Data Dive

New York Law Journal published an article by Akin Gump white collar defense and government investigations partner Ian McGinley discussing United States v. Trovias. The high-profile case is a “first of its kind prosecution [in which] the Southern District of New York (SDNY) brought an insider trading case against Apostolos Trovias for selling inside information on the Dark Web.”

The U.S. Securities and Exchange Commission (SEC) in a 3-1 vote on Wednesday, March 9, 2022, proposed amendments to enhance and standardize disclosures regarding cybersecurity governance and incident reporting by public companies. Such amendments are intended to more effectively inform investors about a company’s risk management, strategy and governance relative to cyber issues and to provide timely notification of material cybersecurity incidents. 

The banking regulators of the Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of the Comptroller of Currency jointly announced a new rule requiring banking organizations in the United States to notify regulators no later than 36 hours after identifying a cybersecurity breach likely to materially disrupt banking operations. According to the final rule, such an incident could include large-scale distributed denial of service (DDoS) attacks that disrupt customers’ access to their accounts and hacking incidents that shut down a bank’s operations for an extended period. The final rule also places separate notification requirements on companies that provide services to banks, such as data processing companies.

The Federal Trade Commission (FTC) announced significant updates to the Safeguards Rule, using more detailed requirements to strengthen data security protections for consumer financial information.

Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), signaled a new era of cybersecurity law (and accompanying enforcement) in his keynote address “Cybersecurity and Securities Laws” on January 24, 2022, at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. Noting the ever-increasing risk of cyberattacks on the securities markets, Gensler identified new and expanded SEC initiatives and proposals to address those risks. The overall message was clear: under his direction, the SEC will seek to bolster data privacy and cybersecurity requirements, and to enhance its reporting and disclosure regime for cyber risks and cyber events.

Akin Gump published a client alert on the Department of Justice (DOJ) announcing twin programs focusing on monitoring contractor cybersecurity, and combating cryptocurrency used for illicit purposes. The announcement is part of the DOJ’s strategic cyber threat review, and follows a series of cyber incidents and subsequent federal efforts to shore up security among government agencies and contractors. To read the full alert, please click here.

Akin Gump published a client alert on the Securities and Exchange Commission announcing three enforcement actions against registered investment advisers for alleged cybersecurity failures involving cloud-based email systems. All three actions (which were settled) imposed six-figure penalties on the advisers, despite the Staff’s acknowledgement that none of the actions resulted in any unauthorized trades or fund transfers to unauthorized parties for any client accounts and despite the relatively small number of clients involved.

To read the full alert, please click here.