SEC Adopts Significant Cybersecurity Changes to Regulation SP | Kramer Levin Naftalis & Frankel LLP

On May 16, 2024, the Securities and Exchange Commission (SEC) adopted final amendments to Regulation SP, one year after issuing the proposed amendments (discussed here). Regulation SP is a set of privacy rules that govern how certain financial institutions treat nonpublic personal information. The amendments are intended to modernize the requirements for broker-dealers (including funding portals); investment companies such as mutual funds, closed-end funds and business development companies (BDCs); SEC-registered investment advisers (RIAs); and transfer agents (collectively, “Covered Institutions”)(1) to address the wider use of technology and the associated risks that have arisen since the rules were first adopted in 2000.

The adopted rules expand the scope of information covered by Regulation SP. They also add new requirements under the safeguards and disposal rules of Regulation SP (the “Safeguards Rule”) regarding a Covered Institution’s incident response program, service provider oversight, recordkeeping, and notification of individuals following a security incident. These adopted rules differ from the additional cybersecurity requirements the SEC proposed for RIAs, registered funds and BDCs in February 2022, which are also discussed below.

Incident response programs

The adopted rules require Covered Institutions to implement an incident response program as part of their cybersecurity program. The incident response program must include policies and procedures “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” These policies and procedures must address the Covered Institution’s ability to assess the nature and scope of any incident involving unauthorized access to or use of customer information; identify the systems and types of customer information that may have been compromised; notify each affected individual whose sensitive customer information has been, or is reasonably likely to have been, compromised; and take appropriate steps to contain and control the incident to prevent further unauthorized access or use.

Sensitive customer information is defined as “any item of customer information, alone or in combination with other information, the breach of which would create a reasonably probable risk of material harm or inconvenience to an individual.” Examples of sensitive customer information include government identification numbers; biometric records; a unique electronic identification number, address or routing code; unique identifiers of telecommunications devices or signals; and information identifying the individual or that individual’s account number in combination with any of the information listed above or any information that would allow access to the account, such as a security code.

The adopted rules do not prescribe the specific procedures that an incident response program must contain. However, the adopting release states that Covered Institutions should periodically review and update their policies and procedures to ensure that they remain reasonably designed.

Notice to individuals

Covered Institutions must notify affected individuals within 30 days of becoming aware of unauthorized access to or use of an individual’s sensitive customer information. These notices must include the following information:

  • The nature and date of the incident, including the types of sensitive customer information that have been, or are reasonably believed to have been, compromised
  • The Covered Institution’s contact information, including at least a telephone number (toll-free, if available), an email address or equivalent, a postal address, and the name of the specific office to contact for further information and assistance
  • A recommendation that the individual review account statements and report suspicious activity
  • Information regarding consumer credit reports, including how the individual can obtain a copy of the credit report and how to place a fraud alert on it
  • Information about online resources the individual can use to help prevent identity theft

Notification is not required if the Covered Institution, after a reasonable investigation, determines that the “sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.” The final amendments removed the definition of “substantial harm or inconvenience” that was included in the proposed amendments. However, the removed definition may still be useful in assessing whether a harm or inconvenience requires notification (e.g., in cases that may result in fraud, theft, harassment, physical harm, impersonation, intimidation, damage to reputation or creditworthiness, or misuse of an individual’s account or information to obtain a financial product or service).

Service providers

The adopted rules also require Covered Institutions to include service provider oversight as part of the incident response program. The oversight must be reasonably designed to ensure, including through due diligence and monitoring, that any service provider with which the Covered Institution shares customer information takes appropriate measures to protect it. These policies and procedures must also be designed to ensure that service providers notify the Covered Institution as soon as possible, and in any event within 72 hours of discovery, of any breach in security experienced by the service provider that affects customer information. The adopted rules permit Covered Institutions to have their service providers notify affected individuals directly, but make clear that the responsibility for ensuring that all affected individuals ultimately receive notice remains with the Covered Institution.

The proposed amendments would have required Covered Institutions to enter into written agreements with their service providers containing the terms described above. The final amendments removed that requirement. As noted below, however, Covered Institutions must maintain records of any agreements they do choose to enter into with service providers.

Record keeping

In addition to the incident response program described above, the adopted rules require Covered Institutions to make and maintain written records documenting:

  • Any unauthorized access to or use of customer information, and any response to and recovery from such unauthorized access or use required by the incident response program
  • Any investigation and determination as to whether notice to individuals is required, including the basis for the determination and a copy of any notice provided to individuals following that determination
  • The policies and procedures required to provide oversight of service providers
  • Any contract entered into pursuant to the service provider oversight requirements

Although the records that each Covered Institution must keep are the same, the retention period varies by type of Covered Institution and is consistent with the existing retention periods already required for each type of entity.

Extended scope

The adopted rules expand the definition of “customer information” to include “information in the possession of a Covered Institution or information that is handled or maintained by or on behalf of a Covered Institution, regardless of whether such information pertains to (a) individuals with whom the Covered Institution has a customer relationship or (b) the customers of other financial institutions, where such information has been provided to the Covered Institution.” As a result, the rules now cover customer information about individuals who no longer have a customer relationship with a Covered Institution, as well as information that a Covered Institution receives from third-party financial institutions.

For example, information that an RIA receives from the custodian of a former client’s assets is covered by the adopted rules if the former client remains a customer of the custodian or another financial institution, even though the individual no longer has a client relationship with the adviser. This expanded definition affects both the new notification requirements and the existing requirements under the Safeguards Rule of Regulation SP.

The adopted rules also extend Regulation SP to any transfer agent registered with the SEC or another appropriate regulatory agency. The amended definition of “customer information” described above therefore now applies to transfer agents as well.

Comparison with previous cybersecurity proposals affecting RIAs, registered funds and BDCs

In February 2022, the SEC separately proposed new requirements covering the cybersecurity practices and incident response measures of RIAs, registered funds and BDCs (collectively, “covered IM entities”). While the rules adopted under Regulation SP and the February 2022 proposals share some requirements (including that covered entities have policies and procedures to respond to security incidents), the February 2022 proposals are broader in that they would require disclosure of incidents to a wider audience, including current and prospective advisory clients and fund shareholders, as well as reporting to the SEC. The disclosures required under the February 2022 proposals focus on improving the ability of clients and shareholders to assess cybersecurity risks and incidents and their potential impact on the businesses of advisers and funds. The adopted amendments to Regulation SP, by contrast, focus on notifying individuals of unauthorized access to their sensitive customer information.

The SEC stated that, given the similarities between the two sets of rules, covered IM entities could avoid duplication of effort by establishing a single set of policies and procedures designed to satisfy the requirements of both the February 2022 proposals (if adopted) and the adopted amendments to Regulation SP. The SEC also indicated that, where appropriate, a single notice could be used to provide customers and investors with the information required under both sets of rules.

Timetable and next steps

Larger Covered Institutions will have 18 months, and smaller Covered Institutions 24 months, from the date of publication in the Federal Register to comply with the adopted rules. The adopting release sets out the following criteria for determining which Covered Institutions are considered larger entities and must comply within 18 months:

  • Investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $1 billion or more as of the end of the most recent fiscal year
  • RIAs with $1.5 billion or more in assets under management
  • All broker-dealers and transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act

All Covered Institutions should begin reviewing and updating their privacy and data security policies and procedures to ensure compliance before the compliance date applicable to their size and type of institution.

(1)“Covered institutions” does not include investment advisers not required to register with the SEC (e.g., exempt advisers) or private investment funds.