As we approach the end of the year, here are the Top 10 SEC cyber posts on the Debevoise Data Blog in 2023 by page views.


1. SEC Adopts New Cybersecurity Rules for Issuers (July 28, 2023)

On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers, (ii) its proposed amendments to Reg S-P and Reg SCI and (iii) existing cybersecurity obligations under SEC regulations, including Reg S-P, Reg S-ID, and the recently amended Form PF.


2. SEC Adopts New Cybersecurity Rules for Issuers – Part 2: Key Takeaways (August 8, 2023)

In this companion update to our previous post, we discuss key takeaways across three areas for issuers to consider: (1) disclosure of material cybersecurity incidents; (2) cybersecurity risk management and strategy; and (3) cybersecurity governance.


3. SEC Cybersecurity Rules for Issuers – Part 3: Practice Guide Q&A (December 8, 2023)

In this webcast, we discussed practice tips to implement the SEC’s new cybersecurity rules. For more information about the SEC cybersecurity rule, see our companion posts, which can be found here and here.

To access an on-demand recording of this webcast, please click here.


4. SEC Cybersecurity Rules for Issuers – Part 4: FBI, DOJ and SEC Publish Guidance on Disclosure Delays (December 18, 2023)

The SEC’s new cybersecurity rules for public companies became effective on December 18, 2023. The rules require disclosure of a cybersecurity event within four business days of a determination that it is material. They also provide that such disclosure may be delayed for up to 30 days if the United States Attorney General (or per DOJ guidelines, the Attorney General’s authorized designees) determines that immediate disclosure would pose “a substantial risk to national security or public safety, and notifies the SEC of such determination in writing.” Two subsequent delay periods of 30 days and 60 days (in extraordinary circumstances) may also be sought. In this post, we discuss the logistics of making a delay request and offer several tips for companies to prepare for potentially material cybersecurity incidents that may involve making such a request.


5. Hackers Turned Whistleblowers: SEC Cybersecurity Rules Weaponized Over Ransom Threat (November 20, 2023)

On November 7, 2023, the prolific ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data. While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. SEC against its victim for failing to publicly disclose the cybersecurity incident. In this post, we discuss the possible reasoning behind AlphV’s actions, what the SEC’s response might be, and what public companies should do to respond.


6. The SEC’s 2024 Examination Priorities: Continued Scrutiny of Cybersecurity Policies and Procedures (October 18, 2023)

On October 16, 2023, the SEC’s Division of Examinations issued its 2024 Examination Priorities (the “2024 Priorities”). The 2024 Priorities reflect the Commission’s continued scrutiny of information security and operational resiliency at registrants and the risks posed by third-party service providers, as well as new attention to artificial intelligence and other forms of so-called emerging financial technology. In this post, we discuss the implication behind the Priorities, and some key takeaways for companies.


7. SEC Proposes Rule to Eliminate or Neutralize Conflicts of Interest in the Use of “Predictive Data Analytics” Technologies (August 14, 2023)

On July 26, 2023, the U.S. SEC issued proposed rules (the “Proposed Rules”) that would require broker-dealers and investment advisers to evaluate their use of predictive data analytics and other covered technologies in connection with investor interactions and to eliminate or neutralize certain conflicts of interest associated with such use. In this post, we first discuss the scope of the Proposed Rules, provide a summary of key provisions, and discuss some key implications regarding the scope and application of the rules if adopted as proposed.


8. A Late Winter Blizzard of SEC Cybersecurity Rulemaking: the Proposed BD Cybersecurity Rules and Expanded Reg S-P and Reg SCI Obligations (March 20, 2023)

On March 15, 2023, the U.S. Securities and Exchange Commission (the “SEC”) released a suite of proposed new rules (the “Proposed Rules”) that include proposed new cybersecurity rules for broker dealers, amendments to Regulation S-P, and amendments to Regulation SCI. In this post, as well as our accompanying webcast, we outline the key requirements of the Proposed Rules and offer key takeaways to help firms navigate and prepare for the likely adoption of a version of these complex regulations. The SEC’s Fall 2023 Regulatory Agenda was posted on December 6, 2023. The SEC has indicated its plans to issue final rules for Market Entities, Amendments to Reg SCI, and Amendments to Reg S-P in April 2024.


9. Webcast: Getting Ready for the New SEC Cyber Rules for RIAs and BDs (March 22, 2023)

In this webcast, we discussed the SEC’s proposed cybersecurity rules for registered investment advisers and funds, broker-dealers, and other major market participants and the SEC’s proposed amendments to Reg S-P. This webcast covered: (1) the SEC’s proposed cybersecurity rules for RIAs and BDs and S-P amendments; (2) lessons learned from recent SEC cybersecurity exams and enforcement trends; and (3) getting ready for compliance with the rules.

To access an on-demand recording of this webcast, please click here.


10. Using Technology to Benefit Markets and Investors (October 23, 2023)

Among its many uses in the financial world, technology can improve operational efficiencies, reduce risk and provide valuable information and services to clients. In this joint post with SIFMA, we explore how new rules proposed by the U.S. SEC, purportedly focused on predictive data analytics, are fundamentally flawed, would inhibit the use and adoption of technology, and should not be adopted as proposed.

***


Author

Andrew J. Ceresney is a partner in the New York office and Co-Chair of the Litigation Department. Mr. Ceresney represents public companies, financial institutions, asset management firms, accounting firms, boards of directors, and individuals in federal and state government investigations and contested litigation in federal and state courts. Mr. Ceresney has many years of experience prosecuting and defending a wide range of white collar criminal and civil cases, having served in senior law enforcement roles at both the United States Securities and Exchange Commission and the U.S. Attorney’s Office for the Southern District of New York. Mr. Ceresney also has tried and supervised many jury and non-jury trials and argued numerous appeals before federal and state courts of appeal.

Author

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and cybersecurity regulatory counseling and defense.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Ben Pedersen is a partner in the firm’s Capital Markets Group and member of the Special Situations team. His practice focuses on a broad range of capital markets transactions, regularly representing issuers, private equity firms and underwriters in public and private offerings of debt and equity securities, and advising public and private companies on securities laws, disclosure, corporate governance and general corporate matters. He can be reached at brpedersen@debevoise.com.

Author

Julie M. Riewe is a litigation partner and a member of Debevoise's White Collar & Regulatory Defense Group. Her practice focuses on securities-related enforcement and compliance issues and internal investigations, and she has significant experience with matters involving private equity funds, hedge funds, mutual funds, business development companies, separately managed accounts and other asset managers. She can be reached at jriewe@debevoise.com.

Author

Jeffrey L. Robins is a corporate partner and a member of the Debevoise Banking Group. His practice focuses on representing broker-dealers, swap dealers, banks, securities exchanges, industry associations and buy-side institutions in regulatory and transactional matters. He can be reached at jlrobins@debevoise.com.

Author

Paul Rodel is a corporate partner and a member of Debevoise’s Capital Markets, Private Equity and Latin America Groups. He represents clients in the financial services, healthcare, insurance, technology and media industries in registered, private and offshore capital markets transactions.

Author

Kristin Snyder is a litigation partner and member of the firm’s White Collar & Regulatory Defense Group. Her practice focuses on securities-related regulatory and enforcement matters, particularly for private investment firms and other asset managers.

Author

Matthew Kelly is a litigation counsel based in the firm’s New York office and a member of the Data Strategy & Security Group. His practice focuses on advising the firm’s growing number of clients on matters related to AI governance, compliance and risk management, and on data privacy. He can be reached at makelly@debevoise.com.

Author

Sheena Paul is a counsel in the Investment Management Group’s U.S. regulatory practice, based in the firm’s Washington, D.C. office. Ms. Paul focuses her practice on providing regulatory advice to investment managers, with a particular focus on private equity clients. She works closely with the firm’s other practices on regulatory advice related to domestic and cross-border corporate and capital markets transactions, and enforcement matters. She can be reached at spaul@debevoise.com.