Last week, the Securities and Exchange Commission (the “SEC”) proposed amendments to Regulation S-P (the “Proposal”) that would require registered investment advisers (“RIAs”), broker-dealers (“BDs”), investment companies (“Funds”) and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of harm.[i]  The proposal was released alongside other cybersecurity-related proposals, including an expansion and update to Regulation Systems Compliance and Integrity (Reg SCI) and the re-opening of the comment period for the previously proposed cybersecurity risk management rule for registered investment advisers and investment companies.[ii]  Last February, we previously overviewed the SEC’s proposed rule for cybersecurity risk management for RIAs and Funds.

Below is a high-level overview of the Proposal.

Incident Response Program

If adopted as proposed, the Proposal would require RIAs, BDs, and Funds to adopt an incident response program as part of their policies and procedures under the safeguards rule.  Under the Proposal, the incident response program must be reasonably designed to detect, assess, respond to, contain and control, and recover from unauthorized access to or use of customer information.  Notably, the Proposal would also require that certain parts of the incident response programs also apply to RIAs’, BDs’, and Funds’ relationships with third party service providers.[iii]

Customer Notification Requirement

Additionally, if adopted as proposed, the Proposal would require RIAs, BDs and Funds to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.  The Proposal would require this notification to be made as soon as practicable, but no later than 30 days after the firm learned of the unauthorized access.  If the firm determines that sensitive customer information is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience, notification would not be required.[iv]

Other Items

Additionally, the Proposal would create a new defined term, “customer information,” referring to a record containing “nonpublic personal information” about a customer of a financial institution.  Accordingly, the Proposal would apply to both nonpublic personal information that firm collects from its customers and to nonpublic personal information received from a third-party financial institution.  The Proposal would also require firms to make and maintain written records documenting compliance with the requirements of the updated Regulation S-P.[v]

***

The public comment period for the Proposal will remain open for at least sixty days following publication of the proposing release on the SEC’s website.  While RIAs, BDs and Funds already have compliance policies and procedures that address protection of customer records and information and the proper disposal of consumer report information, if the Proposal is adopted as proposed, policies and procedures would need to be updated to address unauthorized access to or use of customer information. Most RIAs, BDs and Funds are very familiar with and may already have policies and procedures that address unauthorized access/use of customer information.   However, even firms with existing policies and procedures should note that the Proposal contains novel elements that may be inconsistent with existing requirements, such as its “inconvenience” standard for notification.[vi] While the Proposal is still pending, we suggest that RIAs, BDs and Funds review their Regulation S-P policies, procedures, and practices. 

If you have any questions about the Proposal, or the regulation of registered investment advisers, broker-dealers, and registered investment companies generally, please feel free to contact us.

By the Investment Management and Broker-Dealer Team and Technology, Privacy & Cybersecurity Team at Kilpatrick Townsend

This content is provided by Kilpatrick Townsend & Stockton LLP for informational purposes only and is not intended to advertise our firm’s services, to solicit clients, or to provide legal advice.  Viewers should not rely on the posted materials as advice about specific legal problems.  Such advice can be rendered only by competent counsel familiar with the particular facts and circumstances involved.  Posting and viewing of the materials on our website or in printed form is not intended to constitute the rendering of legal advice or to create an attorney-client relationship with the viewer.  If Kilpatrick Townsend & Stockton LLP does not already represent you, and you send us an e-mail, your e-mail will not create an attorney-client relationship and will not be treated as privileged or confidential.

Attorney Advertising – Kilpatrick Townsend & Stockton LLP, 1100 Peachtree Street NE, Suite 2800, Atlanta, GA 30309 | 404-815-6500.

For more information, please refer to our Terms of Use and Privacy Policy.