Summary

On May 16, 2024, the SEC adopted amendments to Regulation S-P (“Reg S-P”). The finalized amendments (the “Amendments”) to Reg S-P are designed to address the expanded use of technology and corresponding risks that have emerged since Reg S-P’s original adoption. The Amendments include requirements related to: (1) incident response programs; (2) 30-day customer notifications of data breaches; (3) service provider oversight; (4) expanding the scope of the Safeguards and Disposal Rules; (5) recordkeeping; and (6) an exception to the annual privacy notice delivery requirement. Firms will have either 18 or 24 months (for larger and smaller entities, respectively) from the date of publication in the Federal Register to come into compliance.

Background

Since its initial adoption in 2000, Reg S-P has governed how certain financial institutions treat consumers’ nonpublic personal information. Reg S-P requires broker-dealers, funding portals, investment companies, registered investment advisers, and transfer agents (collectively, “Covered Institutions”) to: (1) adopt written policies and procedures to safeguard customer records and information (the “Safeguards Rule”); (2) properly dispose of consumer report information (the “Disposal Rule”); and (3) implement privacy policy notices and opt out provisions. The Amendments represent a substantial expansion of the protections available to the customers of institutional securities market participants under the federal securities laws and establishes a new federal minimum standard for Covered Institutions to provide data breach notifications to affected individuals. We further discuss Reg S-P’s new and expanded requirements, as well as important considerations for compliance, below.

Overview of the Amendments

A. Incident Response Program

To protect against harms resulting from security incidents involving customer information, the Amendments now require Covered Institutions to adopt an incident response program as a part of their written policies and procedures under the Safeguards Rule. The incident response program must be “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” 17 CFR § 248.30(a)(3). Specifically, the Amendments require that incident response program procedures include the following:

• Assessment: To assess the nature and scope of any such incident. § 248.30(a)(3)(i).
• Containment and Control: Appropriate steps to contain and control such incidents to prevent further unauthorized assess or use. § 248.30(a)(3)(ii).
• Notice to Affected Individuals: A requirement to notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. § 248.30(a)(3)(iii).

The Amendments do not prescribe specific steps a Covered Institution must undertake when carrying out its incident response, stating that the rule instead offers flexibility and “thereby enables Covered Institutions to create policies and procedures best suited to their particular circumstances.”[1]

While the Amendments do not mandate how frequently incident response programs should be updated, the Adopting Release notes that Covered Institutions should “consider reviewing and updating the containment and control procedures periodically to ensure that the procedures remain reasonably designed.”[2]

B. Customer Notification Requirement

The Amendments establish “a Federal minimum standard for Covered Institutions to provide data breach notifications to affected individuals.”[3] As part of their incident response programs, the final rule provides that Covered Institutions will be required to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. § 248.30(a)(4)(i).

While the Amendments provide for a “presumption of notification,” notice will not be required if a Covered Institution determines, after a reasonable investigation, that the “sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.” § 248.30(a)(4)(i).

Covered Customers. Amended Reg S-P expands the definition of “customer information” to include not only information of individuals with whom the Covered Institution has a customer relationship, but also information about “customers of other financial institutions where such information has been provided to the Covered Institution.” [4] Thus, Covered Institutions are expected to notify affected individuals even if they do not have a customer relationship with them. This is discussed further below under Service Provider Oversight.

Definition of Sensitive Customer Information. Notice is only required when there has been unauthorized access to or use of sensitive customer information. The Amendments define “sensitive customer information” as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” § 248.30(d)(9)(i). This includes customer information that, by itself, could create a substantial risk of harm or inconvenience to an individual whose personal information (e.g., a Social Security number and username or partial passcode) has been compromised.

Scope of Affected Individuals. If unauthorized access has occurred or is reasonably likely to have occurred, but a Covered Institution is unable to identify which specific individuals’ information was accessed or used without authorization, the Amendments require that the Covered Institution “provide notice to all individuals whose sensitive information resides in the customer information system that was, or was reasonably likely to have been, accessed without authorization.” § 248.30(a)(4)(ii).

Timing of Notification. This notice must be provided as soon as reasonably practicable, but not later than 30 days, after the Covered Institution becomes aware that unauthorized access or use of customer information has, or is reasonably likely to have, occurred.

Method and Content of Notification. Under the Amendments, a customer notice must be clear and conspicuous and provided by a means designed to ensure that each affected individual can reasonably be expected to receive it. § 248.30(a)(4)(i). The Amendments outline the required content for notifications to customers, including the nature of the incident and the type of sensitive information involved, the date of the incident, and the Covered Institution’s contact information for an affected individual to contact to inquire about the incident.

C. Service Provider Oversight

The Amendments to the Safeguards Rule include new provisions that address the use of service providers[5] by Covered Institutions, making clear that while Covered Institutions may use service providers to provide any required notice, they will retain the obligation to ensure that affected individuals are notified in accordance with the notice requirements.

Covered Institutions’ incident response programs must include policies and procedures reasonably designed to require oversight, including through due diligence on and monitoring of service providers, including to ensure that that the Covered Institution satisfies customer notification requirements. The policies and procedures must be reasonably designed to ensure service providers take appropriate measures to: “(A) protect against unauthorized access to or use of customer information; and (B) provide notification to the Covered Institution as soon as possible but no later than 72 hours after becoming aware of a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.” § 248.30(a)(5)(i).

While these measures do not need to be provided for in a written contract between the Covered Institution and its service providers, the Amended Reg S-P’s recordkeeping requirements (discussed below) include a requirement for Covered Institutions to maintain “written documentation of any contract or agreement entered into pursuant to § 248.30(a)(5).”

D. Expanded Scope of Safeguards and Disposal Rules

The Amendments both broaden the scope of information covered by both the Safeguards and Disposal Rules and extend the rules’ applicability to transfer agents.

As discussed above, the Amendments broaden the scope of the Safeguards and Disposal Rules by applying them not only information that pertains to individuals with whom the Covered Institution has a customer relationship, but also to customers of other financial institutions where such information has been provided to the Covered Institution.

The Amendments also extend both the Safeguards and Disposal Rules to apply to transfer agents. The SEC reasoned that because transfer agents maintain sensitive information related to securityholders, the systems managed by transfer agents are subject to security threats and hazards, just like other market participants. This results in similar risks of substantial harm and inconvenience to individuals whose information is maintained by other Covered Institutions. Prior to the Amendments, the Safeguards Rule did not apply to any transfer agents, and the disposal rule applied only to those transfer agents registered with the SEC.

The Amendments also include a definition of customer that is specific to transfer agents.[6]

E. Recordkeeping

The Amendments require Covered Institutions (other than funding portals[7]) to make and maintain written records documenting compliance with the requirements of the Safeguards and Disposal Rules, as outlined in the table below:

F. Exception to Annual Delivery of Privacy Notice

The Amendments modify Reg S-P’s annual privacy notice requirement, now conforming it to the requirements of the Fixing America’s Surface Transportation Act (“FAST Act”), which provides an exception to the annual privacy notice requirement (provided certain requirements are met). If the institution: (1) only provides non-public personal information to non-affiliated third parties when an exception to third-party opt‑out applies; and (2) the institution has not changed its policies and practices with regard to disclosing non-public personal information from its most recent disclosure sent to customers, then the Covered Institution is not required to deliver an annual privacy notice. § 248.5(e)(1)(i) and (ii).

G. Compliance Period

The Commission is providing an 18-month compliance period after the date of publication in the Federal Register for “larger entities,” and a 24-month compliance period after the date of publication in the Federal Register for “smaller entities.” The table below outlines which entities will be considered “larger entities” for these purposes; smaller entities will be those Covered Institutions that do not meet these standards.

Key Takeaways

• Covered Institutions should carefully review the Reg S-P amendments and ensure their existing policies and procedures comply by the relevant compliance period. This includes updates to incident response programs and ensuring timely notice of security incidents, updates to existing safeguards and disposal policies to account for the expanded definition of “customer information,” and ensuring that existing contracts or other agreements with service providers include sufficient oversight for compliance.
• These Reg S-P amendments increase the customer and data privacy requirements and evidence the SEC’s increasing focus on privacy, data security, and cyber related risks. Read a previously published client alert on proposed rules in the data privacy and cybersecurity in financial services. Covered Institutions will need to assess notifications requirements imposed by both federal and state law and ensure that their internal notification programs are in alignment (e.g., FTC and GDPR).
• These amendments will have flow through impact for third-party service providers who are often in a position to identify that there has been a data breach (e.g., cloud service providers). Lastly, Covered Institutions will need to ensure that their document retention policies are compliant.

[1] See Securities Exchange Release No. 97141 (May 16, 2024) (File No. S7-05-23) (the “Adopting Release”) at Section II.A.

[2] Id. at Section II.A.2.

[3] https://www.sec.gov/files/34-100155-fact-sheet.pdf.

[4] Adopting Release at Section II.A.3.

[5] “Service provider” means “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a Covered Institution.” § 248.30(d)(10).

[6] For a transfer agent, a “customer” means any natural person who is a securityholder of an issuer for which the transfer agent acts or has acted as a transfer agent. § 248.30(d)(4)(ii).

[7] Pursuant to Regulation Crowdfunding under the Exchange Act, funding portals must comply with the requirements of Regulation S-P as they apply to broker-dealers. However, funding portals are not subject to the recordkeeping obligations for broker-dealers set forth in Rule 17a-4 under the Exchange Act.

[View source.]