1. Compliance and Regulations
- Ensure adherence to SEC regulations with appropriate privacy and cybersecurity policies tailored to SEC requirements.
- Stay current on SEC-proposed cybersecurity and data privacy rules and risk alerts to help ensure policy alignment with the SEC’s expectations for registered funds and advisers.
- Incorporate state-specific regulations related to data protection and cybersecurity (e.g., California Consumer Privacy Act and Texas Data Privacy and Security Act) into company privacy and cybersecurity policies.
- Policies and procedures should encompass risk assessment, incident response, and data breach notification procedures. This includes planning for legal obligations to provide notice of reportable breaches to regulators and investors.
- Implement compliance with the General Data Protection Regulation (GDPR) if dealing with investors who are European residents.
2. Contract Drafting and Revision
- Review client agreements, subscription documents, and investor disclosures to ensure compliance with privacy laws and cybersecurity best practices.
3. Vendor Risk Management
- Assess each vendor’s security practices and protocols for handling personally identifiable information.
- Add the Service Provider[1] statutory obligations required by state consumer data privacy laws, along with cybersecurity controls, to applicable agreements.
- Conduct due diligence on third-party Service Providers to ensure they adhere to cybersecurity best practices and regulatory requirements.
4. Regular Compliance Reviews
- Conduct regular reviews and audits of cybersecurity policies, procedures, and controls, at least annually, to ensure ongoing compliance with SEC regulations and best practices.
5. Regulatory Examination Preparation
- Ensure preparedness for SEC examinations related to cybersecurity practices, including documentation readiness and compliance audits.
6. AI and Legal Tech Risk Assessment
- Counseling and policy/contract drafting and review.
- Gap/vulnerability assessment for each type of AI usage (product-facing v. customer-facing).
- AI responsible use policy.
Contact:
Elizabeth Rogers
CIPP/US Certification Data Privacy & Cybersecurity
512.370.2834
erogers@winstead.com
[1] A “service provider” means a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose. Calif. Civil Code, Section 178.140 (ag).
Disclaimer: Content contained within this blog post provides information on general legal issues and is not intended to provide advice on any specific legal matter or factual situation. This information is not intended to create, and receipt of it does not constitute a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel.