On May 16, 2024, the Securities and Exchange Commission (SEC) adopted final amendments to Regulation S-P, roughly one year after the proposed amendments were published. Regulation S-P is a set of privacy rules that govern how certain financial institutions handle nonpublic personal information. The amendments apply to broker-dealers (including funding portals), investment companies such as mutual funds, closed-end funds, and business development companies (BDCs), SEC-registered investment advisers (RIAs), and transfer agents (collectively, "covered institutions").[1] The aim is to modernize the requirements for protecting customer information in light of the growing use of technology, and the risks that come with it, since the rules were first adopted in 2000.
The adopted rules expand the scope of information covered by Regulation S-P and add new requirements under Regulation S-P's Safeguards and Disposal Rule (Safeguards Rule) regarding covered institutions' incident response programs, oversight of service providers, recordkeeping, and notification to individuals following a security incident. These adopted rules are distinct from the additional cybersecurity requirements the SEC proposed for RIAs, registered funds, and BDCs in February 2022, which are also discussed below.
Incident response program
The adopted rules require covered institutions to implement an incident response program as part of their safeguards policies. The program must include policies and procedures that are "reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information." These policies and procedures must address the covered institution's ability to assess the nature and scope of any incident involving unauthorized access to or use of customer information; identify the systems and types of customer information that may have been compromised; and notify affected individuals whose sensitive customer information has been, or is reasonably likely to have been, compromised. Where customer information has been or is reasonably likely to have been compromised, the covered institution must also take appropriate steps to contain and control the incident to prevent further unauthorized access or use.
Sensitive customer information is defined as any component of customer information whose disclosure, alone or in combination with other information, would reasonably be expected to create a risk of substantial harm or inconvenience to an individual. Examples include government-issued identification numbers, biometric records, unique electronic identification numbers, addresses, or routing codes, unique device or communication signal identifiers, and any information that identifies an individual or an individual's account number when combined with any of the above or with information that allows access to the account, such as a security code.
The adopted regulations do not spell out in detail what steps an incident response plan must include. However, the adoption release states that covered institutions must periodically review and update their containment and control procedures to ensure they are appropriately designed.
Notification to individuals
Covered institutions must notify affected individuals within 30 days of becoming aware that their sensitive customer information has been, or is reasonably likely to have been, compromised. The notice must include:
- the nature and date of the incident, including the types of sensitive customer information that have been, or are reasonably believed to have been, compromised;
- contact information for the covered institution, including at a minimum a telephone number (toll-free if available), an email address or equivalent, a mailing address, and the name of a specific office to contact for further information and assistance;
- a recommendation that the individual review relevant account statements and report suspicious activity;
- information about consumer credit reports, including a recommendation that the individual obtain a copy of their credit report, how to obtain one, and how to place a fraud alert on it; and
- information about online resources the individual can use to help prevent identity theft.
Notice is not required if a covered institution, after a reasonable investigation, determines that the sensitive customer information "has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience." The final amendments removed the definition of "substantial harm or inconvenience" that appeared in the proposed amendments. The removed definition may nonetheless remain a useful guide to whether the harm or inconvenience is of the kind that triggers notice (for example, a likelihood of fraud, theft, harassment, physical harm, impersonation, intimidation, damage to reputation, diminished credit eligibility, or misuse of an individual's account or information to obtain financial products or services).
Service providers
The adopted rules also require covered institutions to build service-provider oversight into their incident response programs. The program's policies and procedures must be reasonably designed to allow the covered institution to exercise oversight, including through due diligence and monitoring, over service providers with which it shares customer information. They must also be designed to ensure that, if a service provider experiences a security incident affecting customer information, the provider notifies the covered institution as soon as possible, and in any event no later than 72 hours after discovery. The adopted rules allow a covered institution to have a service provider notify affected individuals directly, but make clear that responsibility for ensuring that all affected individuals receive notice ultimately rests with the covered institution.
The proposed amendments would have required covered institutions to enter into a written contract with each service provider setting out the terms described above. The final amendments dropped that contract requirement. As discussed below, however, covered institutions must maintain accurate records of any such agreements they do choose to enter into with service providers.
Recordkeeping
In addition to the incident response program described above, the adopted rules require covered institutions to create and maintain records documenting:
- any unauthorized access to or use of customer information, and the response to and recovery from it under the incident response program;
- the investigation and determination of whether customer notice was required, including the basis for the determination and a copy of any notice sent to individuals;
- the policies and procedures required for oversight of service providers; and
- any contracts entered into with service providers under the service-provider oversight requirements.
The records each covered institution must maintain are the same, but the retention periods vary by type of covered institution and match the retention periods already required for that type of institution.
Expanding the scope
The adopted amendments expand the definition of "customer information" to cover information in a covered institution's possession, or handled or maintained by or on behalf of a covered institution, regardless of whether that information pertains to (a) individuals with whom the covered institution has a customer relationship or (b) customers of other financial institutions that have provided the information to the covered institution. In other words, the new rules cover not only information about individuals who no longer have a customer relationship with the covered institution, but also information that a covered institution receives from third-party financial institutions.
For example, information that an RIA receives from the custodian of a former client's assets is subject to the adopted rules even though the individual no longer has an advisory relationship with the RIA, provided the former client remains a customer of the custodian or another financial institution. This expanded definition affects both the new notification requirements and the existing requirements under the Safeguards Rule of Regulation S-P.
The adopted rules also expand the scope of Regulation S-P to all transfer agents registered with the SEC or another appropriate regulatory agency. The changes to the definition of "customer information" described above therefore apply to transfer agents as well.
Comparison with previous cybersecurity proposals impacting RIAs, registered funds, and BDCs
In February 2022, the SEC separately proposed new requirements covering the cybersecurity practices and incident response of RIAs, registered funds, and BDCs (collectively, covered IM entities). The rules adopted under Regulation S-P and the February 2022 proposal overlap in some respects (both, for instance, require covered IM entities to have policies and procedures for responding to security incidents), but the February 2022 proposal is broader: it would require disclosure of incidents to a wider audience, including current and prospective advisory clients and fund shareholders, in addition to reporting to the SEC. The disclosures in the February 2022 proposal are aimed at improving clients' and shareholders' ability to assess cybersecurity risks and incidents and their potential effect on adviser and fund operations. The adopted amendments to Regulation S-P, by contrast, are focused on notifying individuals about unauthorized access to their sensitive customer information.
The SEC acknowledged that, given the similarities between the two sets of rules, covered IM entities could avoid duplicative effort by establishing a single set of policies and procedures designed to satisfy both the February 2022 proposal (if adopted) and the adopted amendments to Regulation S-P. The SEC also indicated that, where appropriate, a single notice to customers and investors could be used to provide the disclosures required under both.
Timing and next steps
Larger covered institutions must comply with the adopted rules within 18 months, and smaller covered institutions within 24 months, of the date of publication in the Federal Register. The adopting release treats the following as larger entities subject to the 18-month compliance period:
- an investment company that, together with the other investment companies in the same group of related investment companies, has net assets of $1 billion or more as of the end of its most recent fiscal year;
- an RIA with $1.5 billion or more in assets under management; and
- any broker-dealer or transfer agent that is not a small entity under the Securities Exchange Act for purposes of the Regulatory Flexibility Act.
All covered institutions should begin reviewing and updating their privacy and data security policies and procedures now, so that they are compliant by the compliance date that applies to their size and type.
[1] "Covered institution" does not include investment advisers that are not registered with the SEC (for example, exempt reporting advisers) or private investment funds.