RISK MANAGEMENT—SEC requires firms to notify customers of data breaches - 17 May 2024
Broker-dealers, investment companies, advisers, and transfer agents will have to provide prompt notice of a security incident.
The SEC adopted amendments to Regulation S-P to require securities firms to notify customers of a data breach. The millennium-era rule already required firms to notify customers about the use of their information, but the amendments will also require notification of security breaches and expand on the requirements for disposal of customer information. The requirements will also extend to transfer agents (SEC, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, RIN 3235-AN26 (May 16, 2024)).
Covered institutions. The amendments apply to broker-dealers, investment companies, SEC-registered investment advisers, funding portals, and SEC- or otherwise-registered transfer agents.
Incident response. Since its adoption in 2000, Regulation S-P has required broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures to safeguard customer records and information. The new amendments expand on the safeguards rule by also requiring the policies and procedures to include an incident response program. This program must:
Be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information;
Include procedures to assess the nature and scope of an incident and take appropriate steps to prevent further unauthorized access or use;
Require oversight of service providers, including through due diligence and monitoring.
Customer notification. Under the new amendments, a covered institution must notify affected individuals whose information was, or is reasonably likely to have been, accessed or used without authorization. However, no notification is required if the firm determines that the customer information has not been, and is not reasonably likely to be, used in a way that would result in substantial harm or inconvenience.
Notification must be made as soon as practicable and in any event within 30 days after becoming aware of the breach. (Limited delays are available if notice would pose a risk to national security or public safety, as determined by the Attorney General.) The notices must include details about the incident, the breached data, and how those affected can protect themselves.
Information subject to rules. In addition to the safeguards rule, Regulation S-P incorporates a requirement that firms properly dispose of consumer report information to protect against unauthorized access or use. The amended rule expands both the safeguards rule and disposal rule to cover both information that a covered institution collects about its own customers and information it receives from another firm about that firm’s customers.
Compliance. Larger firms will have 18 months from publication in the Federal Register to comply with the new amendments; smaller firms have 24 months. This is a longer transition period than the 12 months originally proposed.
Need for amendments. In a statement prior to the vote on the amendments, SEC Chair Gary Gensler emphasized the age of Regulation S-P and quipped that “Investors would benefit from a financial privacy rule more modern than the AOL era.” While the original rule requires a firm to notify customers of its privacy policy, the new amendments close a gap by requiring notification of data breaches.
Commissioners Jaime Lizárraga and Hester Peirce also supported the rule, albeit with reservations in Peirce’s case. Lizárraga called the amendments “important and balanced” and highlighted that this new federal standard is a minimum; customers in states with more stringent protections will continue to benefit from those.
Peirce also agreed that the amendments are important. “All of us have given our personal information to a business with a tinge of fear that our information is at risk,” she said. But she worries that firms will err on the side of providing unnecessary notices, leading to a glut of disclosures that customers eventually start to ignore. During implementation, SEC staff should work with the securities industry to achieve the right balance of providing a framework for adequate notification without encouraging a default position of over-notification. “The Commission needs to show that it will not use Regulation S-P to set up well-intentioned firms for enforcement actions,” Peirce said.
The release is No. 34-100155.
© 2021 CCH Incorporated and its affiliates and licensors. All rights reserved.