On March 15, 2023, the U.S. Securities and Exchange Commission
(“SEC”) issued proposals to amend Regulation S-P: Privacy of
Consumer Financial Information and Safeguarding Customer
Information (the “Proposed Amendments”), along with two additional
publications of interest,[1] and reopened the comment period for the
Cybersecurity Risk Management Rule previously proposed in February
2022.[2] The Proposed Amendments would apply to a broad population of
covered firms, including investment advisers. However, the Proposed
Amendments have already drawn criticism, most notably from
Commissioner Peirce in her accompanying statement,[3] due to the
likely burdens and costs of implementation, as well as the potential
for conflicts with existing state laws. Moreover, the Proposed
Amendments would create additional exam and enforcement risk where
disclosure of certain cyber events is deemed – after the fact – not
to have been prompt or accurate enough.
Background
Regulation S-P (“Reg. S-P”) requires, among other
things, covered firms to adopt written policies and procedures
designed to protect the personally identifiable information of such
firms’ natural person customers contained in its records (the
“Safeguards Rule”). Reg. S-P applies to SEC registered
investment advisers, investment companies, broker dealers and
transfer agents (“covered firms”);[4] it does not apply to
unregistered advisers (e.g., exempt reporting advisers) or private
funds relying on sections 3(c)(1) or 3(c)(7) under the Investment
Company Act.[5] Reg. S-P was adopted in 2000, before
widespread use of mobile devices, remote work and the
“cloud.” In the early years following Reg. S-P’s
adoption, compliance efforts often amounted to adopting policies
and procedures that were focused on the physical security of paper
files containing covered customer information (e.g., by requiring
the use of locked file cabinets). It has since evolved, however,
into a framework for the protection and safeguarding of covered
information largely stored electronically.
In recognition of the significant changes to business operations
and the extensive reliance on (and vulnerabilities posed by)
electronic storage and communications, the Proposed Amendments
would amend the Safeguards Rule to enhance required procedures by
mandating an incident response plan to address security breaches.
The Proposed Amendments would also expand the scope of information
and customers covered by these requirements. Additionally, if the
Proposed Amendments are adopted, the privacy notice requirement of
Reg. S-P would be simplified through the implementation of a 2015
legislative change, which limits the need for annual delivery of
the privacy notice in certain cases.
Adoption of an Incident Response Plan
The centerpiece of the Proposed Amendments is a new requirement
for covered firms to adopt a written incident response program
(“IRP”) as part of their written Reg. S-P policies that is
“reasonably designed to detect, respond to, and recover from
unauthorized access to or use of customer information.” IRPs
would be required to provide for:
Assessment of the scope and scale of a breach, including the
systems, customers and information accessed or used without
authorization;
Steps to contain and control further unauthorized access or
use; and
Notification protocols for those customers whose
“sensitive information” was, or was likely to have been,
involved in the breach.
The Proposed Amendments would also require covered firms to
enter into a written agreement with each service provider that
requires the service provider to (i) take appropriate measures to
safeguard customer information, and (ii) notify the covered firm in
the event of unauthorized access to a customer information system
maintained by the service provider (no later than 48 hours after
becoming aware of the breach). This would encompass a very broad
universe of service providers, including email, CRM system,
cloud-based and other technology vendors. As noted by Commissioner
Peirce, however, renegotiating existing contracts with service
providers may prove to be expensive and time consuming and may not
be feasible in all cases.[6]
Establishing a Federal Minimum Standard for Notification of an
Information Breach
Covered firms are currently subject to a patchwork of state
privacy laws across all 50 states, ranging in degree of compliance
burden depending on where they and their clients or investors are
located. The SEC intends to create a federal minimum standard for
notification requirements of covered firms that experience an
information breach. Such notification would be required where the
information breach is likely to result in “sensitive customer
information”[7] being used in a manner that would
result in substantial harm or inconvenience. The Proposed
Amendments call for the notification:
To be made to each affected individual or, if the specific
individual(s) is not ascertainable, all individuals for which the
covered firm possesses sensitive customer information;
To be made within 30 days of becoming aware of such
unauthorized access or use (with a limited 30-day extension for
matters of national security);[8]
To include the following: (i) a description of the incident in
general terms and information to have been accessed or used, (ii) a
description of any remedial action and preventative measures, (iii)
the date or estimated date of the incident, (iv) a point of contact
at the covered firm for the individual to inquire into the matter,
(v) a recommendation for the individual to review their account
statements (if applicable), (vi) an explanation of what a fraud
alert is and information to assist the individual in establishing a
fraud alert in their credit report, (vii) a recommendation that the
individual periodically obtain and review a credit report and have
any fraudulent transaction deleted, (viii) an explanation of how
the individual may obtain a free credit report, (ix) instructions
on how to obtain additional online guidance from the Federal Trade
Commission (“FTC”) and usa.gov, and (x) a statement
encouraging the individual to report incidents of identity theft to
the FTC.
While the Proposed Amendments are intended to establish a
minimum set of standards that would be consistent with (or at least
more stringent than) applicable state laws, and while the SEC
appears to have extensively reviewed state privacy laws in
connection with these proposals, the SEC has nevertheless requested
comments as to whether the Proposed Amendments would conflict with
any specific state laws.[9]
Annual Privacy Notice Requirements
Reg. S-P requires covered firms to deliver an annual privacy
notice to their customers. The Proposed Amendments would implement a
2015 legislative change, which created an exception to the annual
privacy notice requirements where the covered firm’s policies
and practices regarding customer information are unchanged.
Intersection with the SEC’s Investment Management
Cybersecurity Proposal
There is significant overlap between the Proposed Amendments and
the SEC’s Cybersecurity Proposal issued in February 2022,
applicable to registered investment advisers and other regulated
entities, which is summarized in our previous Client Alert. The Cybersecurity
Proposal requires the adoption of a cybersecurity incident response
program, which is similar to the incident response plan called for
by the Proposed Amendments. Additionally, the Cybersecurity
Proposal creates an obligation to report “significant
cybersecurity incidents” to the SEC. Under the Proposed
Amendments, an information breach that triggers mandatory customer
notification (within 30 days), would also amount to a significant
cybersecurity incident that triggers an SEC reporting requirement
(within 48 hours). The SEC acknowledges this overlap in the
Proposed Amendments and offers assurances that entities required to
comply with both rules, if adopted, would be able to avoid
duplicative efforts by adopting one set of policies or providing a
single notice, where applicable.
Intersection with the SEC’s Examination and Enforcement
Efforts
The SEC has long been focused on the risks that cybersecurity
incidents pose to covered firms and, by extension, to their
investors, clients and customers. That focus extends beyond
rulemaking and includes significant devotion of resources to
examination and enforcement. The Division of Examinations has made
information security and resilience an examination priority every
year since 2014, and it did so again in 2023.[10] Similarly, the
Division of Enforcement has repeatedly brought enforcement actions
in this area, including fourteen relating to cybersecurity controls
and safeguarding customer information since 2015,[11] pursuing these
actions through its dedicated Crypto Assets and Cyber Unit, which
recently almost doubled in size to fifty professionals.[12] In
addition to pursuing violations uncovered during the course of
routine compliance examinations, the Examinations and Enforcement
Divisions also proactively investigate potential violations of
which they become aware, either through whistleblowers or public
news reports of prominent security breaches, such as the late 2020
SolarWinds cyber breach.[13] SEC examination and enforcement
focus in this area can therefore be expected to continue – and
possibly even increase – creating more risk for firms as compliance
obligations expand.
Timing and Applicability
Comments are due within 60 days after the Proposed Amendments
are published in the Federal Register, which coincides with the
re-opening of the comment period for the Cybersecurity Proposal.
There would be a 12-month transition period if the Proposed
Amendments were to be adopted.
Footnotes
1. Cybersecurity Risk Management
Proposed Rule for Broker-Dealers, Clearing Agencies, Major
Security-Based Swap Participants, the Municipal Securities
Rulemaking Board, National Securities Associations, National
Securities Exchanges, Security-Based Swap Data Repositories,
Security-Based Swap Dealers, and Transfer Agents, Exchange Act
Release No. 34-97142 (Mar. 15, 2023) (“Exchange Act
Cybersecurity Proposal”), and Regulation Systems Compliance and
Integrity, Exchange Act Rel. No. 34-97143 (Mar. 15, 2023)
(“Regulation SCI Proposal”).
2. Cybersecurity Risk Management for
Investment Advisers, Registered Investment Companies, and Business
Development Companies, Securities Act Rel. No. 11028 (Feb. 9,
2022) (“Cybersecurity Proposal”).
3. Commissioner Hester M. Peirce,
Statement on Regulation S-P: Privacy of Consumer Financial
Information and Safeguarding Customer Information, March 15,
2023 (“Peirce Statement”).
4. The
Proposed Amendments define “covered institution” as
“any broker or dealer, any investment company and any
investment adviser or transfer agent registered with the Commission
or another appropriate regulatory agency (“ARA”) as
defined in Section 3(a)(34)(B) of the Securities Exchange Act of
1934.” Rule 248.30(e)(3).
5. Exempt
reporting advisers and private funds are subject to the Consumer
Financial Protection Bureau’s Regulation P, 12 CFR Part 1016,
and the Federal Trade Commission’s Standards for Safeguarding
Customer Information, 16 CFR Part 314.
6. Peirce
Statement (“How much will it cost to renegotiate all of those
contracts? Will it even be possible to do so? What happens to a
covered institution whose service provider chooses not to play
ball?”).
7. The
Proposed Amendments add the new term “sensitive customer
information,” and define it as customer information that
could create a substantial harm or inconvenience in the event of an
information breach. Sensitive customer information would include,
for example, a customer’s: social security number; official
State or government issued driver’s license or identification
number; alien registration number; government passport number;
employer or taxpayer identification number; a biometric record; a
unique electronic identification number; address; or routing
code.
8.
Notably, the Proposed Amendments do not provide for exceptions
where delay is needed for other law enforcement-related reasons
beyond national security. However, the SEC has requested comments
as to whether to include such exceptions. Proposed Amendments,
request for comment 56 at p. 63. See also Peirce Statement
(“While I support customer notification, the rule should
include a law enforcement exception permitting covered institutions
to delay alerting customers about an unauthorized incursion when
there is a valid law enforcement or national security need for
doing so. We are making the small concession of allowing the
Attorney General to obtain a delay of up to 30 days, if he can cite
a substantial risk to national security in
writing.”).
9.
Proposed Amendments, request for comment 34 at p. 46. See also
Peirce Statement (“What is a firm that finds itself pinched
between competing state and federal notification rules supposed to
do? Rather than preempting or deferring to state law, we dance
around the problem we are creating and provide no workable strategy
for firms to manage the conflict.”).
10. SEC Examination Division, 2023 Examination Priorities, pp. 13-14.
11. SEC Website, Crypto Assets and Cyber Enforcement Actions – Regulated Entities – Cyber Security Controls and Protection of Customer Information.
12. SEC Press Release, SEC Nearly Doubles Size of Enforcement Crypto Asset and Cyber Unit, May 3, 2022.
13. Reuters, US SEC, Investigating SolarWinds Client Cyber Breach Disclosure – Source, June 22, 2021.
The SEC is reviewing Regulation S-P after 20 years of information technology innovation.
