SEC EXAMS Director Reminds Firms to Implement Enhanced Rules to Protect Consumer and Personal Information

"[R]egistrants shouldn't be surprised if Regulation S-P is the subject of a thematic initiative in the coming fiscal years. Certainly, throughout this process we will be working closely with our colleagues here at FINRA and with our registrants to encourage compliance."
Keith E. Cassidy, Acting Director, Division of Examinations

Acting Director Keith E. Cassidy described the Division of Examinations' approach to "operationalizing" the Regulation S-P enhancements that protect the privacy of consumer financial information and safeguard personal information.

Speaking at FINRA's annual conference, Mr. Cassidy explained that last year's rule amendments "expanded the applicability of Regulation S-P to cover additional financial institutions, modernized the rules relating to safeguards and disposal of customer information, and helped ensure customers of covered institutions receive timely and consistent notifications in the event of unauthorized access to or use of their information." (See related coverage.) He said that firms will need to "assess and adopt" (i) incident response programs, (ii) new customer notification requirements and (iii) enhanced oversight of third-party service providers.

On incident response, he explained that covered institutions must now maintain procedures "reasonably designed to detect, respond to, and recover from unauthorized access to, or use of, customer information," and that they must include steps to "assess the nature and scope of any incident" and "contain and control incidents to prevent further unauthorized access or use."

On customer notification, he said that "with limited exception," firms will be required to notify individuals "as soon as practicable (but no later than 30 days), after the covered institution becomes aware that unauthorized access to, or use of, customer information has occurred (or is reasonably likely to have occurred)."

On third-party relationships, he said: "covered institutions may outsource their operations, [but] they may not outsource their ultimate obligation to comply with Regulation S-P."

Mr. Cassidy urged firms not to view early examiner inquiries as enforcement. He said these inquiries "are intended to inform the Commission of where registrants are in the process of implementation." He said the Division will issue a Risk Alert if staff identify "trends or risks relevant across the sector."

Mr. Cassidy reported that there have been requests for the SEC to extend the compliance dates. (See related coverage.) Should the Commission choose to do so, he said the Division will adjust its timeline.
