Last month, the Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer (the “Amendments” can be found here). The Amendments address certain requirements for Covered Institutions handling data security incidents that affect customers’ nonpublic personal information. “Covered Institutions” under the Amendments are registered investment advisers, broker-dealers, registered investment companies, and transfer agents registered with the SEC, Comptroller of the Currency, Board of Governors of the Federal Reserve System, or Federal Deposit Insurance Corporation.
The Amendments require Covered Institutions to: (i) develop and implement a written incident response program that reasonably responds to unauthorized access to or use of customer information; (ii) in connection with incidents involving such unauthorized access or use, provide notice to affected individuals no later than 30 days; (iii) establish, maintain, and enforce written policies and procedures designed to require oversight of service providers; and (iv) prepare and keep compliance records to document policies and procedures to better safeguard and dispose of customer information. Below is a brief description of additional requirements required under the Amendments.
Written Incident Response Program
As amended, a Covered Institution must adopt an incident response program with written policies and procedures reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
The Amendments require an incident response program that identifies how the institution will:
- Assess the nature and scope of a data breach and identify which customer information systems and customer information may have been affected.
- Take steps to contain and control the data breach to prevent further unauthorized access to or use of customer information.
- Notify each customer whose information was, or is reasonably likely to have been, accessed or used of the breach, unless after a reasonable investigation, it is likely that the sensitive customer information has not been, and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.
The Amendments allow the incident response program to be tailored based on the size and complexity of the institution and the nature and scope of its activities. A Covered Institution’s program should be reasonably designed to include oversight, due diligence, and monitoring of service providers to ensure that the Covered Institution itself notifies affected individuals. A “service provider” refers to any person or entity that receives, maintains, processes, or has access to customer information through the services it provides directly to a Covered Institution. Covered Institutions must establish written policies and procedures reasonably designed to ensure oversight of their service provider’s compliance with the rule. A service provider must notify the covered institution as soon as possible but no later than 72 hours after becoming aware of a breach.
Notification Requirements
Covered Institutions are required to provide a clear and conspicuous notice to each affected individual by a means designed to ensure that the individual can reasonably be expected to receive actual notice in writing. The notice must be provided within 30 days after the Covered Institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred (subject to national security, public safety, and other exceptions). The notice must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves (e.g., reviewing account statements for suspicious activity or instituting fraud alerts and credit monitoring). However, the notification is not required if a Covered Institution determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
“Customer Information”
The Amendments broaden and more closely align Reg S-P’s safeguard rule and disposal rule so that they both apply to all “customer information,” which covers any record containing nonpublic personal information in any form that is in the possession of a Covered Institution regardless of whether such information pertains to individuals with whom the covered institution has a customer relationship or the customers of other financial institutions where such information has been provided to the covered institution. The Amendments also expand the applicability of Reg S-P’s safeguards rule and disposal rule to transfer agents registered with the SEC.
Recordkeeping
The Amendments require Covered Institutions to prepare and maintain: (i) written policies and procedures about administrative, technical, and physical safeguards for the protection of customers under the incident response program; (ii) written documentation of any detected unauthorized access to or use of customer information and any response; (iii) written documentation of any investigation and determination made regarding whether notification to affected individuals is required; (iv) written policies, procedures, and any related contracts with service providers adopted pursuant to the Amendments; and (v) written policies, procedures to address the proper disposal of consumer information and customer information.
Annual Delivery of Privacy Notice Exception
Before the Amendments, Reg S-P generally required that Covered Institutions send annual notices to customers regarding their privacy practices. The Amendments introduce an exception to the annual privacy notice requirement, provided that certain conditions are met. To qualify for the exception, the institution must (i) only share nonpublic personal information with nonaffiliated third parties when an exception to third-party opt-out applies, and (ii) has not made any changes to its policies and practices regarding the disclosure of nonpublic personal information since the most recent disclosure sent to customers.
Compliance Date
The Amendments were published in the Federal Register on June 3, 2024. Larger entities (as defined in the Amendments) will have until December 3, 2025, to comply, while smaller entities (as defined in the Amendments) will have until June 3, 2026.
Key Takeaways
Covered Institutions should be prepared for an increased risk of enforcement action related to customer information and cybersecurity. Covered Institutions should consider the following steps:
- Examine and update existing compliance programs, policies, and procedures to ensure that they comply with new requirements of Amendments within either 18 or 24 months (as applicable).
- Review service provider agreements to ensure that there is sufficient oversight for compliance. Further, confirm that service providers have the necessary policies and procedures in place to protect customer information from unauthorized access or use and to meet the notification requirements, as applicable.
- Identify other applicable federal or state laws associated with cybersecurity incidents and compare them to the requirements under Reg S-P, as amended.