SEC Proposes Enhancements to Regulation S-P

Kilpatrick
Last week, the Securities and Exchange Commission (the “SEC”) proposed amendments to Regulation S-P (the “Proposal”) that would require registered investment advisers (“RIAs”), broker-dealers (“BDs”), investment companies (“Funds”) and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of harm.[i] The Proposal was released alongside other cybersecurity-related proposals, including an expansion and update of Regulation Systems Compliance and Integrity (Reg SCI) and the re-opening of the comment period for the previously proposed cybersecurity risk management rule for registered investment advisers and investment companies.[ii] Last February, we provided an overview of the SEC’s proposed rule on cybersecurity risk management for RIAs and Funds.

Below is a high-level overview of the Proposal.

Incident Response Program

If adopted as proposed, the Proposal would require RIAs, BDs, and Funds to adopt an incident response program as part of their policies and procedures under the safeguards rule. Under the Proposal, the incident response program must be reasonably designed to detect, assess, respond to, contain and control, and recover from unauthorized access to or use of customer information. Notably, the Proposal would also require that certain parts of the incident response programs also apply to RIAs’, BDs’, and Funds’ relationships with third party service providers.[iii]

Customer Notification Requirement

Additionally, if adopted as proposed, the Proposal would require RIAs, BDs and Funds to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The Proposal would require this notification to be made as soon as practicable, but no later than 30 days after the firm learned of the unauthorized access. If the firm determines that sensitive customer information is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience, notification would not be required.[iv]

Other Items

Additionally, the Proposal would create a new defined term, “customer information,” referring to a record containing “nonpublic personal information” about a customer of a financial institution. Accordingly, the Proposal would apply both to nonpublic personal information that a firm collects from its customers and to nonpublic personal information received from a third-party financial institution. The Proposal would also require firms to make and maintain written records documenting compliance with the requirements of the updated Regulation S-P.[v]

***

The public comment period for the Proposal will remain open for at least sixty days following publication of the proposing release on the SEC’s website. While RIAs, BDs and Funds already have compliance policies and procedures that address protection of customer records and information and the proper disposal of consumer report information, if the Proposal is adopted as proposed, policies and procedures would need to be updated to address unauthorized access to or use of customer information. Most RIAs, BDs and Funds are very familiar with and may already have policies and procedures that address unauthorized access/use of customer information. However, even firms with existing policies and procedures should note that the Proposal contains novel elements that may be inconsistent with existing requirements, such as its “inconvenience” standard for notification.[vi] While the Proposal is still pending, we suggest that RIAs, BDs and Funds review their Regulation S-P policies, procedures, and practices.


[i] See SEC Press Release, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information, March 15, 2023, available at https://www.sec.gov/news/press-release/2023-51 (“Press Release”).

[ii] See SEC Press Release, SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets, March 15, 2023, available at https://www.sec.gov/news/press-release/2023-52; SEC Press Release, SEC Proposes to Expand and Update Regulation SCI, available at https://www.sec.gov/news/press-release/2023-53.

[iii] Press Release.

[iv] Press Release.

[v] Press Release.

[vi] SEC Proposed Rules, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, SEC Release No. IA-6262, available at https://www.sec.gov/rules/proposed/2023/34-97141.pdf.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick | Attorney Advertising
