Incident Reporting on the SEC’s Radar as Regulator Seeks to Mandate a Federal Breach Notification Standard
A steady increase in the threat that data breaches pose to individual investors has spurred the Securities and Exchange Commission to revisit the issue of safeguarding customer information. On March 15th, 2023, the SEC published proposed changes for Regulation S-P. The proposal is designed to provide registered investment advisers’ clientele with sufficient notice of any data breaches that may put their data at risk of identity theft or similar harm.
Regulation S-P, otherwise known as the “safeguards” rule, requires brokers and registered investment advisers to create written policies and procedures to protect all records and information in their possession and to disclose information collection, storage, and sharing practices in privacy notices.
Regulation S-P was adopted in 2000, only two years after Google was first founded. The expansion of an interconnected workforce enabled by the Internet since that time has brought many technological efficiencies. Unfortunately, it has also increased the opportunities for individuals’ data to be compromised. This proposal, if adopted, would amend Regulation S-P to include additional requirements:
- Firms would need to adopt written policies/procedures for an incident response program to address any unauthorized access to the use of customer information.
- Firms would need to provide notice to individuals whose sensitive information was accessed without authorization. Notice should be provided as soon as possible, but firms must inform affected clients no later than 30 days after the institution becomes aware of the breach.
While all 50 states have enacted laws mandating that customers be notified in the event of data breaches, notification standards vary state by state. For example, states differ in deciding what sort of unauthorized information access may trigger a duty to notify. Additional differences include notice requirement dates, deadlines to deliver notice, and what sort of information needs to be included in a notification. With the introduction of federal data breach regulation, firms that operate in multiple states would defer to one standard for how they would need to navigate the crisis. In some states, the federal requirement would be more stringent than the existing state breach notification requirement.
Additionally, firms would have to broaden their policies to cover “customer information,” which is specifically defined to include any personal record containing “nonpublic personal information” about “a customer of a financial institution.” This information is covered, regardless of whether it’s recorded on paper or electronically. Moreover, registered transfer agents would become subject to the safeguards rule.
As it stands, Regulation S-P only requires firms to share information with natural person clients about how the institution uses their information; There is no requirement to notify customers about breaches. Although many financial firms have enhanced their cybersecurity policies over the years to include incident response plans, incident response plans were not specifically mentioned in the original Regulation S-P’s descriptions of “administrative, technical, and physical safeguards,” likely a factor of the timing of the 2000 release before the evolution of the current Internet.
As the SEC staff noted in its 2019 Risk Alert concerning Regulation S-P, significant deficiencies in incident response plans, among other areas, were observed in examinations of registered investment advisers and broker-dealers. The message at the time was clear: financial firms needed to do a better job safeguarding the information entrusted to them by clients. The SEC’s latest volley would raise the collective bar of information security by mandating stronger incident response processes.
Confluence’s Cybersecurity services team assists financial firms in developing comprehensive information security plans and conducting tabletop testing exercises of those plans, in addition to conducting cybersecurity testing and risk assessments. Firms interested in Confluence’s cybersecurity services can contact us at firstname.lastname@example.org
The public has at least until Sunday, May 14th, 2023 to submit comments regarding the proposal.
The proposed rule is available at: https://www.sec.gov/rules/proposed/2023/34-97141.pdf
Disclaimer: The information contained in this communication is for informational purposes only. The opinions expressed herein are those of the author and do not necessarily reflect those of Confluence. Confluence is not providing legal, financial, accounting, compliance, or other similar services or advice through this communication. Recipients of this communication are responsible for understanding the regulatory and legal requirements applicable to their business.