.


[1]    Cybersecurity Risk Management Proposed Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Exchange Act Release No. 34-97142 (Mar. 15, 2023) (“Exchange Act Cybersecurity Proposal”), and Regulation Systems Compliance and Integrity, Exchange Act Rel. No. 34-97143 (Mar. 15, 2023) (“Regulation SCI Proposal”).

[2]    Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Securities Act Rel. No. 11028 (Feb. 9, 2022) (“Cybersecurity Proposal”).

[3]    SEC Division of Examinations, 2023 Examination Priorities, at pp. 13-14.

[4]    SEC Website, Crypto Assets and Cyber Enforcement Actions — Regulated Entities – Cybersecurity Controls and Safeguarding Customer Information.

[5]    SEC Press Release, SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit, May 3, 2022.

[6]    Reuters, U.S. SEC probing SolarWinds clients over cyber breach disclosures -sources, June 22, 2021.