IAA Requests Extension on Compliance Deadline for Reg S-P Amendments
The Investment Adviser Association ("IAA") requested (i) clarification of the SEC's amendments to Regulation S-P ("Privacy of Consumer Financial Information and Safeguarding Personal Information") and (ii) a 12-month extension of the compliance deadline.
The SEC rule amendments mandated that covered institutions adopt incident response programs, including procedures for providing timely notification to affected individuals about the theft of sensitive customer information. The amendments also broadened the scope of information covered by the requirements for safeguarding and disposing of customer records. (See previous coverage.)
In a comment letter to SEC Chairman Paul S. Atkins, the IAA urged the SEC to grant a 12-month extension for compliance with the final amendments citing the "overly prescriptive" nature of the requirements and the complexity of aligning them with existing federal and state data privacy laws. The IAA stated that advisers needed additional time to complete gap analyses, update their policies and renegotiate breach notification terms with vendors.
The IAA also asked the SEC to clarify:
- Key Definitions. The IAA urged the SEC to narrow the definitions of "customer information" and "sensitive customer information." The IAA recommended limiting customer information to "nonencrypted" data and specifying the types of data that qualify as "sensitive."
- Service Provider Definition. The IAA asked the SEC to confirm that adviser affiliates that share security infrastructure would not be considered "service providers" to each other. The IAA also requested that brokers and custodians be excluded from the definition, along with entities with which advisers have no contractual relationship.
- Notification Triggers. The IAA urged the SEC to clarify when the breach notification clock starts. The IAA recommended that it should not start until a "reasonable forensic investigation" concludes that unauthorized access has occurred or is likely to occur.
- Risk-Based Oversight. The IAA recommended a principles-based framework for advisers' oversight obligations when vendors are unwilling or unable to cooperate fully.
- Notification Obligations. The IAA asked the SEC to confirm that advisers are required to notify only individuals or institutions with which they have a preexisting relationship.
- Law Enforcement Exception. The IAA argued that the existing exception for national security or public safety was too narrow. The IAA also urged the SEC to allow notification delays in cases where disclosure could jeopardize "an active investigation or similar risks."