The SEC has unanimously voted to adopt significant cybersecurity amendments to Regulation S-P that largely adopt the proposed amendments the agency issued last year. Reg S-P is shorthand for the SEC’s Privacy of Consumer Financial Information and Safeguarding Personal Information rule.
The amendments represent a substantial expansion of the protections available to the customers of institutional securities market participants under US securities law.
The final rule establishes a new federal minimum standard for data breach notification at such firms, expands the definition of “customer information,” requires the adoption of policies and procedures for incident response and service provider oversight, and imposes new recordkeeping obligations.
Firms will have either 18 or 24 months, depending on their size, from the date of publication in the Federal Register to come into compliance. Covered institutions under the rule include broker-dealers (including crowdfunding portals), investment companies, transfer agents and registered investment advisers.
Reg S-P requirements
The finalized amendments to Reg S-P include significant requirements related to:
- Incident Response Programs: They must include an assessment of the nature and scope of any incident; the steps to contain and control an incident to prevent further unauthorized access; and processes to notify each individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
- Thirty-Day Customer Notifications of Data Breaches: This analysis turns on whether sensitive customer information (such as Social Security Numbers) has been, or is reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
- Service Provider Oversight: Policies and procedures must be reasonably designed to ensure service providers take appropriate measures to protect against unauthorized access to or use of customer information and provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.
- Scope of the Safeguards and Disposal Rules: The definition of customer information now includes “information in the possession of a covered institution or information that is handled or maintained by the covered institution or on its behalf.”
- Recordkeeping Requirements: While the books and records that each type of covered institution is required to keep under amended Reg S-P are the same, the retention period varies based on the type of institution and tracks the existing required retention periods for each type of entity.
- Annual Privacy Notice Requirement Exception: To qualify for the new exception, a covered firm must only provide non-public personal information to non-affiliated third parties when an exception to third-party opt-out applies, and must not have changed its policies and practices with regard to disclosing non-public personal information from its most recent disclosure sent to customers.
Statements from commissioners
SEC Chair Gary Gensler highlighted why this rule update is so needed right now.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially. Complaints about identity theft have more than doubled in just the four years from 2018 to 2022, per the FBI’s Internet Crime Complaint Center,” he said.
“Investors would benefit from a financial privacy rule more modern than the AOL era. Though the current rule requires covered firms to notify customers about how they use their nonpublic personal information, these firms have no requirement to notify customers about breaches. I think we should close this gap,” he added.
SEC Commissioner Hester Peirce, who voted in support of the amendments, expressed concern with the breadth of the new rules, saying they could force firms to send so many breach notices that customers would simply ignore them. “How does your behavior change if you start getting a notice every few months? Or every month? Or every week? What if you get notifications from multiple entities related to the same breach?” she wondered.
Commissioner Mark Uyeda pointed out the changes to the proposed rule that he felt made it easier for firms to comply, particularly the updated rule’s use of the Gramm-Leach-Bliley Act’s (GLBA) “substantial harm or inconvenience” standard. He said this was an improvement over the proposal’s overly complex one, an ill-defined “more than trivial” standard, that he said appeared to be at odds in certain respects with the GLBA.
Compliance considerations
Businesses should consider reviewing and updating their policies and procedures to be ready for these compliance dates, particularly to account for the expanded definition of “customer information,” updates to what must be in an incident response program, and updates to vendor risk management policies and procedures.
The firms covered by the amended rule already have notification obligations under other federal and state regulations, and these new obligations under Reg S-P must fit into those existing notification processes and timing mandates. This is tricky, as it likely entails an audit review of emails and delivered files to ensure the notifications were properly delivered, which could require outside resources.
(In keeping with the above, last year, the SEC adopted final rules that require public companies to disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. They took effect in late December.)
The service provider obligations also deserve special attention. Firms should consider reviewing existing contracts to provide for sufficient oversight by the compliance team, and standard contract provisions may need to be updated so that oversight of new service providers going forward suits the parameters of the updated rule.
The books and records provisions in the amended rule mean that retention schedules likely need to be updated accordingly as well.