SEC’s Proposed Changes to Regulation S-P Would Overhaul Records and Information Requirements of Covered Institutions

Sullivan & Worcester

On March 15, 2023, the United States Securities and Exchange Commission (“SEC”) proposed amendments to Regulation S-P that, if finalized, would place additional burdens on covered institutions when it comes to handling consumer data and information. This client alert highlights key provisions of the proposed changes to Regulation S-P that will be particularly impactful on our clients.

Generally, the proposed changes to Regulation S-P would require covered institutions (which now include transfer agents) to add written policies and procedures outlining an “incident response program” that addresses unauthorized access to, or use of, customer information, including policies to provide notice, as soon as practicable but no later than 30 days after the covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, to individuals whose sensitive customer information was accessed or used without authorization. The proposed changes to Regulation S-P also enhance the “safeguards rule” and “disposal rule”.

Why This and Why Now?

The SEC’s 2023 Examination Priorities forecasted its focus on firms’ policies and procedures, governance practices, and response to cyber-related incidents, including those related to ransomware attacks, and broker-dealers’ and registered investment advisers’ compliance with Regulations S-P and S-ID, where applicable. Given the proliferation of information residing in registrants’ systems and stored through a third-party provider, the SEC believes the time is now to modify various aspects of these multiple relationships in order to further ensure the protection of consumer data and information.

Who is Subject to the Amendments to Regulation S-P and How?

The proposed changes to Regulation S-P will continue to affect the traditionally “covered institutions”: broker-dealers, investment companies, and investment advisers; however, the proposed changes would extend to and require transfer agents to comply with Regulation S-P and require more monitoring by covered institutions of third-party service providers.

The proposed amendment requires transfer agents—and not just those registered with the SEC—to protect consumer information in line with Regulation S-P. The SEC’s proposal emphasizes that “transfer agents that provide paying agent services on behalf of issuers play a significant role” within the securities markets and are also subject to data risks. Failure to account for and mitigate those risks can lead to a direct “loss of funds or securities, including through theft or misappropriation.” Thus, in a change from the current rule, the term “transfer agent” as included in a “covered institution” will be defined as “a transfer agent registered with the Commission or another appropriate regulatory agency” (emphasis added). The proposed definitional change to “transfer agent” would mean that all transfer agents that fall under the definition are required to comply with all applicable transfer agent requirements of Regulation S-P, including the safeguards and disposal rules:

  • Transfer agents will be required to protect customer information.
  • Transfer agents must develop, implement, and maintain written policies and procedures addressing safeguarding of customer information including administrative, technical, and physical safeguards.
  • Transfer agents must develop, implement, and maintain incident response programs to address unauthorized access to, or use of, customer information which includes customer notification provisions.

In addition, covered institutions must be cognizant of their third-party service providers’ access to customer information and notify customers of security incidents at any service providers. The proposed rule specifies that a covered institution must require its service providers to take “appropriate measures” to protect against unauthorized access to or use of customer information, including notifying the covered institution, pursuant to a written contract between the covered institution and the service provider. While service providers may not be “covered institutions” themselves, their relationship to a covered institution will bring them partially under the umbrella of Regulation S-P and could require additional changes to internal policies and procedures so that the covered institution maintains compliance with Regulation S-P.

Expansion of Coverage

A notable change in proposed amended Regulation S-P is the expansion of types of information and also types of customers—or non-customers—whose information is required to be protected. Expansions in the proposed amendment include:

  • “Sensitive customer information” is defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”
    • Notably, the harm or inconvenience does not have to be specifically financial; it can include expenditure of effort or loss of time.
    • An example in the proposed amendment considers that information identifying a customer together with their mother’s maiden name poses a wide risk of harm because a mother’s maiden name is commonly used for authentication purposes.

The proposed rule greatly expands Regulation S-P to cover “all consumer information that a covered institution maintains or otherwise possesses for a business purpose… regardless of whether such information pertains to the covered institution’s own customers or to customers of other financial institutions and has been provided to the covered institution.” This would require broker-dealers, for example, to protect information of prospective investors and ultimate investors. The proposing release further provides, by way of example, that a covered transfer agent that receives consumer information through an omnibus account held by a broker-dealer would be required to protect that consumer information even though no account is specifically held at the transfer agent by that consumer. We anticipate that broker-dealers who do not currently custody customer assets will be particularly burdened if this amendment is adopted, as their obligation to implement a meaningful response program will require, at a minimum, maintaining and tracking contact information for individuals who are not their customers in the traditional sense. Additionally, introducing and clearing firms will have to ensure that their clearing agreements (both omnibus and fully disclosed) clearly allocate responsibilities regarding the response program and notification requirements.

Finally, the proposing release specifically addresses the post-pandemic increase in the number of covered institution employees who work from home and notes that covered institutions should be mindful of the impact such arrangements have on compliance with Regulation S-P and the proposed amendments, if adopted.

Changes in Controls

If finalized as proposed, covered institutions will have to update their controls to ensure compliance with the proposed changes to Regulation S-P. Significant changes include:

  • Requiring an incident response program that will include:
    • Procedures to assess and identify the nature and scope of any incident and the customer information systems and types of customer information that may have been affected.
    • Procedures outlining appropriate steps to contain and control security incidents and prevent further damage and unauthorized access, including eradication measures.
    • Identifying ways that the nature and scope of the incident may inform the response.
  • Revising written supervisory procedures to address the risk of harm posed by security compromises at service providers, including standards and requirements to enter into contracts with service providers to protect consumer information that outline obligations of service providers.
  • Considering and revising supervisory procedures to address the risk of breach related to remote-working arrangements.
  • Updates to the recordkeeping requirement of written procedures, assessments, and other compliance tools with respect to Regulation S-P, varied by the type of covered institution:
    • Broker-dealers and transfer agents have a not-less-than-three-year recordkeeping requirement.
    • Investment companies have a not-less-than-six-year recordkeeping requirement, among other recordkeeping requirements.
    • Registered investment advisers have a five-year recordkeeping requirement, among other recordkeeping requirements.

Notification Requirements

Notably, the proposed amendments to Regulation S-P set forth notification requirements in the event of a security incident. New Regulation S-P would establish federal minimum standards and requirements for notification, harmonizing the previously disparate state notification standards and requirements. Key aspects of the notification standards and requirements include:

  • An affirmative requirement for a covered institution to provide notice to individuals whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization.
    • If rebutting the affirmative presumption, the covered institution must document why it determined notice was not required.
  • Notice must be given within 30 days of the covered institution’s discovery of the incident, regardless of the covered institution’s ultimate conclusions of the incident.
  • Notices must be designed to give the affected individual an opportunity to respond and timely remediate issues, and the notice must include ways the affected individual can respond and protect themselves. Additionally, the notices must provide contact information for specific individuals or departments at the covered institution available to provide the customer more information.
  • The delivery method of the notice must be designed to ensure the individual can be reasonably expected to receive the actual notice.

Takeaways

The proposed amendments to Regulation S-P will create a slew of regulatory changes resulting in significant modifications to existing operational processes for covered institutions to navigate, including managing and entering contracts with third-party service providers, assessing onboarding and introducing mechanisms to respond to the expansion of covered “consumer” information, creating notice plans that can be quickly deployed, and revising and creating new written supervisory procedures.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sullivan & Worcester | Attorney Advertising
