On March 15, 2023, the Securities and Exchange Commission (SEC) announced proposed changes to Regulation S-P (“Reg S-P”) that would impose new cybersecurity incident response requirements on broker-dealers, investment companies, registered investment advisers, and transfer agents (collectively, “covered institutions”). If adopted as proposed, the amendment to Reg S-P would also impose additional burdens on covered institutions when it comes to handling consumer data and information and contracting with service providers.
All five SEC commissioners supported the proposal to update Reg S-P, which was adopted in 2000 to protect the privacy of consumer financial information. Reg S-P contains, among other provisions, the “safeguards rule”—which requires brokers, dealers, investment companies, and registered investment advisers to adopt written policies and procedures to safeguard customer records and information—and the “disposal rule”—which requires proper disposal of consumer report information by covered institutions. The proposed amendment would update Reg S-P to address the changing risk landscape regarding cyber threats.
The proposed amendments to Reg S-P are the latest of many privacy and cybersecurity developments that financial institutions should be tracking. Companies in this space should be aware of a recent proposal in Congress to modernize the Gramm-Leach-Bliley Act, which, if passed, would require updated privacy practices (similar to what is required under some of the comprehensive privacy laws that have passed at the state level). Financial institutions that fall under the Federal Trade Commission’s jurisdiction should also be aware of the agency’s updates to the Safeguards Rule, which may also require companies to reevaluate their cybersecurity compliance practices.
We will continue to provide updates on major developments of federal privacy law and more. To stay updated with our writings on this topic, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.
The principal proposed changes are:

- Incident response program requirement. Covered institutions would be required to adopt a written incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The incident response plan would need to include procedures to assess the nature and scope of an incident and to contain and control such incidents.
- Incident notification requirement. If sensitive customer information was or is reasonably likely to have been accessed without authorization, covered institutions would be required to notify affected individuals as soon as practicable, but no later than 30 days after the institution becomes aware. However, a covered institution would not need to provide notice if the institution determines that the sensitive customer information was not actually and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.
- Applying safeguards and disposal rules to “customer information.” The proposed amendment would add the defined term “customer information”—a record containing nonpublic personal information—which would be covered by the safeguards and disposal rules. Thus, both rules would apply to nonpublic personal information that is collected by a covered institution about its own customers as well as information that a covered institution receives from another financial institution (i.e., an introducing broker or dealer) about that particular institution’s customers.
- Service providers. The incident response program must include policies and procedures requiring the covered institution to have a written contract with its service providers that requires the service providers to “take appropriate measures that are designed to protect against unauthorized access to or use of customer information” and also requiring notification no later than 48 hours after a service provider becomes aware of a breach in security “resulting in unauthorized access to a customer information system maintained by the service provider.”
- Recordkeeping requirement. Covered institutions would be required to maintain written records documenting compliance with the safeguards and disposal rules.
- Updating the annual privacy notice requirement language. The amendment would update Reg S-P to reflect that covered institutions are not required to deliver an annual privacy notice if certain conditions are satisfied. This exception to the annual privacy notice provision was added by the 2015 Fixing America’s Surface Transportation Act.
- Extending the safeguards and disposal rules’ coverage for transfer agents. The amendment would extend the safeguards rule to transfer agents registered with the Commission or another appropriate regulatory agency (as transfer agents obtain, share, and maintain personal information on behalf of securityholders who could be harmed by the unauthorized use of or access to such information), and would extend the disposal rule, which currently covers only transfer agents registered with the Commission, to transfer agents registered with another regulatory agency as well.
- Nexus between cybersecurity and identity theft. In numerous places throughout the proposed rule, the SEC articulates its view on the relationship between cybersecurity and identity theft prevention, which is addressed specifically by Regulation S-ID (“Reg S-ID”) (which the SEC has begun to enforce with greater vigor after charging three broker-dealers in July 2022, the first enforcement actions since 2018). For example, the SEC notes that customer information exposed via a security incident could be used “as part of an account takeover scheme” or to engage in “new account fraud by using compromised customer information to establish a brokerage account.” Additionally, the SEC explains that Social Security Numbers, “without any other information linked to the individual, would be sensitive because they have been used in ‘Social Security number-only’ or ‘synthetic’ identity theft.” Moreover, the SEC recognizes in the proposed rule that some covered institutions may be subject to both Reg S-P and Reg S-ID, noting that it is reasonable to expect Reg S-ID policies and procedures to incorporate red flags related to potential compromise of customer information “[a]s some compromise of customer information is generally a prerequisite for identity theft.”
Once the proposing release is published in the Federal Register, the public comment period will remain open for 60 days. With respect to compliance, the SEC proposes a compliance date twelve months after the effective date of any adoption of the proposed amendments.
In the meantime, current covered institutions and transfer agents should consider reviewing and revising their policies and procedures related to: (i) incident response (and may want to consider creating consumer notice plans); (ii) service provider onboarding (including required language for entering contracts with service providers); (iii) safeguards and disposal in the context of the newly defined “customer information”; and (iv) recordkeeping.
Even if the proposed amendments to Reg S-P undergo substantial revision after the comment period closes, the SEC’s 2023 Examination Priorities (announced on February 7th) indicate that cybersecurity will be a priority for the SEC. Covered institutions should accordingly consider reviewing their cybersecurity governance and incident response practices, as well as their more general compliance with Reg S-P and Reg S-ID (also included as a priority related to information security and operational resiliency) where applicable.