Incident reporting on the SEC’s radar as regulator seeks to mandate a federal breach notification standard

April 20, 2023

A steady increase in the threat that data breaches pose to individual investors has spurred the Securities and Exchange Commission to revisit the issue of safeguarding customer information. On March 15th, 2023, the SEC published proposed changes for Regulation S-P. The proposal is designed to provide registered investment advisers’ clientele with sufficient notice of any data breaches that may put their data at risk of identity theft or similar harm.

Regulation S-P, otherwise known as the “safeguards” rule, requires brokers and registered investment advisers to create written policies and procedures to protect all records and information in their possession and to disclose information collection, storage, and sharing practices in privacy notices.

Regulation S-P was adopted in 2000, only two years after Google was first founded. The expansion of an interconnected workforce enabled by the Internet since that time has brought many technological efficiencies. Unfortunately, it has also increased the opportunities for individuals’ data to be compromised. This proposal, if adopted, would amend Regulation S-P to include additional requirements:

  • Firms would need to adopt written policies and procedures for an incident response program to address any unauthorized access to, or use of, customer information.
  • Firms would need to provide notice to individuals whose sensitive information was accessed without authorization. Notice should be provided as soon as possible, but firms must inform affected clients no later than 30 days after the institution becomes aware of the breach.

While all 50 states have enacted laws mandating that customers be notified in the event of data breaches, notification standards vary state by state. For example, states differ in deciding what sort of unauthorized information access may trigger a duty to notify. Additional differences include notice requirement dates, deadlines to deliver notice, and what sort of information needs to be included in a notification. With the introduction of federal data breach regulation, firms that operate in multiple states would defer to one standard for how they would need to navigate the crisis. In some states, the federal requirement would be more stringent than the existing state breach notification requirement.

Additionally, firms would have to broaden their policies to cover “customer information,” which is specifically defined to include any personal record containing “nonpublic personal information” about “a customer of a financial institution.” This information is covered, regardless of whether it’s recorded on paper or electronically. Moreover, registered transfer agents would become subject to the safeguards rule.

As it stands, Regulation S-P only requires firms to share information with natural person clients about how the institution uses their information; there is no requirement to notify customers about breaches. Although many financial firms have enhanced their cybersecurity policies over the years to include incident response plans, such plans were not specifically mentioned in the original Regulation S-P’s description of “administrative, technical, and physical safeguards,” likely a consequence of the rule’s 2000 release, before the Internet evolved into its current form.

As the SEC staff noted in its 2019 Risk Alert concerning Regulation S-P, significant deficiencies in incident response plans, among other areas, were observed in examinations of registered investment advisers and broker-dealers. The message at the time was clear: financial firms needed to do a better job safeguarding the information entrusted to them by clients. The SEC’s latest volley would raise the collective bar of information security by mandating stronger incident response processes.

Confluence’s Cybersecurity services team assists financial firms in developing comprehensive information security plans and conducting tabletop testing exercises of those plans, in addition to conducting cybersecurity testing and risk assessments. Firms interested in Confluence’s cybersecurity services can contact us at [email protected]

The public has at least until Sunday, May 14th, 2023 to submit comments regarding the proposal.

The proposed rule is available at: https://www.sec.gov/rules/proposed/2023/34-97141.pdf
