It is no surprise that with the increased use of technology and its' ever-evolving advancements, comes an increased rate in cyber-crime and threats to personal consumer information. In response to these developments, and to modernize and improve the protection of consumer information, on May 16, 2024, the Securities and Exchange Commission (SEC), announced the adoption of amendments to Regulation S-P. These rules apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfers agents (collectively "covered institution(s)").
Background
Regulation S-P was initially adopted in 2000 and served as privacy rules pursuant to the Gramm-Leach-Bliley Act (GLBA) and, later, to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The Regulation included safeguard and disposal rules which required certain financial institutions (i) to adopt written policies to ensure safeguards were in place to protect customer information and (ii) to properly dispose of consumer report information.
Implications
The amendments to Regulation S-P will require covered institutions to implement an Incident Response Program. This program must:
- be reasonably designed to detect, respond, and recover from unauthorized access or use of customer information, and
- include procedures to assess the nature and scope of any incident that arises and steps to contain the incident to prevent further damage and access to customer information.
The amendment also require covered institutions to implement a customer notification system to promptly notify affected individuals whose "sensitive customer information" was, or reasonably likely to have been, accessed or used without permission. The Amendments define sensitive customer information in broad terms as either information that can be uniquely identified with an individual (e.g., Social Security number) or information that can be used to access a customer account (e.g., customer's username and password).
The SEC considers appropriate timing of notification to be as soon as practical but no later than 30 days after the covered institution becomes aware of the incident. However, the covered institution does not need to notify a customer if it has been determined that the sensitive customer's information has not been, or not reasonably likely to be, used in a way that would cause substantial inconvenience or harm.
It is the responsibility of the covered institution to evaluate what constitutes substantial inconvenience or harm based on the facts and circumstances. While not defining this term, the adopting release provides some examples that serve as a starting point for covered institutions when performing an analysis over an incident. These examples include "personal injury, financial loss, expenditure of effort, or loss of time" and can include circumstances such as "theft, harassment, physical harm, impersonation, intimidation, damaged reputation."
Further, the Incident Response Program is required to include written policies reasonably designed to include oversight, through due diligence and monitoring, of service providers. This will require covered institutions to ensure that service providers protect customer information from unauthorized use or access and the ability to provide customers with timely notice if there has been a breach to their information. Covered institutions need to ensure they are provided notification by the service provider of a breach as soon as practical but no more than 72 hours after the service provider has become aware of the breach to allow the covered institution to execute their Incident Response Program and customer notification systems. Implementation of oversight over service providers and what those policies and procedures consist of is the responsibility of the covered institution and should be tailored based on each individual service provider relationship.
The amendment to Regulation S-P elaborates and improves upon the fundamentals of the existing guidance. The amendments expand on the safeguard and disposal rules already in place. Regulation S-P has been expanded to consider personal customer information the covered institution receives from another financial institution about the financial institution's customers. Covered institutions will be required to retain written and formal documentation of ongoing compliance with the updated safeguard and disposal rules. Covered institutions will also be required to conform annual privacy notice delivery provisions to the terms of an exception provided by the FAST Act which states that covered institutions are not obligated to deliver an annual privacy notice if certain conditions are met.
Timeline and Next Steps
These Amendments became effective on August 2, 2024. Any broker-dealer not considered a small entity under the Securities Exchange Act of 1934 and any RIA with $1.5 billion or more in assets under management will have 18 months from August 2, 2024 to comply. Broker-dealers that are considered a small entity and RIA's with less than $1.5 billion in assets under management will have 24 months from August 2, 2024 to comply.
While there is a timeframe of adoption between 18-24 months, beginning the process of assessing current policies and procedures is important for covered institutions. Some steps that can be taken include:
- Assess existing policies surrounding customer information and enhancing them to comply with the Amendments.
- Assess the process for customer notification of incidents that will be necessary to ensure the response time is appropriate and in compliance with the new rules.
- Review their service provider agreements to ensure compliance with the Amendments. While written agreements between the covered institutions and its service providers are not a requirement, written agreements could be beneficial in ensuring compliance.
- Ensure the appropriate people are knowledgeable and up to date on the nature of the sensitive customer information they or their service providers have access to if or when the covered institution must execute their customer notification system.
Other Regulators
It is important that covered institutions consider other regulators' rules and definitions regarding customer information safeguards that affect them. For example, private funds may be subject to FTC Safeguards, which were recently amended, which require target financial institutions to establish and maintain an extensive and comprehensive information security program, including an incident response plan, to protect customer financial information. The FTC Safeguards define "comprehensive information security program" and discuss the requirements related to the role and use of service providers by these financial institutions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.