SEC Proposes Robust Amendments to Regulation S-P
Introduction
At an open meeting on March 15, 2023, the U.S. Securities and Exchange Commission voted unanimously to propose rule amendments to Regulation S-P (Proposed Rule) and published an accompanying release (Release).[1] The Proposed Rule would apply to investment advisers registered with the SEC, broker-dealers and investment companies (collectively, Covered Institutions). Certain provisions also would apply to transfer agents. If adopted, the Proposed Rule would represent the first comprehensive update to Regulation S-P since it was adopted in 2000.[2]
The Proposed Rule has five primary components:
- First, it would amend the Safeguards Rule to require Covered Institutions and transfer agents to implement a written incident response program designed to detect, respond to and recover from unauthorized access to or use of customer information. As part of the incident response program, the Proposed Rule would also require such entities to notify affected individuals of certain data security incidents involving “sensitive customer information,” thereby creating what the SEC has characterized as a “federal minimum standard” for data breach reporting by Covered Institutions.
- Second, the Proposed Rule would adjust the scope of Regulation S-P’s “Safeguards Rule” and “Disposal Rule” by applying each to all “customer information”—a newly defined term—and requiring Covered Institutions (other than notice-registered broker-dealers) and transfer agents to adopt written policies and procedures to properly dispose of “customer information” and “consumer information.”
- Third, the Proposed Rule would expand the categories of customer information that would be subject to the safeguards requirements of Regulation S-P by requiring entities to appropriately safeguard customer information received from other financial institutions, as well as their own customers’ information.
- Fourth, the Proposed Rule would impose new recordkeeping obligations on Covered Institutions and transfer agents to align with the new requirements under the Proposed Rule.
- Finally, the Proposed Rule would align the text of Regulation S-P with certain 2015 amendments to the Gramm-Leach-Bliley Act (GLBA) contained in the Fixing America’s Surface Transportation Act (FAST Act), which permits certain Covered Institutions to forego delivering an annual privacy notice if specific conditions have been met.
This is not the only cybersecurity and data privacy proposal on the SEC’s busy rulemaking agenda. At the same open meeting on March 15, 2023, the SEC voted to propose a cybersecurity risk management rule for various market entities, including broker-dealers and transfer agents (Market Entity Cyber Proposal).[3] There is overlap between the Proposed Rule and the Market Entity Cyber Proposal, particularly with respect to requirements for broker-dealers and transfer agents. Further, the Proposed Rule comes on the heels of the SEC’s February 2022 cybersecurity risk management rule proposal (2022 Cyber Risk Management Rule Proposal), which proposed new and amended rules regarding cybersecurity risk management, cyber incident reporting and cyber risk disclosure for SEC-registered investment advisers, SEC-registered investment companies and closed-end funds that have elected to be treated as business development companies under the Investment Company Act of 1940.[4] As discussed in additional detail below, it remains to be seen how the SEC will harmonize the often overlapping requirements of these various rule proposals.
Comments on the Proposed Rule and the Market Entity Cyber Proposal are due on or before June 5, 2023. Notably, the SEC has also re-opened the comment period for the 2022 Cyber Risk Management Rule Proposal, and comments are due on or before May 22, 2023.[5]
This Dechert OnPoint summarizes the main elements of the Proposed Rule and identifies key takeaways.
Background
Regulation S-P currently requires investment companies (including certain types of investment companies that are not registered with the SEC), SEC-registered investment advisers and broker-dealers to: (i) deliver initial and annual privacy notices to individual consumers and customers; (ii) adopt written policies and procedures to (a) ensure the security and confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of such records; and (c) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer (Safeguards Rule). Regulation S-P also requires such entities, as well as transfer agents registered with the SEC, to properly dispose of “consumer report information” (Disposal Rule).[6]
Incident Response Program Requirements for Covered Institutions
The Proposed Rule would amend the Safeguards Rule to require Covered Institutions to adopt a written incident response program consisting of policies and procedures “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information” (such an event is referred to as an “incident” in the Proposed Rule) and procedures for notifying individuals following certain incidents (Incident Response Program). The Incident Response Program requirement is general, and the Proposed Rule does not prescribe specific steps that Covered Institutions must take. However, the Release makes clear that Covered Institutions must “tailor their policies and procedures to their individual facts and circumstances.” Specifically, the Proposed Rule makes clear that an Incident Response Program would need to include policies and procedures designed to:
- Assess the nature and scope of any incident involving the unauthorized access to or use of customer information.
- Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information.
- Identify customer information systems and types of customer information that may have been accessed or used without authorization.
- Notify affected individuals whose “sensitive customer information” was, or is reasonably likely to have been, accessed or used without authorization, subject to the “risk of harm” exception discussed below.
The SEC noted in the Release that Covered Institutions should take steps to ensure the continuing effectiveness of their Incident Response Programs. For instance, the Release provides that assessment procedures and control procedures should be evaluated and revised periodically to ensure that they remain reasonably designed to accomplish the Covered Institution’s security goals.
The Proposed Rule would also require Covered Institutions to include as part of their Incident Response Programs written policies and procedures that address the risk of harm posed by security compromises affecting a “service provider.”[7] Covered Institutions would be required to have certain specified provisions in their written contracts with service providers. For example, service provider contracts would be required to specify that the service provider take appropriate measures that are designed to protect against unauthorized access to or use of customer information[8] and notify the Covered Institution “as soon as possible,” but in any event within 48 hours, upon becoming aware of any breach of security resulting in unauthorized access to a “customer information system”[9] maintained by the service provider.
Related Request for Comment
The SEC is requesting comment on the proposed requirements for an Incident Response Program, including regarding: (i) the appropriateness of the proposed Incident Response Program elements; (ii) whether the rule should prescribe more specific steps for the Incident Response Program within the framework of the procedures; (iii) best practices with respect to the types of measures that can be implemented as part of an Incident Response Program; (iv) whether an Incident Response Program should set forth a specific timeframe for implementing incident response activities; (v) whether the Incident Response Program should be more expansive in scope, so that it would cover additional activity beyond the unauthorized access to or use of customer information; (vi) the definition of service provider; and (vii) the extent to which Covered Institutions already have written policies and procedures that contractually require service providers to take appropriate measures to protect against unauthorized access to or use of customer information.
Data Breach Notification Requirements for Covered Institutions
One of the most notable aspects of the Proposed Rule is the proposed creation of a federal data breach reporting standard for Covered Institutions. Covered Institutions would be required to notify customers whose “sensitive customer information” was, or is reasonably likely to have been, accessed or used without authorization. The Proposed Rule’s notification standard would include a “risk of harm” component, making clear that a Covered Institution would not need to provide notice to individuals if, after a reasonable investigation, it determines that the individuals’ “sensitive customer information” has not been, and is not reasonably likely to be, “used in a manner that would result in substantial harm or inconvenience.” “Sensitive customer information” is defined broadly to mean “any component of customer information alone or in conjunction with any other information, the compromise of which would create a reasonably likely risk of substantial harm or inconvenience[10] to an individual identified with the information.” The SEC recognizes that all 50 states have data breach notification laws; however, the Release states that “those laws are not consistent and exclude some entities from certain requirements.” The Release goes on to note that “a Federal minimum standard” would ensure that disclosures regarding breaches of sensitive customer information are provided to all affected individuals regardless of state residency.
With respect to timing, the Proposed Rule would require Covered Institutions to provide notice to affected customers as soon as practicable, but not later than 30 days, from the date an “incident” occurred or is reasonably likely to have occurred.[11] Notice would need to be provided in a “clear and conspicuous” manner and communicated in a way that is designed to ensure that each affected individual could reasonably be expected to receive it. In addition, the notice would need to include certain disclosures, such as: (i) a description of the incident and the sensitive customer information impacted; (ii) if possible, the date, estimated date, or date range during which the incident occurred; (iii) a recommendation to obtain credit reports and information about how to do so free of charge; and (iv) an explanation of what a “fraud alert” is and how an individual may place a fraud alert in credit reports. Covered Institutions would be permitted to contractually require service providers to provide notifications, though the Covered Institution would remain responsible for any failure to provide notice.
Related Request for Comment
The SEC is requesting comment on the data breach notification requirements, including regarding: (i) whether the SEC should provide additional examples for consideration in assessing the nature and scope of an “incident;” (ii) whether it should modify the definition of or provide additional examples of “sensitive customer information;” (iii) the definition of “substantial harm or inconvenience;” (iv) the proposed timing requirements for notices; and (v) the information proposed to be included in notifications to individuals.
Expanded Scope of Safeguards Rule and Disposal Rule
New Definition of Customer Information
The current Safeguards Rule requires the safeguarding of “customer records and information,” a term that is not currently defined. The current Disposal Rule requires that covered entities adopt written policies and procedures to address the proper disposal of “consumer report information.” Due to the different terms used, the Safeguards Rule and Disposal Rule do not currently apply to the same information.
The Proposed Rule aims to eliminate this gap by using a new defined term: “customer information.” When applied to Covered Institutions that are not transfer agents, the term “customer information” would mean “any record containing nonpublic personal information” regarding “a customer of a financial institution, whether in paper, electronic or other form, that is handled or maintained by the covered institution or on its behalf.” When applied to Covered Institutions that are transfer agents, “customer information” would mean information of any natural person who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent. Under the Proposed Rule, the Safeguards Rule would apply to all “customer information” and the Disposal Rule would apply to both “consumer information”[12] as well as “customer information.”
Written Policies and Procedures
The Proposed Rule would modify the Disposal Rule to require the adoption of written policies and procedures related to the proper disposal of customer information and consumer report information.
When Nonpublic Personal Information Must Be Protected
Another notable aspect of the Proposed Rule is its proposed expansion of the circumstances under which Covered Institutions would be required to safeguard and properly dispose of “nonpublic personal information.” Currently, covered entities are only required to protect their own consumers’ nonpublic personal information. Under the Proposed Rule, the Safeguards Rule and Disposal Rule would apply to all customer information in the possession of a Covered Institution, and all consumer information that a Covered Institution maintains or otherwise possesses for a business purpose, regardless of whether such information pertains to individuals with whom the Covered Institution has a customer relationship or to customers of other financial institutions whose information has been provided to the Covered Institution.
Related Request for Comment
The SEC is requesting comment on the expanded scope of the nonpublic personal information to be protected under Regulation S-P, including: (i) whether the Proposed Rule would result in Covered Institutions treating all nonpublic personal information about individuals (and not just information about individuals who are its customers) as subject to the Safeguards Rule and Disposal Rule; and (ii) whether employees’ nonpublic personal information should be protected under the Safeguards Rule.
Recordkeeping Requirements
The Proposed Rule’s amendments to the Safeguards and Disposal Rules require Covered Institutions to make and maintain written records documenting compliance with the requirements of both rules. Covered Institutions would also be required to make and maintain written records documenting, among other things: (i) their assessments of the nature and scope of any “incidents” involving unauthorized access to or use of customer information; (ii) steps taken to contain and control such “incidents” to prevent future unauthorized access to or use of customer information; and (iii) notifications to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
Recordkeeping requirements would vary by Covered Institution. However, the recordkeeping retention requirements would remain consistent with existing recordkeeping rules: broker-dealers and transfer agents would be required to preserve the records for a period of not less than three years; investment companies registered under the Investment Company Act and unregistered investment companies would be required to preserve the records for a period of not less than six years; and SEC-registered investment advisers would be required to preserve the records for five years. All applicable records would be required to be preserved in an easily accessible place.
Related Request for Comment
The SEC is requesting comment on the proposed recordkeeping requirements, including regarding: (i) whether the records the SEC proposes to require are appropriate; and (ii) whether the proposed periods of time for preserving records are appropriate, or whether certain records should be preserved for different periods of time.
Annual Privacy Notice Delivery Requirement
As discussed in our previous Dechert OnPoint, Congress amended the GLBA in 2015 to enable financial institutions to forego providing their customers with an annual privacy notice under certain circumstances (Amendment).[13] The Amendment made clear that if a financial institution does not share nonpublic personal information outside the permitted exceptions to the GLBA and has not changed its policies and procedures with respect to how it shares nonpublic personal information from the policies and practices disclosed in its most recent privacy notice, it is not required to send a privacy notice to its customers annually. The SEC is proposing amendments to Regulation S-P to align with the Amendment. The Proposed Rule would also clarify the circumstances under which a Covered Institution would be required to resume delivering an annual privacy notice to customers and the technical requirements around such delivery.
Applicability to Transfer Agents
The Proposed Rule would expand the categories of transfer agents that have obligations under Regulation S-P. The Safeguards Rule currently does not apply to any transfer agents, and the Disposal Rule currently only applies to transfer agents that are registered with the SEC. Under the Proposed Rule, all transfer agents registered with the SEC or another appropriate regulatory agency[14] would be subject to the Safeguards Rule, Incident Response Program requirements and new recordkeeping requirements. In addition, all transfer agents (not just those registered with the SEC) would be required to comply with the amended Disposal Rule.
Key Takeaways
Time will tell whether the Proposed Rule will remain fully intact following what is likely to be an active comment period. It is critical that stakeholders provide their views to the SEC during the public comment period. Covered Institutions submitting comments should focus particular attention on the following key takeaways:
- There Is Considerable Overlap Between the Proposed Rule and (i) the Proposed 2022 Cybersecurity Risk Management Rules for SEC Registered Advisers and Funds, and (ii) the Market Entity Cyber Proposal. The Release notes that the SEC has proposed other cybersecurity-focused rules affecting the asset management industry and discusses the differences and similarities between the various proposals. The Release notes that the Proposed Rule is limited to protecting a certain type of information — records related to individuals, i.e., customer records and consumer report information — whereas the Market Entity Cyber Proposal would require market participants to maintain cybersecurity risk policies and procedures that cover information and systems beyond consumer information. The Release also notes that there are similar policies and procedures requirements under both the Proposed Rule and the 2022 Cyber Risk Management Rule Proposal. For example, both sets of proposed rules would require policies and procedures related to security incidents, and each also addresses service provider oversight. Under these overlapping proposals, the same data breach could potentially require entities to make disclosures to the public and the SEC under both the 2022 Cyber Risk Management Rule Proposal and the Market Entity Cyber Proposal, as well as to affected individuals under the Proposed Rule. The Release notes that the SEC believes that duplicative compliance efforts can be avoided by developing a single set of policies and procedures that addresses the requirements of each of the proposals. We expect that there will be considerable industry comment around the feasibility of this approach and whether the various proposals strike the right balance with respect to creating a workable cybersecurity framework.
- The Notification Standard in the Proposed Rule Differs from the Reporting Standard in the 2022 Cyber Risk Management Rule Proposal. Standards for what constitutes a reportable breach differ across the SEC’s various active cybersecurity proposals. Although the Proposed Rule focuses on breaches involving customer information and notifications to individuals, and the 2022 Cyber Risk Management Rule Proposal covers reporting of “significant cybersecurity events” to the SEC and the public, the combination could result in impacted institutions navigating multiple federal reporting regimes under extremely tight timeframes.
- The New Definition of “Customer Information” May Not Have Significant Impact. Because Regulation S-P has not previously defined “customer records and information” in the Safeguards Rule, many Covered Institutions have, in practice, treated it as covering “nonpublic personal information” as defined in Regulation S-P. Many financial institutions have also historically protected “consumer report information,” and not solely limited their protection of such information to the Disposal Rule. As a result, the new definition of “customer information” may not, alone, result in significant changes to the scope of Covered Institutions’ information security programs.
- The Federal Minimum Standard for Breach Notifications May Conflict With Some State Laws. The Proposed Rule’s individual customer notification requirement may come as a surprise, but the fact that it allows for a “risk of harm” analysis will be welcomed. Unfortunately, many state breach notification laws do not incorporate a risk of harm analysis. The Proposed Rule’s definition of “sensitive customer information” may also be broader than many states’ definition of “personally identifiable information.” In practice, this would mean that rather than creating a streamlined reporting standard, Covered Institutions would need to analyze their reporting requirements under state laws, as well as their requirements under federal law. In addition, the 30-day notification rule would create confusion and introduce yet another timeline into the mix for companies already dealing with a patchwork of state data breach notification laws. This would further complicate the notice process for companies and consumers alike.
- Compliance with the Proposed Notification Requirements Appears to Mean Consumers May Receive Multiple Notices About a Single Data Breach. Under state breach notification laws, the data owner with the direct customer relationship typically is the entity that is required to notify individuals. Data licensors, or service providers that act solely on behalf of the primary entity, are merely required to notify the entity of the data breach that impacted, or may have impacted, the entity’s customers. The SEC appears to recognize this framework in the Proposed Rule, as Covered Institutions would need to contractually require their service providers to notify them within 48 hours in the event of any breach of security resulting in unauthorized access to a customer information system maintained by the service provider. However, the Proposed Rule also extends the incident response program requirements, including the requirement to notify individuals, to transfer agents. Covered Institutions are also responsible for safeguarding their own customers’ information, as well as customer information other financial institutions have provided to them. As a result, under the Proposed Rule, it appears that individuals may receive multiple notices from different Covered Institutions about a single data breach. We expect Covered Institutions to push back on this concept and make clear they are best positioned to determine whether notification to their customers is appropriate.
- Expansion of the Safeguards Rule to Transfer Agents Is Significant. Advisers and funds are often in the business of renegotiating agreements with service providers, such as fund administrators and transfer agents, to account for fast-shifting privacy and data security requirements and norms. As such, advisers and funds will likely welcome transfer agents being subject to the same safeguard requirements as funds and advisers, and to those requirements being enforceable by the SEC and not simply required as a result of private contractual obligations.[15]
- The Annual Notice Delivery Exception Is Largely a Technical Revision. Many Covered Institutions have been relying on the FAST Act Amendments to the GLBA and, beginning in 2016, have foregone delivering an annual privacy notice to customers when they meet the applicable requirements (which is often the case). Covered Institutions are still likely to be pleased with the technical revisions to align Regulation S-P with the GLBA but will want to give careful consideration to whether the Proposed Rule’s new requirements for restarting annual delivery are workable.
Footnotes
1) Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Release Nos. 34-97141; IA-6262; IC-34854 (Mar. 15, 2023).
2) The SEC previously proposed amendments to Regulation S-P in 2008 but did not ultimately adopt them. Regulation S-P was, however, revised in 2004 pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), when the SEC adopted the Disposal Rule (applicable to Covered Institutions and transfer agents registered with the SEC) and required Covered Institutions to adopt written policies and procedures to safeguard customer records and information.
3) Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Release No. 34-97142 (Mar. 15, 2023).
4) Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release Nos. 33-11028; 34-94197; IA-5956; IC-34497 (Feb. 9, 2022). For additional information regarding the 2022 Cyber Risk Management Rule Proposal, please refer to Dechert OnPoint, SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds.
5) See Securities and Exchange Commission, SEC Reopens Comment Period for Proposed Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds, 2023-54 (Mar. 15, 2023).
6) Currently, “consumer report information” means “any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report.” “Consumer report” is defined by reference to the definition in the Fair Credit Reporting Act.
7) The Proposed Rule defines a “service provider” as “any person or entity that is a third party and receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a Covered Institution.” Under the Proposed Rule, the term would expressly include “affiliates” of Covered Institutions.
8) Note that this “take appropriate measures” standard regarding service provider cybersecurity is less prescriptive than the service provider requirements of the 2022 Cyber Risk Management Rule Proposal, which would require that service providers agree by contract to comply with certain technical requirements of proposed Rule 38a-2. Several commenters criticized this aspect of the 2022 Cyber Risk Management Rule Proposal as impractical and unworkable, particularly in the cloud hosting and SaaS space.
9) The term “customer information systems” would mean “the information resources owned or used by a covered institution, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of customer information to maintain or support the covered institution’s operations.”
10) “Substantial harm or inconvenience” would mean “personal injury, or financial loss, expenditure of effort or loss of time that is more than trivial.”
11) This timeframe could be modified in the event that the Attorney General of the United States provides written notice to the Covered Institution that the notice would pose a substantial threat to national security.
12) Under the Proposed Rule, “consumer information” would be defined to have a meaning consistent with the term “consumer report information” under the current rule.
13) Dechert OnPoint, Congress Eliminates Annual Privacy Notice for Certain Financial Institutions.
14) The term “transfer agent” would be defined to have the same meaning as in section 3(a)(25) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).
15) In responding to the SEC’s 2022 Cyber Risk Management Rule Proposal, some commenters expressed confusion as to why it did not cover transfer agents. Notably, the SEC’s Market Entity Cyber Proposal does cover transfer agents.