Insight

SEC adopts amendments to Regulation S-P to address risks associated with the expanded use of technology

On May 16, 2024, the U.S. Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P (“Reg S-P”) that are intended to help protect investors’ privacy from the “expanded use of technology and corresponding risks”1 (“Reg S-P Amendments”). The Reg S-P Amendments represent a significant expansion.

Reg S-P requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures for the protection of “customer records and information”2 (the “Safeguards Rule”) and to properly dispose of “consumer report information”3 (the “Disposal Rule”)4 The Reg S-P Amendments apply to an expanded set of covered institutions that include transfer agents registered with the SEC or another appropriate regulatory agency5 in addition to broker-dealers (including funding portals), investment companies (including business development companies), and investment advisers.6

The Reg S-P Amendments generally require:

  • Covered institutions to implement an incident response program designed to detect, respond to, and recover from, unauthorized use or access to customer information, including customer information held by a service provider to the covered institution;
  • As part of their incident response programs, covered institutions must notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization; and
  • A broadened scope of information covered by Reg S-P.

Key Takeaways from the Reg S-P Amendments

The following sets out the key takeaways from the Reg S-P Amendments:

  • Incident Response Program: Under the Safeguards Rule, covered institutions are required to implement an incident response program designed to detect, respond to, and recover from unauthorized use or access to customer information, including procedures to assess the incident and take steps to contain the incident.[7] Covered institutions must also have policies and procedures governing oversight of service providers to ensure that they receive timely notification in case of a breach of customer information at the service provider, and that customers receive required notifications.
  • Notice Requirement:[8] As part of the incident response program, covered institutions must provide “clear and conspicuous” notice to affected individuals “as soon as practicable,” but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notice may be provided electronically for customers who agree to receive information electronically.[9] A covered institution may delay providing notice for an additional 30 days if the Attorney General determines that notification would pose a substantial risk to national security or public safety. If further delay is required, the SEC will consider a request on a case-by-case basis.
  • Expanded Scope of Information: The Reg S-P Amendments expand upon the Safeguards Rule to protect “customer information,” which includes any record containing nonpublic personal information in any form that is in the possession of a covered institution.[10] Under the amended Disposal Rule, covered institutions must properly dispose of consumer information and customer information. “Consumer information” captures any record about an individual that is or is derived from a “consumer report,”[11] such as a credit score. Covered institutions must document compliance with the Safeguards and Disposal Rules in accordance with applicable recordkeeping rules.
  • Privacy Notice Exception: While covered institutions are already required to provide annual privacy notices to customers under Reg S-P, the amendments codify a statutory exception[12] to this requirement if the institution: (i) only provides non-public personal information to third parties when an exception to third-party opt-out applies; and (ii) the institution has not changed its policies and practices with regard to disclosing non-public personal information from its most recent disclosure sent to customers. When an institution no longer qualifies for the exception, it must resume providing annual privacy notices.

The Reg S-P Amendments Explained

Incident Response Program

As part of the incident response program, covered institutions must implement policies and procedures that: (i) assess the nature and scope of any incident and identify the customer information that may have been accessed or used without authorization; (ii) take steps to contain and control the incident; and (iii) notify impacted individuals, each further discussed below:

  • Assessment: Covered institutions must be able to identify the customer information systems and type of customer information that may have been accessed or used without authorization. For example, the assessment might include evaluating whether any data was lost or exfiltrated and the operational impact of the breach. Although the SEC did not propose specific steps a covered institution must take in carrying out its assessment; covered institutions should consider whether they maintain sufficiently granular information (e.g., logging data) to conduct this sort of assessment in the event of a cyber incident.
  • Containment and Control: The SEC noted that the strategy for containing and controlling an incident may involve making “complex judgment calls”[13] and for that reason, the strategies may vary based on the facts and circumstances. A covered institution may consider, for example, rotating private keys, changing all system passwords, and searching for other compromised systems. In creating policies and procedures addressing containment and control, covered institutions should also be prepared for the possibility that they will be denied access to or locked out of a particular system (e.g., through a ransomware attack) and make plans for business continuity.[14]
  • Notice Requirement: While the incident response program must address incidents involving any form of customer information,[15] a notification is only required when there has been unauthorized access or use of “sensitive customer information,” defined to mean “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”[16] Examples of sensitive customer information include information uniquely identified with an individual such as a Social Security number, taxpayer identification number, or biometric records. Although not defined by the SEC, “substantial harm or inconvenience” can include theft, fraud, harassment, physical harm, impersonation, and intimidation.

    The Reg S-P Amendments set forth specific information that must be included in a notice, including: (i) a description of the incident and type of sensitive customer information that was accessed; (ii) contact information for the covered institution so that affected individuals can inquire about the incident; (iii) a recommendation that the individual obtain credit reports and how to obtain the same free of charge; and (iv) information about the availability of guidance from the Federal Trade Commission and usa.gov regarding how individuals can protect themselves against identity theft.

    It should be noted that the SEC adopted these amendments to provide a “consistent minimum federal notification standard.”[17] State laws need to be reviewed to determine the scope and timing of any additional notification requirements.

Oversight of Service Providers

The Reg S-P Amendments require that covered institutions’ incident response programs have written policies and procedures to oversee (through due diligence and monitoring) service providers,[18] and to ensure that service providers take appropriate measures to: (i) protect against unauthorized access to or use of customer information; and (ii) provide notification to the covered institutions no later than 72 hours after becoming aware of a security breach resulting in such unauthorized access.[19] While the obligation to provide notice to affected customers remains with the covered institution, a covered institution may satisfy that obligation by ensuring that the notice is provided by a service provider or vendor.

Upon receipt of a breach notification from a service provider (or upon independent detection of an incident of unauthorized access to or use of customer information), the covered institution must initiate its incident response program, as discussed above.

Expanded Scope of Safeguards Rule and Disposal Rule

The Safeguards Rule and the Disposal Rule will now be expanded to apply to all “customer information,” which includes any record containing nonpublic personal information in any form that is in the possession of a covered institution. Importantly, this definition includes information about customers of other financial institutions where such information has been provided to the covered institution.[20]

The Reg S-P Amendments also extend the Safeguards Rule and the Disposal Rule to all transfer agents, even if the transfer agent is registered with another regulatory agency.[21] Noting that transfer agents’ clients are generally the issuers whose securities are held by investors, not the individual investors themselves, the Reg S-P Amendments create a different definition for “customer” for transfer agents, as “as any natural person who is a securityholder of an issuer for which the transfer agent acts or has acted as a transfer agent.”[22] Certain transfer agents enter into agreements with issuer clients that prevent securityholders from receiving breach notices directly from a transfer agent. Transfer agents may need to evaluate and amend such agreements to comply with the Reg S-P Amendments. A transfer agent that experiences an incident affecting securityholders of another covered institution can coordinate with such covered institution so that securityholders only receive one notice.

Recordkeeping

The Reg S-P Amendments require covered institutions to make and maintain: (i) written policies and procedures to comply with the Safeguards Rule and Disposal Rule; (ii) written documentation of any detected unauthorized access to or use of customer information and any response to such event; (iii) written documentation of any investigation and determination made regarding whether customer notification would be required with respect to such an event; and (iv) written policies and procedures and contracts regarding service providers. These records will need to be kept for time periods which are consistent with existing recordkeeping rules for these entities, such as SEC Rule 17a-4 for broker-dealers.

Compliance Dates

The Reg S-P Amendments will become effective 60 days after publication in the Federal Register. “Larger entities,” will have 18 months and all other entities will have 24 months after the date of publication to comply with these amendments.

Larger entities include:

  • investment companies with net assets of $1 billion or more as of the end of the most recent fiscal year;
  • registered investment advisers with $1.5 billion or more in assets under management;
  • all broker-dealers that are not small entities under the Securities Exchange Act of 1934, as amended (the “Exchange Act”); and
  • all transfer agents that are not small entities under the Exchange Act.

Looking Ahead

Covered institutions should begin evaluating and updating their compliance programs to ensure that they will be able to comply with the Reg S-P Amendments within 18 or 24 months, as applicable to their institution. In particular, covered institutions may wish to consider taking the following steps:

  • Review and amend current policies and procedures governing compliance with Reg S-P, in particular the Safeguards and Disposal Rules;
  • Review practices of services providers to assess whether they have policies and procedures to protect against unauthorized access to or use of customer information and are able to satisfy notification requirements, and review contractual arrangements with service providers to ensure they meet the requirements of the Reg S-P Amendments;
  • Identify existing requirements under state law and compare such requirements to those under Reg S-P, as amended; and
  • Evaluate operational controls, including compliance tools and technology, to ensure that the covered institution can comply with Reg S-P, as amended.

Importantly, in addition to compliance with the Reg S-P Amendments, covered institutions and other financial institutions, should consider other applicable requirements associated with a cybersecurity incident, including notification to and/or filings with (i) relevant law enforcement agencies (e.g., FBI), (ii) federal e.g.(, SEC, FINRA, Federal Reserve Bank, FinCEN) and state regulators, and (iii) counterparties to contracts pursuant to confidential information and/or intellectual property provisions. Our cross-disciplinary team, which includes members of our Financial Services Advisory and Regulatory, Cybersecurity, Intellectual Property, Litigation, Privacy, and Capital Markets teams have extensive experience in advising clients on cybersecurity incidents globally and are available to discuss any questions you may have.

We invite you to reach out to A&O Shearman to discuss how Reg S-P may impact your institution.

Footnotes

1Securities Exchange Act Release No. 34-100155 (“Adopting Release”).

2. The term “customer records and information” is not specifically defined, but currently the Safeguards Rule only protects the “records and information” of individuals who are customers of the particular institution.

3. Consumer report information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer report information also means a compilation of such records. Consumer report information does not include information that does not identify individuals, such as aggregate information or blind data. 17 CFR 248.30(d)(1).

4. Reg S-P “governs the treatment of nonpublic personal information about consumers.” 17 CFR 248.1(a). Nonpublic personal information means: “(i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available information.” 17 CFR 248.3(t).

5. When used with respect to a transfer agent, an appropriate regulatory agency includes the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (collectively, the “Banking Agencies”), and the SEC.

6. The Reg S-P Amendments are in addition to separate efforts by the SEC to address disclosure of cybersecurity processes and governance disclosure and the occurrence of cybersecurity incidents by public companies, which it did in its final rule “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”. Please refer to our publication “New SEC Mandates New Cybersecurity Disclosures”.

7. The SEC noted the similarity of this incident response program to the Banking Agencies’ Incident Response Guidance. See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 FR 15736 (Mar. 29, 2005). However, there are significant differences between the Reg S-P Amendments and the Banking Agencies’ Incident Response Guidance, which are outside the scope of this publication.

8. State laws also have various notification requirements, and the required timing and content may vary. 

9. According to the Adopting Release, the notice must be transmitted by a means “designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing,” which can be satisfied through electronic means. 17 CFR 248.30(a)(4)(i). See also Adopting Release at pg. 249.

10. Note that many states may also impose requirements regarding the disposal of customer information. Covered institutions should be aware of state law requirements as well as any contractual obligations it may have to dispose of or destroy customer information.

11. “Consumer report” is defined in 15 U.S.C. 1681a(d)(1) as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living…”

12. The Reg S-P Amendments conform Reg S-P to the requirements of the Fixing America’s Surface Transportation Act , codified at 15 U.S.C. 6803(f).

13.See Adopting Release at pg. 23.

14.See Adopting Release at pg. 55.

15. “Customer information” will mean “any record containing nonpublic personal information as defined in Section 248.3(t) about a customer of a financial institution, whether in paper, electronic, or other form.” 17 CFR 248.30(d)(5). Nonpublic personal information means: “(i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available information.” 17 CFR 248.3(t).

16. The SEC does not define “substantial harm or inconvenience” (withdrawing the proposed definition of “all personal injuries, as well as instances of financial loss, expenditure of effort, or loss of time when they are ‘more than trivial’”). However, the Adopting Release noted that the non-exhaustive list of examples of harms and inconveniences in the proposed rule could be a useful starting point (e.g., theft, fraud, harassment, physical harm, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the misuse of information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise misuse the individual’s account). Adopting Release at pg. 49.

17. Adopting Release at pg. 32.

18. Service provider is defined as a “person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” 17 CFR 248.30(d)(10). This includes affiliates of a covered institution. In response to a question about whether service providers would include financial counterparties such as brokers, clearing and settlement firms, and custodial banks, the SEC stated that covered institutions should make this determination based on the facts and circumstances about the substance of the relationship with the covered institution, rather than the form of the entity in question. Adopting Release at pg. 92.

19. Certain covered institutions, such as broker-dealers, may have separate obligations to supervise service providers or vendors. For example, broker-dealers must comply with the principles set forth in FINRA NTM 05-48 and Regulatory Notice 21-29, which requires, among other things, that a firm have in place specific policies and procedures that will monitor the service providers’ compliance with the terms of any agreements and assess the service provider’s continued fitness and ability to perform the covered activities being outsourced. Further, FINRA Rule 3120 requires a member firm to have a written supervisory control system that will, among other things, test and verify their supervisory procedures regarding their outsourcing practices.

20. The SEC includes, as an example “information that a registered investment adviser has received from the custodian of a former client’s assets … if the former client remains a customer of either the custodian or of another financial institution, even though the individual no longer has a customer relationship with the investment adviser.” Adopting Release at pg. 99.

21. Transfer agents registered with the Banking Agencies are already subject to the Banking Agencies’ Incident Response Guidance and Safeguards Guidance and therefore may need to review their existing procedures under the Banking Agencies’ Guidance for compliance with the amendments.

22. This definition does not apply to any other rules, including those specific to transfer agents codified at 17 CFR 240.17Ad. Unless specified, securityholders of issuers are not customers of transfer agents for purposes of other rules.