On March 15, 2023, the Securities and Exchange Commission (SEC) proposed three rule changes that demonstrate its continued focus on cybersecurity. One of these proposals, and the only one to be unanimously approved (the Proposal), would amend Regulation S-P to require covered institutions to directly notify individuals of certain data breaches and implement written policies to minimize the resulting damage. The Proposal amends both the safeguards and disposal rules of Regulation S-P, which currently apply to broker-dealers, investment companies (including business development companies)[1] and registered investment advisers, and expands the scope of these rules to also apply to transfer agents (covered institutions). The Proposal further extends the personal information covered by these rules to include information that covered institutions collect from their own customers, as well as from other financial institutions.
These rule changes supplement prior proposals by the SEC that are also aimed at protecting customer information. Just over one year ago, the SEC proposed two cybersecurity rule sets: a February 2022 proposal that would require written data protection and risk management policies (the February 2022 Amendment) and a March 2022 proposal that would impose mandatory reporting of cybersecurity incidents (the March 2022 Amendment).[2] The SEC recently reopened the comment period for the February 2022 Amendment, seeking comments on how the present Proposal and other pending cybersecurity amendments might affect it.
Covered institutions should ensure they have robust data protection plans in place to comply with existing requirements under Regulation S-P. Covered institutions should also consider how to implement the written policies set forth in the Proposal, as discussed below.
State laws currently govern a covered institution’s duty to notify individuals of cybersecurity breaches. All 50 states have breach notification laws, which vary widely in scope, timing and required content. These laws differ, for example, in the type and volume of exposed information that will trigger a duty to notify. Eleven of these laws have exceptions for entities subject to the Gramm-Leach-Bliley Act, the statute that Regulation S-P implements. Thus, covered institutions may never be required to directly notify residents of certain states that their information was exposed. The SEC seeks to standardize breach notification duties nationwide, although covered institutions will still have to comply with state breach notification laws where applicable.
The Proposal would require covered institutions to notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. No notice would be required if the covered institution determines, after a reasonable investigation, that the exposure is not likely to result in substantial harm or inconvenience to the individual. Substantial harm or inconvenience is defined as “personal injury, or financial loss, expenditure of effort or loss of time that is more than trivial” and includes examples such as theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the “misuse of information to access, log in to, effect a transaction in, or otherwise misuse an individual’s account.”[3]
The notice must be clear, conspicuous and designed to help an individual understand the scope of the incident and its potential ramifications. The notice must include, for example, a description of the incident, the types of information exposed and what has been done to protect it from further unauthorized access or use. The notice must also advise individuals on how they can protect themselves, including how to obtain a credit report, how to place a fraud alert on a credit file and how to obtain guidance from the Federal Trade Commission on preventing identity theft. Finally, the notice must include contact information that allows the individual to inquire about the incident, including a telephone number, an email address or equivalent method, a postal address, and the name of a specific office to contact for further assistance from the covered institution.
The Proposal would require covered institutions to provide these notices as soon as practicable, but in no event later than 30 days after becoming aware that unauthorized access to or use of customer information is reasonably likely to have occurred. According to the SEC, this uniform outer deadline is beneficial because 32 state breach notification laws do not provide any time limit for giving notice.
This is not the first effort by the SEC to increase transparency surrounding data breaches. The March 2022 Amendment would impose mandatory disclosure of cybersecurity incidents on Forms 6-K and 8-K, as well as periodic disclosure of risk management policies and corporate cybersecurity governance. However, the SEC found that such reports are directed to investors, regulators and the public at large, and do not provide sufficient notice to affected individuals that would allow them to protect their data following a breach.
Regulation S-P currently requires all covered institutions to adopt written policies to ensure the security, integrity and confidentiality of customer information. But the SEC found, through its enforcement and investigation efforts, that many covered institutions do not have sufficient procedures in place to remediate and respond to cybersecurity breaches.
The Proposal would require written incident response plans to “(i) assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization; and (ii) take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information.”[4] Covered institutions would retain broad discretion when drafting these policies, as the SEC recognizes that their content may vary based on the size, nature and sophistication of each business. The SEC believes having such policies in place before an incident occurs will speed up response and recovery efforts, thereby mitigating further damage.
The incident response plans must focus in particular on protecting the personal information of individuals rather than on general cybersecurity or data protection measures. These plans must also include procedures for timely notifying affected individuals and helping them respond to the misuse of their information. Finally, the incident response plans must address the risks of sharing customer information with third-party vendors, including vendor management programs and contractual obligations requiring the vendor to notify the covered institution of any security breach.
The safeguards rule currently applies to broker-dealers, registered investment advisers and investment companies, and requires them to adopt written policies that implement administrative, technical and physical safeguards to protect “customer records and information.” But the safeguards rule does not currently apply to transfer agents, which increasingly handle customer information on behalf of these institutions. The Proposal would expand the safeguards rule to cover all transfer agents registered with the SEC, as well as those registered with another appropriate regulatory agency as defined by the Exchange Act.
The safeguards rule also does not define the types of “customer records and information” that covered institutions must protect. But another rule under Regulation S-P (the disposal rule) currently requires covered institutions (including transfer agents) to properly dispose of “consumer report information.” The Proposal would unify the safeguards rule and the disposal rule with the newly defined term “customer information,” which includes “any record containing nonpublic personal information … about a customer of a financial institution, whether in paper, electronic or other form, that is handled or maintained by the covered institution or on its behalf.”[5] This new definition also expands the scope of the safeguards rule to cover not only information that the covered institution obtains from its own customers but also all such information that it obtains from another financial institution.
Despite this newly defined term, covered institutions should note that the proposed breach notification requirements discussed above do not apply to all “customer information.” Rather, the Proposal’s breach notification requirements may be triggered when “sensitive customer information” is exposed, which includes “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”[6] Under the Proposal, a covered institution may take into account the nature of the exposed information and any mitigating factors, such as encryption, when assessing whether notice is required.
Under the Proposal, covered institutions will also be required to make and maintain records documenting, among other things: (i) assessments of the nature and scope of any incidents involving the exposure of customer information; (ii) steps taken to contain and control such incidents; and (iii) any notices to affected individuals whose sensitive customer information was reasonably likely to have been exposed. Covered institutions must retain records of their activities under the Proposal for at least three years. This retention period is separate from other record retention requirements that may apply, which vary based on the type of covered institution at issue.
[1] Investment companies include mutual funds, closed-end funds such as business development companies, and unit investment trusts.
[2] See our prior alerts on the February 2022 Amendment here: (https://www.kramerlevin.com/en/perspectives-search/sec-proposes-cybersecurity-risk-management-requirements-for-investment-advisers-and-registered-funds.html); and on the March 2022 Amendment here: (https://www.kramerlevin.com/en/perspectives-search/sec-proposes-comprehensive-cybersecurity-reporting-rules-for-public-companies.html).
[3] See proposed rule 248.30(e)(9).
[4] See proposed rule 248.30(b)(3)(ii).
[5] See proposed rule 248.30(e)(5).
[6] Examples of sensitive customer information include information that can authenticate an individual’s identity, such as a Social Security number or government identification number; biometric records; a unique electronic identification number, address or routing code; and account information that could be used to gain access to an account. See proposed rule 248.30(e)(9).