SEC Proposes Enhancements to Regulation S-P and Takes Other Steps Related to Cybersecurity
The SEC recently proposed[1] to enhance Regulation S-P’s provisions requiring investment advisers and investment companies to protect customer (e.g., fund limited partner and investment company shareholder) information, including a new requirement to notify individuals when their information was accessed or used without authorization.[2]
Regulation S-P, adopted in 2000, broadly requires covered institutions like registered investment advisers, broker-dealers, investment companies and transfer agents to: (i) adopt written policies and procedures to safeguard customer records and information; (ii) properly dispose of customer information in a manner that protects against unauthorized access or use; and (iii) implement required privacy policy notice and opt-out provisions.
Noting the evolution of the technological landscape and the ease with which individuals’ personal information can be shared, the SEC proposed to:
- require covered institutions to adopt an incident response program reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information, and to make and maintain records documenting compliance;
- generally require covered institutions to notify impacted customers as soon as practicable, but within 30 days of becoming aware that unauthorized access to or use of such customers’ information has occurred or is reasonably likely to have occurred;
- define and broaden the scope of information covered under Regulation S-P’s safeguards and disposal rules;[3] and
- conform Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception provided by a 2015 statutory amendment.
The public comment period for the proposals will remain open until 60 days after the date of publication of the proposing release in the Federal Register.
The proposals are part of a rapidly evolving landscape of financial industry cybersecurity requirements from the SEC and other regulators, and this alert will be followed by a separate Golden Flag AIM providing additional detail and commentary. Please contact the Golden Flag regulatory attorneys with whom you regularly work if you have questions regarding these proposals.
1. The SEC fact sheet summarizing the Regulation S-P Release is available through this link: static/file/2023-copyright-developments ↩
2. Separately, the SEC also proposed a new rule that would require broker-dealers and certain other market participants to adopt written policies and procedures to address cybersecurity risk and provide the SEC with immediate notice of significant cybersecurity incidents, which follows and generally aligns with the SEC’s February 2022 investment adviser cybersecurity risk management proposal. The SEC Fact Sheet summarizing the Cybersecurity Proposal is available through this link: static/file/2023-copyright-developments ↩
Concurrently, the SEC also reopened the public comment period for the February 2022 investment adviser cybersecurity proposal to allow commenters to consider effects of the Regulation S-P proposal and the newly proposed broker-dealer rule on the investment adviser proposal. See our prior Golden Flag AIM on the subject, SEC Proposes Significant New Cybersecurity Rules for Investment Advisers, Golden Flag AIM (March 14, 2022) /publications/kirkland-aim/2022/03/sec-new-cybersecurity-rules-investment-advisers
3. The proposal is intended to consolidate, and expand the scope of, the definitions of customer information previously used in privacy regulations, and is intended to reach any record containing “nonpublic personal information” of any customer of a covered institution, whether in paper, electronic or other form. In the Proposal, the SEC is seeking industry comment regarding the information that should be included in or excluded from the definition. ↩