Breaking Down Cybersecurity-Related Regulatory Developments for Registered Investment Advisers

In 2023, the U.S. Securities and Exchange Commission (SEC) made it clear that data security, cybersecurity and IT operational resilience remain top of mind for the Commission. In an effort to tackle issues around transparency, recordkeeping and breach reporting requirements, among other areas of focus, the SEC proposed the following three new sets of rules:

  1. Impose cybersecurity risk management and incident notification rules for broker-dealers and other SEC-registered entities. This proposal for registered investment advisers and registered investment companies relating to cyber risk management was set forth back in February 2022. The comment period was supposed to end in March 2023, but the SEC reopened it and accepted additional comments through May 2023.
  2. Amend Regulation S-P (commonly known as a firm’s “privacy policy”) to require broker-dealers, registered investment advisers (RIAs) and registered investment companies to report breaches of “sensitive” nonpublic personal information to affected individuals.
  3. Establish a new cybersecurity risk management rule (referred to as Proposed Rule 10) for broker-dealers, clearing agencies and other…
