SEC seeks to enhance protection of customer information by updating Reg S-P

Customers must be notified about data breaches under new rules.

Proposed changes for Reg S-P will enhance the protection of customer information by requiring broker-dealers, investment companies, registered investment advisers, and transfer agents to notify individuals who have been affected by a data breach that may put them at risk of identity theft or other harm.

The proposal comes as part of a series of new updates released this week, which also include requirements to address cybersecurity risks and the modernization of Reg SCI, alongside the update to Reg S-P.

“Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” said SEC Chair Gary Gensler. “I think we should close this gap. Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves.”

Data breach

Today, Regulation S-P requires financial institutions to implement written policies and procedures for the protection of customer records and information (the “safeguards rule”), including the proper disposal of consumer report information (the “disposal rule”).

The proposed changes would update the rule’s requirements, originally adopted in 2000, to address the expanded use of technology and the corresponding risks.

The new proposal would require broker-dealers, investment companies, registered investment advisers, and transfer agents to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. It would also require most covered institutions to notify individuals whose sensitive data has been, or is likely to have been, accessed or used without authorization. The notification would have to be provided as soon as possible, and no later than 30 days after the breach.

Customer information

Other proposed amendments to Reg S-P include:

  • To broaden and align the scope of the safeguards rule and the disposal rule to cover the new term “customer information”. This change will extend the protections of both rules to nonpublic personal information that a financial body collects on its customers, and to nonpublic personal information that an institution receives about customers of other financial institutions;
  • To extend the scope of the safeguards rule and the disposal rule to include transfer agents registered with the SEC or another appropriate regulatory agency; and
  • To conform Regulation S-P’s existing provisions in relation to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015.