On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents.  The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”

Continue Reading SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P

On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) proposed three new cybersecurity rulemakings that, if adopted, would affect a wide range of market participants, including SEC-registered broker-dealers.

Continue Reading SEC Proposes Major New Cybersecurity Rules for Market Participants

On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1]  This is the fourth SEC settled enforcement action concerning disclosures following a cyberattack.[2]  This development highlights increased regulatory scrutiny that public companies face related to cyberattacks and serves as a potential prelude to the SEC’s aggressiveness in enforcing its upcoming revised rules on cybersecurity incident disclosures. 

Continue Reading SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack

On May 3, 2022, the SEC announced that it was renaming the Division of Enforcement’s Cyber Unit as the Crypto Assets and Cyber Unit, and significantly increasing its size with the addition of 20 new positions.[1]  In the same announcement, the SEC articulated specific areas of focus within the digital assets space, including:  (i) crypto asset offerings; (ii) crypto asset exchanges; (iii) crypto asset lending and staking products; (iv) decentralized finance (“DeFi”) platforms; (v) non-fungible tokens (“NFTs”); and (vi) stablecoins.
Continue Reading SEC Nearly Doubles Size of Digital Asset Enforcement Team

The SEC published in March 2022 a dauntingly complex proposal to require public companies to provide climate-related disclosures.[1]  The period for public comment on the proposal is very short, and it seems clear that a majority of the Commission is determined to proceed quickly.
Continue Reading The SEC’s Climate Proposal – Top Points for Comment

Last month, the U.S. Securities and Exchange Commission issued a proposal to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance. Among other changes, the SEC’s proposal would require disclosure about material cybersecurity incidents within four business days and require annual disclosure regarding a registrant’s policies and

The SEC and a consortium of 32 states recently announced a $100 million settlement with BlockFi Lending LLC over its crypto lending product, BlockFi Interest Accounts. The SEC alleged BlockFi had violated the securities laws by failing to register its interest-bearing crypto lending product as a security, failing to register itself as an investment company,

On January 24, 2022, Securities and Exchange Commission Chair Gary Gensler gave a speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute signaling the SEC’s intention to step up its cyber-related regulatory and enforcement efforts.  Gensler described the continued rise in cybersecurity incidents targeting the financial sector as a serious threat to the nation’s economy and critical infrastructure, with costs potentially in the trillions of dollars.
Continue Reading SEC Chair Previews Ramp Up in Regulation and Enforcement in the Cybersecurity Context

Last month, the United States District Court for the Southern District of New York granted a motion to dismiss in In re Fed Ex Corp. Securities Litigation, a putative class action securities fraud case filed against FedEx following numerous disclosures in 2017 and 2018 regarding the impact of a Russian cyberattack on its recently acquired subsidiary, TNT Express Services B.V (“TNT”).[1]  The court held that the complaint failed to adequately plead that FedEx had made any material misrepresentations or had the requisite scienter.  FedEx’s successful defense against the lawsuit highlights the importance for companies to consider their disclosure obligations following a cyber-incident and carefully tailor their disclosures to account for their risks and accurately reflect the consequences of the incident.
Continue Reading District Court Dismisses Securities Fraud Claim Against FedEx Concerning Disclosures About NotPetya Cyberattack

On March 3, 2021, the U.S. Securities and Exchange Commission (“SEC”) Division of Examinations (the “Division”)—formerly the Office of Compliance Inspections and Examinations—released its 2021 Examination Priorities (“2021 Priorities”).  The 2021 Priorities generally retain perennial risk areas as the Division’s core focus, but do include several new and emerging risk areas reflecting broader policy shifts under new SEC leadership.

The 2021 Priorities include:  retail investors; information security and operational resilience; financial technology (“Fintech”), including digital assets; anti-money laundering; transition from the London Inter‑Bank Offered Rate (“LIBOR”); several areas covering registered investment advisers and investment companies; market infrastructure; and oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board programs and policies.  Although not formal priorities, the Division will also focus on climate-related risks and environmental, social and governance (“ESG”) matters in light of recent market developments and broader attention in these areas.
Continue Reading Turning the Page: Highlights of the SEC’s Division of Examination’s 2021 Priorities