Final Amendments to Regulation S-P under Securities Exchange Act of 1934

Hinckley Allen

On May 15, 2024, the Securities and Exchange Commission (the “SEC”) issued final amendments (the “Amendments”) to Regulation S-P (originally adopted in 2000), which governs the treatment of a customer’s nonpublic personal information by certain financial institutions. The Amendments aim to modernize and enhance the customer protections established under Regulation S-P by expanding the scope of the existing safeguards rule and the disposal rule and the categories of financial institutions covered by Regulation S-P (“covered institutions”). Under the Amendments “covered institutions” include broker-dealers, investment companies, SEC-registered investment advisers, and SEC-registered transfer agents or transfer agents similarly registered with another appropriate regulatory agency (“transfer agents”).

General

The Amendments require covered institutions to create and maintain written policies and procedures for incident response programs to protect against and minimize the effects of unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. The Amendments also extend the application of requirements to safeguard customer records and information to transfer agents; broaden the scope of information covered by the requirements for safeguarding customer records and information and for properly disposing of consumer report information; impose requirements to maintain written records documenting compliance with the amended rules; and conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act.

Incident Response Program

The Amendments require a covered institution to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The incident response program must include written policies and procedures to:

  • Assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization;
  • Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and
  • Notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization in accordance with the notification obligations discussed below.

The Amendments do not specify the steps a covered institution must take when carrying out its incident response program, or designate who must undertake oversight responsibilities, thus providing covered institutions flexibility to determine whether and how to appropriately assign or divide such responsibilities.

Customer Notification Requirement

As a part of the incident response program, covered institutions are required to notify individuals if their sensitive data was, or is reasonably likely to have been, accessed or used without authorization. Such notice must be provided as soon as practicable, but not later than 30 days, after becoming aware that the incident has occurred or is reasonably likely to have occurred. Notifications to affected individuals must be clear and conspicuous, contain specified information, and be distributed in a manner that ensures each affected individual can reasonably be expected to receive the notice.

No notification is required if the institution determines, through reasonable investigation, that the sensitive customer information has not been, or is reasonably likely not to be, used in a manner that would result in substantial harm or inconvenience. The Amendments presume notification will be required. Accordingly, if a covered institution is unable to identify which specific individuals’ sensitive customer information has been accessed or used without authorization, the Amendments require the covered institution to provide notice to all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed without authorization (“affected individuals”). Further, a covered institution (other than a funding portal) that determines no notice is required must maintain a record of the investigation and the basis for its determination.

While the incident response program must address data breaches involving any “customer information”, the notice requirement only applies to “sensitive” customer information, a subset of “customer information.” The Amendments define the term “sensitive customer information” to mean “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” This definition is broader than that used by some states and the banking agencies’ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The SEC determined that, given the varied and evolving nature of security practices across covered institutions, it would be impractical to provide an exhaustive list of data elements whose exposure could put affected individuals at risk of substantial harm or inconvenience.

The Amendments also do not define “substantial harm or inconvenience” as this determination would depend on the particular facts and circumstances surrounding an incident. The SEC acknowledges that the concept of “substantial harm or inconvenience” underlying the Amendments’ presumption of notification is likely to require notifications where no notice would be required under many state laws and other federal regulations.

The Amendments do not include an exception or safe harbor in the definition of sensitive customer information for encrypted information. However, the SEC states that a covered institution may consider encryption as a factor in determining whether the compromise of customer information could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.

Service Providers

The Amendments require a covered institution utilizing service providers to establish, maintain, and enforce written policies and procedures implementing oversight mechanisms, including thorough due diligence and monitoring. The written policies must require service providers to notify the covered institution if they become aware of a security breach, as soon as possible but not later than 72 hours after becoming aware of such breach. The Amendments define “service providers” as “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.”

Institutions utilizing service providers remain obligated to ensure potentially affected individuals are notified in accordance with the notice requirements described above. To avoid requiring multiple covered institutions to notify the same affected individuals for a given incident, the Amendments require that, when an incident occurs at a covered institution or at one of its service providers that is not itself a covered institution, the covered institution has the obligation to ensure that a notice is provided to affected individuals, regardless of whether the covered institution has a customer relationship with the individuals. If the covered institution received the customer information from another covered institution, the two covered institutions can coordinate with each other to decide who will send the notice.

Scope

The Amendments aim to reconcile information protected under the safeguards rule and information protected under the disposal rule by applying the protections under both sets of rules to the newly defined term, “customer information.” The new term includes information in the covered institution’s possession as well as customer information handled or maintained on the covered institution’s behalf. The new definition also includes customers that have a customer relationship with the covered institution as well as customers providing information to other financial institutions when such information has then been provided to the covered institution.

The Amendments also extend the scope of the safeguards rule to cover any transfer agent registered with the SEC or another appropriate regulatory agency and extend the disposal rule to transfer agents registered with a regulatory agency other than the SEC. The Amendments account for the fact that transfer agents’ clients generally are the issuers whose securities are held by investors, not the individual investors themselves, by defining “customer” with respect to a transfer agent as any natural person who is a security holder of an issuer for which the transfer agent acts or has acted as a transfer agent.

Record Keeping Requirements

The Amendments incorporate increased recordkeeping requirements in order to track compliance with the safeguards rule and disposal rule. The recordkeeping requirements and retention periods vary based on the differing types of covered institutions, but are consistent with existing recordkeeping rules for these entities to the extent they have pre-existing recordkeeping obligations. Required records to be kept include: (1) written policies and procedures adopted to address administrative, technical, and physical safeguards protecting customer information; (2) documentation of unauthorized access to or use of customer information; (3) investigations and determinations made regarding notification to affected individuals during unauthorized access incidents; (4) written policies and procedures governing use of service providers; and (5) written policies and procedures addressing disposal of consumer and customer information.

Annual Privacy Notice Exception

Regulation S-P currently requires broker-dealers, investment companies and registered investment advisers to provide customers with annual notices on the institution’s privacy practices. The Amendments create an exception, conforming to the requirements of the Fixing America’s Surface Transportation (FAST) Act, exempting a covered institution from providing an annual privacy notice, if the institution: (1) only provides personal information to non-affiliated third parties when an exception to the third-party opt-out applies and (2) has not changed its privacy practices with regard to disclosing non-public personal information from its last disclosure to customers.

Compliance Timelines

Larger entities (investment companies with at least $1 billion of net assets, including assets of related investment companies; registered investment advisers with at least $1.5 billion of assets under management; and broker-dealers and transfer agents that are not small entities under the Securities Exchange Act of 1934 for purposes of the Regulatory Flexibility Act) will have 18 months after the publication date to comply with the Amendments’ provisions, while smaller entities (all other covered institutions) will have 24 months after the date of publication.

Next Steps

Developing and implementing an incident response program that complies with amended Regulation S-P as well as other overlapping and, in some circumstances, inconsistent state and federal requirements will likely be a complex undertaking. Our Cybersecurity, Privacy & Data Protection attorneys work closely with our clients to minimize potential risks by developing and maintaining incident response plans (IRPs) and compliance programs. A well-designed IRP incorporates four key elements: (1) preparation; (2) detection and analysis; (3) containment, eradication, and recovery; and (4) post-incident activity/lessons learned.

See The Critical Role of A Cyber Incident Response Plan in Today’s Cyberthreat Environment – Hinckley Allen.

Our Cybersecurity, Privacy & Data Protection attorneys also provide critical advice and assistance when a potential cybersecurity or data security incident is identified or discovered. The first 24 hours after an organization discovers a data breach are critical to restoring network security, obtaining and preserving evidence for the cyber investigation, and complying with an organization’s legal and contractual obligations to mitigate potential liability risks. Our attorneys have the expertise to assist covered institutions as they work to comply with these new requirements.

See ABA_Whitepaper_2023.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinckley Allen | Attorney Advertising
