1. Compliance and Regulations
- Ensure adherence to SEC regulations with appropriate privacy and cybersecurity policies tailored to SEC requirements.
- Stay current on SEC-proposed cybersecurity and data privacy rules and risk alerts to help ensure policy alignment with the SEC’s expectations for registered funds and advisers.
- Incorporate state-specific regulations related to data protection and cybersecurity (e.g., California Consumer Privacy Act and Texas Data Privacy and Security Act) into company privacy and cybersecurity policies.
- Policies and procedures should encompass risk assessment, incident response, and data breach notification procedures. This includes planning for legal obligations to provide notice of reportable breaches to regulators and investors.
- Ensure compliance with the General Data Protection Regulation (GDPR) when dealing with investors who are European residents.
2. Contract Drafting and Revision
- Review client agreements, subscription documents, and investor disclosures to ensure compliance with privacy laws and cybersecurity best practices.
3. Vendor Risk Management
- Assess each vendor’s security practices and protocols for handling personally identifiable information.
- Add Service Provider[1] statutory obligations required by state consumer data privacy laws, together with cybersecurity controls, into applicable agreements.
- Conduct due diligence on third-party Service Providers to ensure they adhere to cybersecurity best practices and regulatory requirements.
4. Regular Compliance Reviews
- Conduct regular reviews and audits of cybersecurity policies, procedures, and controls, at least annually, to ensure ongoing compliance with SEC regulations and best practices.
5. Regulatory Examination Preparation
- Ensure preparedness for SEC examinations related to cybersecurity practices, including documentation readiness and compliance audits.
6. AI and Legal Tech Risk Assessment
- Counseling and policy/contract drafting and review.
- Gap/vulnerability assessment for each type of AI usage (product-facing vs. customer-facing).
- AI responsible use policy.
[1] A “service provider” means a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose. Calif. Civil Code, Section 178.140 (ag).