SEC Proposes Amendments to Reg S-P

Commentary by Michael A. Kleinman

The SEC proposed amendments to regulations on consumer financial privacy and information safeguards ("Reg S-P"). The proposed changes would, among other things, (i) require firms to implement written incident response plans, (ii) provide timely notification to affected individuals following data breaches and (iii) extend the protections of Reg S-P’s safeguards and disposal rules to cover information that a firm receives from another financial institution relating to that institution’s customers.

Proposed Rule

Incident Response Program. Covered broker-dealers, investment companies and investment advisers would be required, for the first time, to adopt and maintain policies and procedures to respond to data breach incidents as part of the written policies and procedures required under the Gramm-Leach-Bliley Act. The proposed amendments would require that several elements be included in a financial institution’s incident response program, including:

  • an assessment of the nature and scope of any incident involving unauthorized access to or use of customer information, including identifying the types of customer information and customer information systems accessed;
  • procedures to contain and control the incident;
  • procedures to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization (unless the financial institution determines after a reasonable investigation that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience); and
  • procedures to address the security risks posed by service providers with access to customer information and customer information systems, including through receipt of contractual guarantees to (i) ensure service providers are taking appropriate measures to protect customer information against unauthorized access or use and (ii) require the service provider to notify the financial institution as soon as possible, but no later than 48 hours after becoming aware of a breach.

Providing Notice to Affected Customers. Financial institutions would be required to notify affected customers of instances where their sensitive information was improperly accessed or used. The financial institution would be required to provide a "clear and conspicuous" notice to the affected customer(s) that is designed to assist the customer in addressing and potentially mitigating harm arising from the incident. The institution would be required to provide such notice as soon as practicable, and in any event within 30 days of becoming aware that unauthorized access to, or use of, customer information has occurred or is reasonably likely to have occurred. However, if the financial institution determines, within the 30-day period, that the customer information accessed without authorization will not be used in a way that would cause harm to the customer, then the proposed amendments allow the financial institution to elect not to provide notice to the customer.

The proposal aims to set a "Federal minimum standard" for data breach notification to customers of covered financial institutions. The SEC stated it "recognize[d] that state laws require covered institutions to notify state residents of data breaches, [but] those laws are not consistent and exclude some entities from certain requirements." The SEC also stated that the proposed amendments account for innovations in technology that have increased the risk of unauthorized access to customer information.

Extended Protection of Other Financial Institutions’ Customer Information. The safeguards rule presently requires a financial institution to protect its own customers’ information. Recognizing, however, that financial institutions often have access to, and store, nonpublic personal information about other financial institutions’ customers, the proposal would extend both the safeguards rule and the disposal rule to cover customer information that a covered institution receives from other financial institutions.

Commissioner Statements

SEC Chair Gary Gensler supported the proposal for "clos[ing] the gap" between Regulation S-P as it currently stands, which only requires firms to notify customers of how they use their financial information, and the proposal, which would require firms to notify customers of breaches of their information.

Commissioner Caroline A. Crenshaw stated that the proposal would add to the protections provided under Regulation S-P in "meaningful ways," adding that it is the SEC’s "imperative to impose rigorous requirements on SEC registrants and ensure that customer information is adequately secured." She also applauded the proposal for creating a federal baseline in customer protections.

Commissioner Jaime Lizárraga supported the proposal, applauding it as an important disclosure that provides "consistent notification to consumers, regardless of state of residency" and timely notice of breaches. Mr. Lizárraga said that, on balance, it strengthens cybersecurity and increases investor protection.

Commissioner Mark T. Uyeda said that he supported the solicitation of public comment on the proposal, but was concerned about the potential for overlap with other agency proposals. He added that the "kitchen sink approach to cybersecurity" creates potential issues and added costs around duplicative policies and procedures.

Commissioner Hester M. Peirce agreed with the aim of the proposal to notify customers if their personal information has been compromised but made clear that her support was "far from unreserved." Ms. Peirce highlighted several concerns with the proposal which included:

  • failing to provide a "workable strategy" to firms if faced with the issue of addressing conflicting state and federal requirements with regard to customer notifications;
  • causing firms to feel the need to err on the side of caution and forgo the provision allowing firms to not notify customers of unauthorized access to their personal information if it does not pose a threat to them, which she cautioned could result in "too much of a good thing";
  • burdening firms with compliance costs to renegotiate their contracts with a "universe of service providers" due to the breadth of the definition of service provider; and
  • proposing a one-year compliance period, of which Ms. Peirce said she "cannot understand how [that] is reasonable given the work firms will need to do."

Ms. Peirce also asserted that the proposal should include an exception excusing firms from alerting customers of a security breach when there is a "valid law enforcement or national security need for doing so."

Commentary


Portions of the proposal appear to reflect and respond to comments the SEC has received on its pending Investment Management Cybersecurity and Public Company Disclosure proposals. (Interestingly, the SEC yesterday also reopened the comment period on its Investment Management Cybersecurity proposal.) For example, while both of those proposals recognized (but did not affirmatively address) the potential burden on covered institutions of having to comply with multiple, sometimes inconsistent, regulations, the Reg S-P proposal contains an in-depth analysis of how covered institutions can implement and revise their policies and procedures to reduce some of that burden. In addition, while the Public Company Disclosure proposal does not contain any exception allowing delay of breach notification based on a pending law enforcement investigation into the breach (a topic of extensive discussion and comment following that proposal), the Reg S-P proposal does contain a narrow law enforcement delay provision.

Given the sheer number of SEC proposals now pending, including yesterday’s Regulation SCI and Exchange Act Cybersecurity proposals, financial institutions would do well to begin mapping out their existing safeguards and cybersecurity policies and procedures to assess for potential gaps and synergies with the new proposals. Special care should be given to the precise notification obligations to consumers, regulators and the public that would be required under the various proposals and under existing state laws.
