SEC Adopts Amendments to Regulation S-P That Require Reporting Breaches of "Sensitive Customer Information"

On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to report data breaches affecting "sensitive customer information," which is "any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information."

The amendments were originally proposed on March 15, 2023 (covered in this previous post). The amendments will go into effect 60 days after they are published in the Federal Register.

Summary of the Amendments

The amendments to Reg S-P, which implement provisions of the Gramm-Leach-Bliley Act (GLBA) and Fair and Accurate Credit Transactions Act (FACT Act or FACTA), require asset managers, broker-dealers, mutual funds, and transfer agents to notify affected individuals whose "sensitive customer information" "was, or was reasonably likely to have been, accessed or used without authorization." Sensitive customer information is defined as "any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information." Based on this broad definition of "sensitive customer information," entities covered by Reg S-P will have to notify affected individuals of breaches affecting a much wider range of personal information than is required under state data breach laws. Notification to the SEC is not required.

Notification to affected individuals would be required under the Reg S-P amendments "as soon as practicable, but not later than 30 days" after a covered institution determines that the breach occurred or is reasonably likely to have occurred. Notification would not be required if "after a reasonable investigation of the incident, [a covered institution determines] that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience." The amended regulations do not define "substantial harm or inconvenience" but do include an apparent encryption safe harbor, stating: "Given the computational complexity involved in deciphering information encrypted using modern encryption algorithms and secure procedures, the compromise of such encrypted information would generally not give rise to 'a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.'"

Financial institutions covered by Reg S-P also are now required to develop "an incident response program to address unauthorized access to or use of customer information." Previously, Reg S-P only imposed a general requirement to "protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer." The new incident response program would need to include policies and procedures to assess the nature and scope of incidents involving unauthorized access to or use of customer information, take "appropriate steps" to contain and mitigate the incident, and notify each individual "whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization." A covered financial institution's incident response program would need to address handling of incidents at their service providers—not just at the covered entities themselves. Among other things, covered financial institutions would have to require their service providers to notify them of a data breach within 72 hours (this was increased from 48 hours as originally proposed). Other amendments to Reg S-P include:

• Harmonizing the scope of personal information covered by Reg S-P's "safeguards rule" and "disposal rule." Previously, the two rules applied to different sets of information. Under the amendments, both rules apply to "customer information," which is defined as "any record containing nonpublic personal information about a customer of a financial institution whether in paper, electronic or other form, that is handled or maintained by the covered institution or on its behalf."
• Extending the safeguards rule and disposal rule to apply to registered transfer agents—entities that work for securities issuers to track ownership records, cancel old certificates, and provide other services. Under the amendments, both rules would apply to transfer agents registered with the SEC or any "appropriate regulatory agency" as defined in 15 U.S.C. § 78c(34)(B).
• Implementing a statutory exception to GLBA's annual privacy notice requirement. In 2015, Congress enacted the Fixing America's Surface Transportation Act (FAST Act), which exempted entities that only share nonpublic personal information in limited circumstances, such as to service providers and to detect fraud, from providing annual privacy notices to their customers under GLBA.

SEC's Continued Emphasis on Cybersecurity

The Reg S-P amendments are part of a broader emphasis by the SEC to address cybersecurity within the financial sector. For example:

• The SEC finalized its rule requiring public companies to publicly disclose material cybersecurity incidents (discussed in our post here).
• The SEC charged SolarWinds and its CISO with securities fraud over alleged failure to disclose known material cybersecurity risks and vulnerabilities (discussed in our post here).
• The SEC also just this week entered into a settlement agreement with a group of companies, including the New York Stock Exchange (NYSE), that failed to notify of a cybersecurity incident in violation of Reg SCI.

DWT's privacy and security and financial services practice groups advise broker-dealers, RIAs, funds, and other SEC-regulated entities on data privacy and security requirements under federal securities laws and other laws at the federal and state levels. We will continue to monitor the SEC's activities and other regulatory developments in this space.