Dechert Cyber Bits - Issue 8

Dechert LLP

SEC Proposes and Seeks Comments on New Cybersecurity Rules

At an open meeting on February 9, 2022, the Securities and Exchange Commission (“SEC”) voted three-to-one to propose new and amended rules regarding cybersecurity risk management, cyber incident reporting and cyber risk disclosure under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 (collectively, the “Proposal”). The Proposal applies to SEC-registered investment advisers (“RIAs”), SEC-registered investment companies (“RICs”) and closed-end funds that have elected to be treated as business development companies under the Investment Company Act (together with RICs, “registered funds”).

Specifically, the Proposal would: (i) require RIAs and registered funds (collectively, “Covered Entities”) to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks; (ii) require RIAs to report “significant cybersecurity incidents” to the SEC within 48 hours of discovery, including such incidents related to the adviser or registered funds or private funds that the adviser manages; (iii) create enhanced disclosure requirements for Covered Entities regarding cybersecurity risks and significant cybersecurity incidents, including new requirements to file an amended Form ADV or a prospectus supplement in the event of a significant cybersecurity incident; and (iv) require Covered Entities to maintain certain books and records related to cybersecurity.

The SEC is currently soliciting comments on the Proposal. Comments can be submitted on the SEC’s website until April 11, 2022 (or 30 days after publication in the Federal Register, if later). More details about the Proposal can be found in Dechert’s related OnPoint available here.

Takeaway: If adopted in its current form, the Proposal would be the most significant update to federal privacy law as applied to registered funds and RIAs in nearly 20 years and would have a substantial impact on the asset management industry. While existing SEC rules require Covered Entities to implement policies and procedures that address the privacy and security of an individual customer’s information, the components of the Proposal are much more prescriptive and apply not only to customer information, but also to Covered Entities’ information systems and cybersecurity practices more broadly. The 48-hour time period is also more aggressive than most current applicable laws and will present unique challenges. Time will tell whether the Proposal will remain fully intact following what is likely to be an active comment period.

_____________________________________________________

New Safeguards for Restricted Transfers of Personal Data from the UK

On February 2, 2022, data protection clauses issued by the Information Commissioner’s Office (“ICO”) for transfers of personal data from the United Kingdom (“UK”) to third countries were laid before the UK Parliament for approval. These documents include:

If no objections are raised, the IDTA and Addendum will enter into force on March 21, 2022. A document setting out certain transitional provisions regarding the use of the current standard contractual clauses was also laid before Parliament (as explained below).

The new IDTA and Addendum are intended to replace the legacy standard contractual clauses as safeguards for transfers of personal data from the UK to third countries, as well as onward transfers of such data (so-called “restricted transfers”). Although the European Commission adopted new EU standard contractual clauses (“EU SCCs”) in June 2021, data controllers located in the UK have still been relying on an older version of the EU SCCs for data transfers, as the new EU SCCs are not valid for restricted transfers subject to the UK GDPR (for more details, see our OnPoint).

Any contracts concluded on the basis of the old EU SCCs on or before September 21, 2022 shall remain an appropriate safeguard for restricted transfers until March 21, 2024. However, this extension applies only if: (i) the underlying processing operations remain unchanged; and (ii) the transfer of personal data is subject to appropriate safeguards. Thus, contracts regarding restricted transfers from the UK entered into after September 21, 2022, will need to be based on the IDTA or the Addendum (unless an exemption or alternative safeguard applies).

The ICO states that the Schrems II decision of the Court of Justice of the EU has been taken into consideration in drafting the IDTA and Addendum. However, it is to be noted that when using the IDTA or the Addendum, organizations must still carry out a transfer risk assessment.

Takeaway: The UK’s IDTA is in a different form and style to the EU SCCs, but for organizations operating across the UK and the European Economic Area, the Addendum designed to sit alongside EU SCCs is a pragmatic option that is likely to be widely adopted. The transitional period also gives organizations time to amend contracts that rely on the old SCCs. Businesses can start this process by auditing existing contractual arrangements and identifying any changes that will be necessary. For new contracts, from March 21, 2022, the UK’s new documentation should be the default for transfers that are restricted under the UK GDPR. Organizations can also expect further guidance from the ICO on the IDTA and the Addendum, as well as on transfer risk assessments and international transfers soon.

_____________________________________________________

DHS Announces New Cyber Safety Review Board to Investigate Significant Cybersecurity Events

On February 3, 2022, the Department of Homeland Security (“DHS”) announced the establishment of the Cyber Safety Review Board (“CSRB”), a public-private initiative that will be tasked with reviewing and assessing “significant cybersecurity events so that government, industry, and the broader security community can better protect our nation’s networks and infrastructure.”

The CSRB was originally announced in President Biden’s May 2021 Executive Order 14028: Improving the Nation's Cybersecurity, which was adopted in response to the SolarWinds attack.

The CSRB will be composed of 15 cybersecurity leaders from the government and private sectors. Robert Silvers, DHS Under Secretary for Policy, will serve as chair and Heather Adkins, Google’s senior director for security engineering, will serve as deputy chair. DHS’s Cybersecurity and Infrastructure Security Agency (“CISA”) will manage, support, and fund the CSRB and CISA Director Jen Easterly is responsible for appointing CSRB members, in consultation with the DHS Under Secretary for Policy, and for convening the CSRB following significant cybersecurity events.

The CSRB will not meet on a regular schedule but will be convened after “significant cybersecurity events,” defined under Presidential Policy Directive 41 (“PPD-41”) as “a cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” The CSRB’s first report will be delivered this summer and will focus on the Log4j software vulnerability discovered in December 2021. The report will include: (i) a review and assessment of vulnerabilities associated with Log4j, including “associated threat activity and known impacts;” (ii) recommendations on how to address ongoing vulnerabilities and threat activity; and (iii) recommendations on improving cybersecurity and incident response practices and policies based on “lessons learned.” “To the greatest extent possible,” the CSRB’s report will be shared publicly but in redacted form to preserve privacy and confidential information.

Takeaway: While the CSRB is not an enforcement agency, the recommendations identified in its reports will likely be seen as establishing market baselines for strong cybersecurity, and therefore relevant to all public and private sectors, and hopefully allow companies to identify gaps in existing cybersecurity measures and protect themselves better against increasingly sophisticated cyber threats. It is also another helpful step in the right direction for the U.S. government to work alongside “industry” in combatting the ever-increasing cybersecurity threat landscape, rather than the “blame the victim” mentality that has too often permeated the government response when American companies are hit by cyber criminals.

_____________________________________________________

Two U.S. Senators Accuse CIA of Collecting Americans’ Data in Bulk

Newly declassified documents, including a letter that was declassified in redacted form from two members of the U.S. Senate’s Intelligence Committee, raise concerns that the CIA has been collecting data about Americans in bulk outside of judicial or Congressional oversight. Beginning in 2015, the Privacy and Civil Liberties Oversight Board (“PCLOB”), an independent agency, began a review of counterterrorism-related activities by the NSA and CIA, culminating in two classified reports called Deep Dive I & II. Last April, shortly after the Deep Dive II report was provided to the Senate Intelligence Committee, two members of the Committee (Sens. Ron Wyden, D-OR, and Martin Heinrich, D-NM) sent a letter to Director of National Intelligence Avril Haines and Director of the CIA William J. Burns.

The publicly available version of the letter does not detail exactly what data the CIA is collecting, but it accuses the agency of employing a “bulk program” that contravened “Congress’s clear intent” expressed in numerous statutes “to limit and, in some cases, prohibit the warrantless collection of Americans’ records.” Rather than operating through an established statutory framework such as FISA, Senators Wyden and Heinrich allege the CIA has operated its program under the Reagan-era Executive Order 12333 “entirely outside the statutory framework that Congress and the public believe govern this collection, and without any of the judicial, Congressional, or even executive branch oversight that comes with FISA collection.” The letter urges the CIA to expedite the declassification review of the Deep Dive reports, arguing that the public deserves to know the legal framework for this data collection along with the sources and nature of the information collected and how it is maintained and used.

In a February 10, 2022 statement, the CIA said that it was releasing in redacted form the Deep Dive I report and the “Staff Recommendations” from Deep Dive II, but that the remainder of Deep Dive II “must remain classified in full to protect sensitive tradecraft methods and operational sources.” The same day, Senators Wyden and Heinrich released a statement expressing dissatisfaction with that decision and calling for greater transparency.

Takeaway: The nature of the data the CIA is collecting on Americans and how it is using it remain unknown, but Senators Wyden and Heinrich’s letter highlights concerns about bulk data collection by the U.S. intelligence community. In addition, the allegation that the U.S. is engaged in unregulated bulk data collection may cause concerns in the ongoing negotiations on the EU-U.S. Privacy Shield framework following the Schrems II decision, as it may be seen as confirming ongoing suspicion about the lack of adequate restraint on U.S. government surveillance practices in general and EU personal data transferred to the U.S. in particular.

_____________________________________________________

The European Data Protection Supervisor Recommends A Ban on Spyware Tools Like Pegasus

On February 15, 2022, the European Data Protection Supervisor (“EDPS”) issued “Preliminary Remarks on Modern Spyware” (the “Report”). The Report was prompted by revelations that the spyware known as Pegasus was used by governments for, among other purposes, spying on cell phones used by opposition political figures, journalists, and human rights activists. In the EDPS’ view, it is highly unlikely that the use of Pegasus and similar spyware is permissible under EU law due to its severe interference with the right to privacy and its potential to cause unprecedented risks and damage to fundamental rights and freedoms.

The EDPS’ concerns are based on the differences between Pegasus’ technology and the capabilities of interception tools more routinely used by law enforcement agencies. Pegasus was a “game-changer” because once installed, the technology allows complete and unrestricted access to the targeted device, and because Pegasus’ intrusion is essentially a “zero-click” attack, which means that no action by the device’s user is required to trigger the malware’s installation. In addition, the EDPS noted that Pegasus is “very difficult to detect,” and that its intrusions may be “very hard to prove” depending on the targeted device’s operating system. Because of these characteristics, the EDPS reasoned that “Pegasus should not be equated to ‘traditional’ law enforcement interception tools,” but should instead be viewed as “hacking tools, and not just means for (lawful) interception of communication.” Thus, when viewed in terms of its potential effects on the privacy of cell phone users and those with whom they communicate, the EDPS determined that Pegasus’ “interference with the right of privacy is so severe that the individual is in fact deprived of it,” and that “[A]llowing [the technology’s] use even under strict conditions would create a permanent and strong risk of massive security breaches for all users, comparable in a way with encryption backdoors.”

Consequently, the EDPS viewed “[A] ban on the development and the deployment of spyware with the capabilities of Pegasus,” as “the most effective option to protect our fundamental rights and freedoms” and found that the use of Pegasus was incompatible with the EU’s democratic values. To the extent such spyware tools may nevertheless be used in limited and exceptional cases – that is, “to prevent a very serious imminent threat” such as an imminent terrorist attack – the EDPS recommended a non-exhaustive list of measures intended to prevent unlawful usage, including strict implementation of the EU legal framework on data protection and ensuring that national security purposes are not used as an excuse for politically motivated surveillance.

Takeaway: The controversy surrounding Pegasus is a reminder of how innovation continues to challenge existing regulatory regimes and democratic values, as well as the tension between those values and highly sensitive law enforcement and national security interests. For the EU, these preliminary conclusions about the use of Pegasus and similar spyware are an additional component of the regulatory structure the EU is building to guide member states in their development and use of information and communications technology. The EDPS has concluded that deployment of technologies like Pegasus should be restricted to only the most critical situations and subject to significant safeguards.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising

Written by:

Dechert LLP