On July 26, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) proposed new rules for broker-dealers (Proposed Rule 15(1)-2) and investment advisers (Proposed Rule 211(h)(2)-4) on the use of predictive data analytics (PDA) and PDA-like technologies in any interactions with investors.1 However, as discussed below, the scope of a “covered technology” subject to the rules is much broader than what most observers would consider to constitute predictive data analytics. The proposal would require that anytime a broker-dealer or investment adviser uses a “covered technology” in connection with engaging or communicating with an investor (including exercising investment discretion on behalf of an investor), the broker-dealer or investment adviser must evaluate that technology for conflicts of interest and eliminate or neutralize those conflicts of interest. The proposed rules would apply even if the interaction with the investor does not rise to the level of a “recommendation.”
On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective 30 days following publication in the Federal Register. The Final Rule applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934, including foreign private issuers, smaller reporting companies, and business development companies, and will require disclosure of material cybersecurity incidents on Form 8-K and Form 20-F and periodic disclosure of cybersecurity risk management, strategy, and governance in annual reports on Form 10-K and Form 20-F.
This week, two committees in the House of Representatives will mark up legislation intended to clarify the regulatory framework applicable to digital assets in the United States. Earlier this month, leaders in the U.S. Senate also introduced legislation to establish a comprehensive and unified regulatory scheme for digital assets and digital asset derivatives.1 Both the House and Senate bills seek to integrate the regulation of digital assets and digital asset derivatives into the existing U.S. regulatory framework — primarily that of the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) — rather than create a standalone framework, but both bills face significant barriers to enactment.
On June 13, 2023, the Office of Management and Budget released its Spring 2023 Unified Agenda of Regulatory and Deregulatory Actions, which includes updates on Securities and Exchange Commission (“SEC”) proposed rules. The SEC pushed back its estimate for the final action date to October 2023 for its proposed cybersecurity rules related to public companies, as well as for its investment advisers and funds proposal. Notably, the SEC’s timelines are typically estimates for implementation, and the proposed rules could be introduced sooner or later than these dates. However, the updated timeline indicates that the SEC is prioritizing finalizing its cybersecurity rules related to public companies and investment advisers and funds.
On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) proposed three rules related to cybersecurity and the protection of consumer information and reopened the comment period for a proposed cybersecurity rule for investment advisers and funds. This significant action would impose new cybersecurity requirements for several SEC-registered entities, including with respect to these entities’ policies, incident response and notification procedures, and cybersecurity risk management. This Sidley commentary and analysis discusses the key features of each proposal, including new requirements and differences among each of the proposals.
On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.
This Sidley Update highlights certain key disclosure considerations for preparing your annual report on Form 10-K for fiscal year 2022, including recent amendments to U.S. Securities and Exchange Commission (SEC) disclosure rules and other developments that impact 2022 Form 10-K filings, as well as certain significant disclosure trends and current areas of SEC focus for disclosures. As always, we invite you to contact us with any questions on these topics or any other SEC reporting and compliance matters.
On December 5, 2022, the Division of Examinations of the Securities and Exchange Commission (SEC) released a Risk Alert discussing its observations on Regulation S-ID (Reg. S-ID) from recent examinations of SEC-registered investment advisers and broker-dealers. Reg. S-ID, the SEC’s implementation of the identity theft red flags rule, requires SEC-regulated financial institutions and creditors to develop and implement an identity theft prevention program (Program) with written policies and procedures that are updated periodically. The requirements for the Program are outlined in the text of Reg. S-ID, and there are guidelines in Appendix A to assist firms in creating and maintaining a compliant Program. As Reg. S-ID applies to both SEC and Commodity Futures Trading Commission-regulated entities, financial institutions and creditors should consider their compliance programs accordingly.
**This article originally appeared on Lawfare
As nation-state actors increase their malicious cyber capabilities toward companies, U.S. regulators such as the SEC have understandably increased their regulatory focus on cybersecurity. The SEC is of course a well-intended member of Team Cyber, and investors in public companies might benefit from some aspects of the SEC’s proposal: Increased knowledge of a company’s cybersecurity risks, experience, governance, and resiliency could be important to their decision-making. But the proposal is dangerous to the extent that it jeopardizes important safety, security, and geopolitical interests in the name of disclosure. Put simply, the SEC’s proposal must be revised to assure responsible (not reckless) public disclosure. The SEC should not force public companies to choose between SEC liability and effective collaboration with the government’s cybersecurity-focused agencies. As is, the proposed rule could increase the risk to the U.S.’s critical infrastructure, economy, homeland, and allies. The proposal should include deference for exigent law enforcement, national security, and judicial needs, and allow delay where appropriate for ongoing, unpatched incidents when premature disclosure could harm a broad swath of vulnerable companies and even government agencies.
On June 15, 2022, the U.S. Securities and Exchange Commission (Commission) issued a request for comment with respect to whether certain index, model, pricing, and other information providers should be regulated as investment advisers under the Investment Advisers Act of 1940. The Commission suggests fresh consideration is needed in light of changes in technology and market practices in the decades since these topics were last given significant attention — especially given the continuing expansion of index-based investment strategies. Responses to the request for comment are due the later of August 16, 2022, or 30 days after publication of the release in the Federal Register. (more…)