SEC Proposes Enhancements to Regulation S-P
Last week, the Securities and Exchange Commission (the “SEC”) proposed amendments to Regulation S-P (the “Proposal”) that would require registered investment advisers (“RIAs”), broker-dealers (“BDs”), investment companies (“Funds”) and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of harm.[i] The Proposal was released alongside other cybersecurity-related proposals, including an expansion and update to Regulation Systems Compliance and Integrity (Reg SCI) and the re-opening of the comment period for the previously proposed cybersecurity risk management rule for registered investment advisers and investment companies.[ii] Last February, we published an overview of the SEC’s proposed rule for cybersecurity risk management for RIAs and Funds.
Below is a high-level overview of the Proposal.
Incident Response Program
If adopted as proposed, the Proposal would require RIAs, BDs, and Funds to adopt an incident response program as part of their policies and procedures under the safeguards rule. Under the Proposal, the incident response program must be reasonably designed to detect, assess, respond to, contain and control, and recover from unauthorized access to or use of customer information. Notably, the Proposal would also require that certain parts of the incident response program apply to RIAs’, BDs’, and Funds’ relationships with third-party service providers.[iii]
Customer Notification Requirement
Additionally, if adopted as proposed, the Proposal would require RIAs, BDs and Funds to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The Proposal would require this notification to be made as soon as practicable, but no later than 30 days after the firm learned of the unauthorized access. If the firm determines that sensitive customer information is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience, notification would not be required.[iv]
Additionally, the Proposal would create a new defined term, “customer information,” referring to a record containing “nonpublic personal information” about a customer of a financial institution. Accordingly, the Proposal would apply both to nonpublic personal information that a firm collects from its customers and to nonpublic personal information received from a third-party financial institution. The Proposal would also require firms to make and maintain written records documenting compliance with the requirements of the updated Regulation S-P.[v]
The public comment period for the Proposal will remain open for at least sixty days following publication of the proposing release on the SEC’s website. While RIAs, BDs and Funds already have compliance policies and procedures that address protection of customer records and information and the proper disposal of consumer report information, if the Proposal is adopted as proposed, those policies and procedures would need to be updated to address unauthorized access to or use of customer information. Most RIAs, BDs and Funds are already familiar with this area and may already have policies and procedures that address unauthorized access to or use of customer information. However, even firms with existing policies and procedures should note that the Proposal contains novel elements that may be inconsistent with existing requirements, such as its “inconvenience” standard for notification.[vi] While the Proposal is still pending, we suggest that RIAs, BDs and Funds review their Regulation S-P policies, procedures, and practices.
If you have any questions about the Proposal, or the regulation of registered investment advisers, broker-dealers, and registered investment companies generally, please feel free to contact us.
By the Investment Management and Broker-Dealer Team and Technology, Privacy & Cybersecurity Team at Kilpatrick Townsend
This content is provided by Kilpatrick Townsend & Stockton LLP for informational purposes only and is not intended to advertise our firm’s services, to solicit clients, or to provide legal advice. Viewers should not rely on the posted materials as advice about specific legal problems. Such advice can be rendered only by competent counsel familiar with the particular facts and circumstances involved. Posting and viewing of the materials on our website or in printed form is not intended to constitute the rendering of legal advice or to create an attorney-client relationship with the viewer. If Kilpatrick Townsend & Stockton LLP does not already represent you, and you send us an e-mail, your e-mail will not create an attorney-client relationship and will not be treated as privileged or confidential.
Attorney Advertising – Kilpatrick Townsend & Stockton LLP, 1100 Peachtree Street NE, Suite 2800, Atlanta, GA 30309 | 404-815-6500.
[i] See, SEC Press Release, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information, March 15, 2023, available at https://www.sec.gov/news/press-release/2023-51 (“Press Release”).
[ii] See, SEC Press Release, SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets, March 15, 2023, available at https://www.sec.gov/news/press-release/2023-52; SEC Press Release, SEC Proposes to Expand and Update Regulation SCI, available at https://www.sec.gov/news/press-release/2023-53.
[iii] Press Release.
[iv] Press Release.
[v] Press Release.
[vi] SEC Proposed Rules, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, SEC Release No. IA-6262, available at https://www.sec.gov/rules/proposed/2023/34-97141.pdf.