The U.S. Securities and Exchange Commission (SEC) has published a press release announcing an upcoming consultation on revisions to Regulation S-P (17 CFR Part 248). The revisions are aimed at enhancing (cyber)security management, the protection of customer information, and the disclosure of certain data breaches to customers. Among other things, the Commission seeks to expand the current requirements under Regulation S-P to:
(1) require covered institutions (brokers, dealers, investment companies, investment advisers, and transfer agents) to develop and maintain an Incident Response Program, to be triggered as soon as data security issues have been detected. The program would have to include policies and procedures for the detection of, response to, and recovery from "unauthorized access to or use of customer information". Such policies would need to describe the steps a covered firm must take to determine the scope and nature of an incident and the measures it needs to apply to recover from it. The Incident Response Program would also require firms to document any security breaches (unauthorized access) and any response measures taken following the incident, and to keep those records for a specified period of time.
(2) require covered institutions that rely on third-party service providers to demand that such providers implement protective measures to prevent security breaches. Covered institutions would also have to demand adequate notification of the institutions themselves if any security issue has arisen at the third-party service provider's (physical) location. Notifications would have to be made within 48 hours of the service provider becoming aware of such an incident.
(3) require covered institutions to notify customers of any security breaches that may affect customers' personal data (unauthorized access, theft). The notification would have to be made as soon as "practicable", but no later than 30 days following the detection of such an incident. Interestingly, the notification requirement would not apply "if the covered institution determines that the sensitive customer information was not actually and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience".
Additionally, the SEC seeks to expand the definition of "customer information" to include any information about customers held at the institution, irrespective of whether the institution obtained the information itself or received it from another institution. Furthermore, the SEC proposes to expand the applicability of Regulation S-P to also include transfer agents that are not registered with the Commission itself.
The draft will be open for public consultation for 60 days following its publication in the Federal Register.