On July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC” or “Commission”) adopted rules to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance.Continue Reading New SEC Disclosure Rules for Cybersecurity Incidents and Governance and Key Takeaways

On July 26, 2023, the Securities and Exchange Commission (“SEC”) proposed new rules targeting the use of predictive data analytics and artificial intelligence (“AI”) by registered investment advisers (“RIAs”) and broker-dealers.[1]  The new proposed rules focus on the potential for conflicts of interest and the possibility that newer, more complex analytics models (including those using AI) might optimize decision making for RIAs and broker-dealers by placing those firms’ interests above the interests of their clients.[2]  The proposed rules would require RIAs and broker-dealers to: (i) evaluate whether their use of technologies “that optimize for, predict, forecast or direct investment-related behaviors or outcomes” create such a conflict of interest, and (ii) either stop using or address the effects of tools that place a firm’s interests before the interests of clients.  RIAs and broker-dealers will also will be required to adopt policies to ensure compliance with the new proposed rules.[3] Continue Reading SEC Proposes Rules Limiting the Use of Artificial Intelligence by Registered Investment Advisers and Broker-Dealers

On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents.  The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”Continue Reading SEC Continues to Shine Light on Cyber and Data Security: Proposes Amendments to Regulation S-P

On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1]  This is the fourth SEC settled enforcement action concerning disclosures following a cyberattack.[2]  This development highlights increased regulatory scrutiny that public companies face related to cyberattacks and serves as a potential prelude to the SEC’s aggressiveness in enforcing its upcoming revised rules on cybersecurity incident disclosures. Continue Reading SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack

On May 3, 2022, the SEC announced that it was renaming the Division of Enforcement’s Cyber Unit as the Crypto Assets and Cyber Unit, and significantly increasing its size with the addition of 20 new positions.[1]  In the same announcement, the SEC articulated specific areas of focus within the digital assets space, including:  (i) crypto asset offerings; (ii) crypto asset exchanges; (iii) crypto asset lending and staking products; (iv) decentralized finance (“DeFi”) platforms; (v) non-fungible tokens (“NFTs”); and (vi) stablecoins.
Continue Reading SEC Nearly Doubles Size of Digital Asset Enforcement Team

The SEC published in March 2022 a dauntingly complex proposal to require public companies to provide climate-related disclosures.[1]  The period for public comment on the proposal is very short, and it seems clear that a majority of the Commission is determined to proceed quickly.
Continue Reading The SEC’s Climate Proposal – Top Points for Comment

Last month, the U.S. Securities and Exchange Commission issued a proposal to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance. Among other changes, the SEC’s proposal would require disclosure about material cybersecurity incidents within four business days and require annual disclosure regarding a registrant’s policies and

The SEC and a consortium of 32 states recently announced a $100 million settlement with BlockFi Lending LLC over its crypto lending product, BlockFi Interest Accounts. The SEC alleged BlockFi had violated the securities laws by failing to register its interest-bearing crypto lending product as a security, failing to register itself as an investment company,

On January 24, 2022, Securities and Exchange Commission Chair Gary Gensler gave a speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute signaling the SEC’s intention to step up its cyber-related regulatory and enforcement efforts.  Gensler described the continued rise in cybersecurity incidents targeting the financial sector as a serious threat to the nation’s economy and critical infrastructure, with costs potentially in the trillions of dollars.
Continue Reading SEC Chair Previews Ramp Up in Regulation and Enforcement in the Cybersecurity Context