
February 03, 2023


December 9 Looms as Compliance Date for Private Investment Funds and Certain Investment Advisers to Comply With New Cybersecurity Requirements

As we discussed in our March 3 Advisory, on October 27, 2021, the Federal Trade Commission (FTC) announced revisions (the 2021 Revisions) to its information "Safeguards Rule" (the Rule) adopted under the Gramm-Leach-Bliley Act (GLBA). The Rule was first enacted in 2002 to ensure that financial institutions under the jurisdiction of the FTC protect the nonpublic personal information (NPI) of their natural person clients and investors (each, a Customer). Financial institutions under the FTC's jurisdiction include private investment funds (Private Funds) and any investment advisers that are not registered with the Securities and Exchange Commission (SEC), such as state registered investment advisers. The 2021 Revisions were adopted in response to the significant harm caused to consumers, including monetary loss, identity theft and other forms of financial distress, as a result of data breaches and other cybersecurity concerns.

The 2021 Revisions became effective on December 9, 2021, with an initial compliance date of December 9, 2022, for most substantive changes. However, for various reasons, including lack of personnel and supply chain equipment issues, on November 15, 2022, the FTC extended the compliance deadline until June 9, 2023 for several aspects of the 2021 Revisions. Nonetheless, the compliance date for the other aspects of the 2021 Revisions remains December 9, 2022. Below, the 2021 Revisions are grouped into those requiring compliance by December 9, 2022 and those for which compliance was delayed until June 9, 2023.

2021 Revisions Requiring Compliance by December 9, 2022

Each financial institution must:

  • develop and implement an information security program;

  • base the information security program on a specific risk assessment;

  • test or otherwise monitor the effectiveness of the information security program's key controls;

  • oversee service providers by taking reasonable steps in selecting and retaining service providers;

  • require service providers by contract to implement and maintain appropriate safeguards for Customer NPI; and

  • evaluate and adjust the information security program in light of the results of any tests or risk assessments.

2021 Revisions Requiring Compliance by June 9, 2023

Each financial institution must:

  • designate a qualified individual to oversee its information security program;

  • develop a written risk assessment identifying reasonably foreseeable internal and external risks to security, confidentiality and integrity of Customer NPI;

  • limit and monitor personnel that can access Customer NPI;

  • encrypt all Customer NPI held or transmitted by the financial institution both in transit over external networks and at rest;

  • provide training to personnel regarding information security risks;

  • develop an incident response plan designed to limit the consequences of cyber-attacks against the financial institution's information systems;

  • periodically assess the data security practices of service providers; and

  • implement multi-factor authentication or another method with equivalent protection for any individual accessing Customer NPI through the financial institution's information systems.

Separately, as discussed in our March 3 Advisory, on February 9, 2022, the SEC proposed new rules 206(4)-9 under the Investment Advisers Act of 1940 and 38a-2 under the Investment Company Act of 1940 (collectively the Proposed Rules) to address cybersecurity risks. The Proposed Rules have yet to be adopted, and we will continue to update you on any developments with respect to those proposals.

Lance Zinman also contributed to this article. 

©2023 Katten Muchin Rosenman LLP. National Law Review, Volume XII, Number 340

About the Authors

Vlad M. Bulkin, Katten Muchin Rosenman LLP, Washington, DC


Wendy E. Cohen, Katten Muchin Rosenman LLP


David Y. Dickstein, Katten Muchin Rosenman LLP


Richard D. Marshall, Katten Muchin Rosenman LLP, New York


Trisha Sircar, Katten Muchin Rosenman LLP, New York, NY
