On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed amendments (the “Proposal”) to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by broker-dealers, registered investment advisers, registered investment companies, and transfer agents. The Proposal would broaden the existing “safeguards” and “disposal” rules under Regulation S-P, and would require the entities to adopt “incident response programs.”
The Proposal was announced simultaneously with two additional cybersecurity-related proposals that affect regulated entities other than registered investment advisers: (i) proposed amendments to Regulation SCI, which applies to entities the SEC has deemed important to the infrastructure of the U.S. securities markets; and (ii) a new Proposed Rule 10, which would impose certain notification requirements on a wide array of market participants in the event of significant cybersecurity incidents. We discuss these proposals further in a separate Alert Memorandum.
Applicability to Various Types of Entities
Current Regulation S-P has two main components: (i) the “safeguards rule,” which requires entities to adopt written policies and procedures to safeguard “customer records and information;” and (ii) the “disposal rule,” which requires entities to dispose of “consumer report information.” The safeguards rule and disposal rule both apply in full to broker-dealers, registered investment companies, and registered investment advisers, while only the disposal rule applies to transfer agents.
The Proposal would amend the safeguards and disposal rules to broaden the information covered under both rules, and to apply both rules to transfer agents. In addition to changes to existing rules, the Proposal’s new requirements—the “incident response program” and the “customer notification requirement”—would apply to SEC-registered broker-dealers, registered investment companies, registered investment advisers and transfer agents (collectively, “Covered Institutions”), but not to Exempt Reporting Advisers (“ERAs”). Taken together, these changes would “establish a Federal minimum standard” for how Covered Institutions must protect against and respond to data breaches.
Incident Response Program
The Proposal would require that a Covered Institution maintain written policies and procedures that include a program reasonably designed to “detect, respond to, and recover from” unauthorized access to or use of customer information. The program must include procedures for the Covered Institution to (1) assess the nature and scope of any incident involving unauthorized access to or use of customer information, (2) take appropriate steps to contain and control such incidents to prevent further unauthorized access to or use of customer information, and (3) notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
Customer Notification Requirement
The notification requirement would be triggered where “sensitive customer information” was, or was reasonably likely to have been, accessed or used without authorization, unless the Covered Institution determines, after a reasonable investigation of the incident, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in “substantial harm or inconvenience.” “Sensitive customer information” would be defined to include information “which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” “Substantial harm or inconvenience” would be defined as “personal injury, or financial loss, expenditure of effort or loss of time that is more than trivial.” This standard is not a model of clarity, and we expect comments on what personal injury, financial loss, expenditure of effort, or loss of time would be “more than trivial” for purposes of the reporting requirement.
Any required notification under the Proposal must meet the following criteria:
- It must be given as soon as practicable, but not later than 30 days, after the Covered Institution becomes aware that the unauthorized access to or use of customer information has occurred (or is reasonably likely to have occurred).
- The Proposal would allow a Covered Institution to delay this notification for an additional 15 days if the Attorney General of the United States informs the Covered Institution, in writing, that the required notice poses “a substantial risk to national security.” After the additional 15 days, however, the notification would be required under the Proposal, regardless of any continuing risk to national security and regardless of whether the Attorney General has asked the Covered Institution to withhold the notification. This delay would be available only on written notice from the Attorney General, and not, for example, on notice from a state regulator or another regulatory agency that is conducting an investigation.
- It must be issued to the person who is reasonably likely to be harmed by the breach.
- In the event that it cannot be determined whose information was specifically breached (e.g. due to a system breach), then notice must be provided to “all individuals whose sensitive information resides in the affected system.”
- It must be “clear and conspicuous,” meaning the notice would need to be in writing and “reasonably understandable.”
- It must include “key information with details about the incident, the breached data, and how affected individuals could respond to the breach to protect themselves.”
- It must include the Covered Institution’s contact information.
This notification requirement would be additive to any required state law notifications, and there would be no carve-out for entities that have already notified all customers pursuant to state law-required notifications. The SEC notes an expectation that Covered Institutions would likely be able to send a single notice to cover both state law obligations and Reg S-P obligations as part of the incident response, though, of course, that notice would need to satisfy each requirement of both regimes.
In accordance with the aims of the Gramm-Leach-Bliley Act, the requirements for an incident response program would be focused on information pertaining to individuals, not entities. While many data breaches result in access (or potential access) to information relating to individuals, a data breach that reached only corporate information would seemingly not trigger a Covered Institution’s incident response program under the Proposal.
This notification requirement would also work in tandem with the notification requirement in Proposed Rule 10, which would require many of these same market participants (though again, not registered investment advisers) to make notifications to the SEC in the case of any “significant cybersecurity incident.” Taken together, these proposals demonstrate the SEC’s focus on requiring broad disclosure in the wake of data breaches and other cybersecurity incidents.
Service Providers
The Proposal would also require the incident response program to include policies and procedures that account for risks posed by service providers. Such policies and procedures would need to require the service providers to “take appropriate measures that are designed to protect against unauthorized access to or use of customer information,” which must include notification to the Covered Institution as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security resulting in unauthorized access to a customer information system maintained by the service provider.
Covered Institutions would be allowed to delegate the responsibility of notifying customers to service providers as part of the institution’s incident response program. Notwithstanding the delegation, the Covered Institution would remain liable for any failure to notify on behalf of the service provider.
As has become a pattern for the SEC in recent years, the Proposal would not directly regulate service providers for Covered Institutions, and would instead put the obligation on the Covered Institution.[1] We expect that Covered Institutions will face challenging negotiations with service providers, as well as increased costs as a result of the representations and warranties included through such negotiations, which in many cases would be passed down to customers.
Safeguards Rule and Disposal Rule Amendments
Current Safeguards Rule
Regulation S-P’s safeguards rule requires broker-dealers, registered investment advisers, and registered investment companies to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. A “customer” is defined as “a consumer who has a customer relationship with” those entities. If a customer relationship does not exist, that consumer’s information is not currently captured by the safeguards rule.
Current Disposal Rule
Regulation S-P’s disposal rule requires broker-dealers, registered investment advisers, registered investment companies, and transfer agents to properly dispose of “consumer report information.” This term differs from the “customer records and information” in the safeguards rule and is defined to mean “any record about an individual … that is a consumer report or is derived from a consumer report.”
Amendments
The Proposal would standardize the definitions in the two rules, using a single new defined term of “customer information”. This term would be defined to include, for Covered Institutions other than transfer agents, any record containing “nonpublic personal information” about “a customer of a financial institution.” For transfer agents, the term would be defined to include “any record containing nonpublic personal information … identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as a transfer agent, that is handled or maintained by the transfer agent or on its behalf.” The SEC explained that the reason for the distinction in definitions between transfer agents and other Covered Institutions is that transfer agents typically do not have “consumers” or “customers” for the purposes of Regulation S-P, because their clients generally are not individual securityholders, but rather the issuers in which the individual securityholders invest.
The Proposal would also expand the safeguards rule to include transfer agents along with broker-dealers, registered investment companies, and registered investment advisers.
Remote Work Considerations
The SEC noted the additional challenges that Covered Institutions face in enforcing the safeguards and disposal rules as a result of the increase in work-from-home arrangements coming out of the COVID-19 pandemic. The Proposal explains that Covered Institutions would likely need to consider “any additional challenges raised by the use of remote work locations within their policies and procedures.” While the proposed amendments do not explicitly address work-from-home arrangements, the SEC did seek comment on whether the Proposal should be amended to account for such arrangements or whether the SEC should provide specific guidance on these issues.
Recordkeeping
The Proposal would amend the recordkeeping requirements under the Advisers Act and the Investment Company Act to require registered investment advisers and registered investment companies to make and maintain written records documenting compliance with the requirements of the safeguards and disposal rules, as well as the incident response program. Notably, the Proposal would extend these recordkeeping requirements to unregistered investment companies as well (such as employees’ securities companies), though not to unregistered investment advisers (such as ERAs and foreign private advisers).
[1] Rule 206(4)-1 under the Advisers Act (the “Marketing Rule”), which imposes requirements on how registered investment advisers market their services, requires registered investment advisers to, among other things, have a “reasonable basis” to believe that any testimonial or endorsement made by a paid endorser (such as a placement agent) is in compliance with the terms of the Marketing Rule. See Marketing Rule Adopting Release, December 22, 2020, and our Firm’s Alert Memorandum. In addition, the SEC’s proposed new Rule 223-1 (the “Safeguarding Rule”), which would replace the current Custody Rule, would require registered investment advisers to obtain certain “reasonable assurances” from qualified custodians that such qualified custodians will, among other things, indemnify the adviser’s client against the risk of loss, including for simple negligence. See Safeguarding Rule Proposing Release, February 15, 2023, and our Firm’s Alert Memorandum.