SEC Adopts Significant Cybersecurity Amendments to Regulation S-P | Kramer Levin Naftalis & Frankel LLP
On May 16, 2024, the Securities and Exchange Commission (SEC) adopted final amendments to Regulation S-P, one year after issuing the proposed amendments (discussed here). Regulation S-P is a set of privacy rules that govern how certain financial institutions handle nonpublic personal information. These amendments seek to modernize requirements for broker-dealers (including funding portals); investment companies such as mutual funds, closed-end funds and business development companies (BDCs); SEC-registered investment advisers (RIAs); and transfer agents (collectively, “Covered Institutions”)[1] to address the expanded use of technology and corresponding risks that have developed since the rules were first adopted in 2000.
The adopted rules broaden the scope of information covered by Regulation S-P. Moreover, they contain new requirements under the Safeguards and Disposal rules of Regulation S-P (the Safeguards Rules) regarding a Covered Institution’s incident response plan, service provider oversight, recordkeeping and notices to individuals following a security incident. These adopted rules are distinct from additional cybersecurity requirements that the SEC proposed for RIAs, registered funds and BDCs in February 2022, which are also discussed below.
Incident Response Plans
The adopted rules now require Covered Institutions to implement an incident response plan as part of their cybersecurity program. The incident response plan must contain policies and procedures “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” These policies and procedures must address the Covered Institutions’ ability to assess the nature and scope of any incident involving unauthorized access to customer information; identify the systems and types of customer information that may have been compromised; notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, compromised; and take appropriate steps to contain and control the incident to prevent further unauthorized access or use.
Sensitive customer information is defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual.” Examples of sensitive customer information include government ID numbers; a biometric record; a unique electronic ID number, address or routing code; unique device or telecommunications signal IDs; and information identifying an individual or the individual’s account number combined with any of the information listed above, or any information that would allow access to the account, such as a security code.
The adopted rules do not detail what procedures must be included in an incident response plan. However, the adopting release states that Covered Institutions should review and update the containment and control procedures periodically to ensure that they remain reasonably designed.
Notice to Individuals
Covered Institutions must notify affected individuals within 30 days of becoming aware that individuals’ sensitive customer information was compromised. These notices need to include the following information:
- The nature and date of the incident, including any types of sensitive customer information that were or are reasonably believed to have been compromised
- Contact information for the Covered Institution, including at least a telephone number (toll-free if available), an email address or equivalent, a postal address, and the name of a specific office to contact for more information and assistance
- A recommendation that the individual review any related account statements and report suspicious activity
- Information regarding consumer credit files, including a recommendation that the individual obtain a copy of their credit report, how to obtain a copy and how to place a fraud alert on the report
- Information regarding online resources that individuals can use to prevent identity theft
Notification is not required if the Covered Institution determines, after a reasonable investigation, that “sensitive customer information has not been, or is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.” The final amendments removed the definition of “substantial harm or inconvenience” that was originally included in the proposed amendments. However, the removed definition may still be helpful when determining whether a harm or inconvenience may require notification (e.g., in cases that may lead to fraud, theft, harassment, physical harm, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or misuse of an individual’s account or information to obtain a financial product or service).
Service Providers
The adopted rules also require Covered Institutions to include a vendor management program as part of the incident response plan, which must be reasonably designed to implement oversight, including through due diligence and monitoring, of any service providers with whom the Covered Institution shares customer information. These policies and procedures must also be designed to ensure that service providers notify the Covered Institution as soon as possible, and in any event within 72 hours of discovery, of any security incident suffered by the service provider that affects customer information. The adopted rules state that Covered Institutions may also require their service providers to directly notify any individuals affected by a security incident, but make clear that the responsibility to ensure that all affected individuals receive notice ultimately remains with the Covered Institution.
The proposed amendments would have required Covered Institutions to enter into written agreements with their service providers that memorialize the terms described above. However, the requirement to enter into such contracts was removed in the final amendments. As noted below, Covered Institutions must still keep accurate records of any such contracts that they choose to enter into with service providers.
Recordkeeping
In addition to the incident response plan described above, the adopted rules also require Covered Institutions to make and maintain records documenting:
- Any unauthorized access of customer information, as well as any response to and recovery from such unauthorized access required by the incident response program
- Any investigation and determination made regarding whether notification to customers is required, including the basis for any determination and a copy of any notices transmitted to individuals following such determination
- Policies and procedures required to ensure service provider oversight
- Any contract entered into pursuant to the service provider oversight requirements
While the records that each Covered Institution is required to keep are the same, the retention period varies based on the type of Covered Institution, and falls in line with the existing required retention periods for each type of entity.
Expanded Scope
The adopted rules expand the definition of “customer information,” which now includes “information in the possession of a covered institution or information that is handled or maintained by the covered institution or on its behalf, regardless of whether such information pertains to (a) individuals with whom the covered institution has a customer relationship or (b) the customers of other financial institutions where such information has been provided to the covered institution.” This means that the new rules now cover customer information of individuals who no longer have a customer relationship with the Covered Institution, as well as information that the Covered Institution receives from third-party financial institutions.
For example, information that an RIA receives from the custodian of a former client’s assets is covered under the adopted rules if the former client remains a customer of either the custodian or another financial institution, even though the individual no longer has a customer relationship with the investment adviser. This expanded definition affects both the new notification requirements and the existing requirements under the Safeguards Rules of Regulation S-P.
The adopted rules also expand the scope of Regulation S-P to apply to any transfer agent registered with the SEC or another appropriate regulatory agency. The modifications to the definition of “customer information” described above now extend to transfer agents.
Comparison to Prior Cybersecurity Proposals Affecting RIAs, Registered Funds and BDCs
In February 2022, the SEC separately proposed new requirements covering the cybersecurity practices and response measures of RIAs, registered funds and BDCs (collectively, Covered IM Entities). Although the adopted rules under Regulation S-P and the February 2022 proposals cover certain similar requirements (including requiring Covered IM Entities to have policies and procedures to respond to security incidents), the February 2022 proposals are broader in that they would require incident disclosures to a wider audience, including current and prospective advisory clients and fund shareholders, as well as reporting to the SEC. The disclosures required under the February 2022 proposals focus more on improving clients’ and shareholders’ ability to evaluate cybersecurity risks and incidents and their potential effects on adviser and fund operations. By contrast, the adopted amendments to Regulation S-P focus more on providing notice to individuals about unauthorized access to their sensitive customer information.
The SEC has recognized that, given certain similarities in both sets of rules, Covered IM Entities would be able to avoid duplicating efforts if they establish a single set of policies and procedures designed to address all of the requirements under both the February 2022 proposals (if adopted) and the adopted amendments to Regulation S-P. The SEC has also indicated that, as appropriate, a single notice to clients and investors could be used to provide the disclosures required by both sets of rules.
Timing and Next Steps
Large Covered Institutions will have 18 months, and smaller Covered Institutions will have 24 months, from the date of publication in the Federal Register to comply with the adopted rules. The adopting release sets forth the following criteria for determining which Covered Institutions are considered large entities that must comply within 18 months:
- Investment companies that, together with other investment companies in the same group of related companies, have net assets of $1 billion or more at the end of the most recent fiscal year
- RIAs with $1.5 billion or more in assets under management
- All broker-dealers and transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act
All Covered Institutions should begin reviewing and updating their privacy and data security policies and procedures to ensure compliance before the effective date for their size and type of institution.
[1]“Covered Institutions” does not include investment advisers not subject to SEC registration (e.g., exempt reporting advisers) or private investment funds.