Jun 52024

U.S. SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Amendments Adopted

, , , ,
Andrew P. Blake, Colleen Theresa Brown, W. Hardy Callcott, Stephen L. Cohen, David Lashway, Charles A. Sommers, Alan Charles Raul and Sasha Hondagneu-Messner

On May 16, 2024, the U.S. Securities and Exchange Commission (SEC) adopted amendments to its Regulation S-P. These final amendments impose significant cybersecurity requirements for several SEC-registered entities and transfer agents registered with another appropriate regulatory agency, including with respect to these entities’ policies and procedures, incident response and notification procedures, and cybersecurity risk management.

(more…)

Read more
Sep 282023

SEC’s Cybersecurity Disclosure Rules Are Here. Is Your Company Ready to Comply?

, , , , , , ,
Sonia Gupta Barros, Colleen Theresa Brown and Samir A. Gandhi

Companies are facing more attacks on their information systems. And, as their cyber risk skyrockets, the SEC has stepped in with new regulations, telling businesses what to disclose about these incidents — and requiring detailed disclosures on cyber risk management more broadly. With the deadline for compliance fast approaching, businesses are scrambling to mitigate their legal risk and comply with regulations that some say may be an overreach.

(more…)

Read more
Jul 312023

U.S. SEC Public Company Cybersecurity Disclosure Regulation Finalized With Swift Effective Date

, , , , , , ,
Sonia Gupta Barros, Colleen Theresa Brown, Paul L. Choi, Stephen L. Cohen, John P. Kelsh, David Lashway, Geeta Malhotra, Lara Mehraban, Alan Charles Raul, Andrea L. Reed, Michele L. Aronson and Sasha Hondagneu-Messner

On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.

(more…)

Read more
May 12023

Now You See Them, Now You Don’t: Regulatory Risks of Ephemeral Messages

, , ,
Data Matters Contributors

Corporate use of ephemeral messaging applications (communications that disappear after a set time) has become increasingly common across the globe in recent years, with companies recognizing its value in decreasing data storage costs and providing employees a convenient method for communicating quickly with customers and clients. However, the prevalence of these messaging applications in the corporate context has caused regulators to grow concerned about how encrypted and ephemeral messaging might affect regulatory obligations related to data preservation, employee monitoring, and compliance.

(more…)

Read more