On March 15, 2023, the SEC proposed three sweeping proposed rulemakings covering privacy and cybersecurity requirements. This alert focuses on the proposed amendments to Regulation S-P, including requiring “covered institutions” to notify customers of certain data and cyber incidents that may put them at risk.
Regulation S-P Amendments
- Require covered institutions to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. The incident response program would need to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, must include procedures to assess the nature and scope of any such incident, and must be reasonably designed to contain and control such incidents. The proposal would also impose certain incident response program requirements related to a covered institution’s relationships with service providers.
- Require covered institutions to have written policies and procedures to provide timely notification to affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. Notice would be required as soon as practicable, but not later than 30 days after a covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. However, no notice would be required if the covered institution determines that the sensitive customer information was not actually accessed and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.
- Expand the safeguards and disposal rules to cover “customer information,” a newly defined term referring to any record containing “nonpublic personal information,” (NPI, which is already defined in Reg. S-P), about a customer of a covered institution. This would apply both rules to the NPI a covered institution collects about its own customers and the NPI it receives from a third party financial institution.
- Require certain documentation of compliance with the requirements of the safeguards rule and disposal rule.
- Relieve covered institutions from the Reg. S-P annual privacy notice delivery provisions if the covered institution provides NPI to nonaffiliated third parties only in accordance with the existing exceptions to notice and opt out requirements of Reg. S-P and the covered institution has not changed its policies and practices regarding disclosing NPI since its previous disclosure.
- Extend the safeguards rule to registered TAs and extend the disposal rule to all TAs (today, it only covers SEC-registered TAs).
The proposal raises several practical questions, including whether the SEC (and FINRA for BDs) will consider the occurrence of a cybersecurity incident impacting sensitive customer information to be a de facto rule violation. They should not, both from a practical perspective and based on the proposed rule text. For example, the reasonableness standard relates to detecting, responding to, recovering from, containing, and controlling an incident. Importantly, the SEC does not refer to preventing unauthorized access.
However, and for example, FINRA Rule 3310 requires BDs to maintain a supervisory system and procedures “reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.” In most SEC and FINRA cyber enforcement actions against BDs and RIAs, the regulators allege violations of the Safeguards Rule, Rule 201 of Reg. S-ID (regarding the detection, prevention, and mitigation of identity theft), and for BDs, FINRA Rules 3110 (Supervision) and 2010 (observing high standards of commercial honor and just and equitable principles of trade).
In these cases, the SEC and FINRA typically lead with the de facto violation mindset, placing the burden on firms to demonstrate that their policies, procedures, controls, and implementation were robust and “reasonably designed.” Even then, it can be an uphill battle to convince SEC or FINRA staff that the incident was not due to a design flaw in the firm’s cybersecurity policy or procedures. Regulators increasingly seem to understand that cyber incidents are a “when,” not an “if,” for most organizations. Their focus, as the proposed rules reflect, is on organizations’ resiliency and capacity to detect, respond to, and recover from cyber incidents and make the required notifications to impacted individuals.
The SEC does not provide a detailed explanation of what it means by detecting, responding to, recovering from, containing, and controlling an incident, but acknowledges guidance published by the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA). The SEC specifically asks whether it should impose adherence to that guidance under the proposed rules. The SEC proposed rules do require that covered institutions adopt policies that include measures to assess the nature and scope of any incident, identify the information accessed without authorization, take appropriate steps to prevent further unauthorized access of information, and begin the process of investigating the extent of unauthorized use and, as appropriate, notifying affected individuals.
Finally, the new compliance documentation requirement may present challenges for firms that regularly conduct internal or external audits of their systems and controls. The proposal is silent as to documenting potential non-compliance. Firms may be more reluctant to conduct these audits if regulatory exam teams use any identified gaps or weaknesses to build a case for alleging noncompliance.
The SEC makes “sensitive customer information” the focus of the proposal. This would include “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” Non-exclusive examples from the SEC include PII (like a social security number, driver’s license number, or biometric record) and customer account information (like account number, name of account holder, username, password, or security question information), but the definition may draw in other data elements. The scope of coverage extends beyond an organization’s own customers to reach “individuals that are customers of other financial institutions whose information has been provided to the covered institution, and whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization.” Covered institutions will certainly approach the new scope differently and will need to train their personnel based on the nature of customer information gathered, as well as implement technical and administrative measures to protect it.
Access or Use
The proposal bases certain obligations of covered institutions on whether their customers’ sensitive information was subject to unauthorized access or use. The SEC rules use the term “reasonable investigation” in this context; however, not all covered institutions have dedicated or qualified internal or contract resources to conduct what the SEC might view as reasonable. It makes every bit of sense to review existing capabilities and make plans to enlist experts in cyber incident response investigations.
Absent customer data showing up on the dark web or customers being phished or otherwise defrauded, firms may find it difficult to determine whether the unauthorized party actually uses the information. Firms should proactively “bump up logging” on their systems to be able to answer difficult questions around data access. Absent these capabilities, if a database containing customer sensitive information is penetrated by an unauthorized party, firms may need to consider each customer file in that database to have been accessed, even if not definitively the case.
Investigation and Notice
In the event of an incident, under the terms of the proposal, a covered institution will need to conduct a reasonable investigation of whether the accessed information (1) rises to the level of sensitive customer information and (2) is reasonably likely to be used in a manner that would result in substantial harm or inconvenience. If yes to both, notice to affected individuals would be required. However, if the institution can affirmatively determine that the answer to the second prong is no, then it need not provide any notice. A covered institution’s investigation would need to reveal information sufficient for the institution to affirmatively “conclude that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.” A mere lack of knowledge of the same would not suffice.
The proposed rule defines substantial harm or inconvenience as “personal injury, or financial loss, expenditure of effort or loss of time that is more than trivial.” Examples provided within the definition itself include “theft, fraud, harassment, physical harm, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the misuse of information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise misuse the individual’s account.” The SEC notes that the broad definition is intended to “include a broad range of financial and non-financial harms and inconveniences that may result from failure to safeguard sensitive customer information.”
If the SEC adopts the proposal, we foresee most firms taking a cautious approach and providing notice even after affirmatively concluding “no substantial harm or inconvenience.” Many institutions will not want to risk concluding “no substantial harm or inconvenience” and not providing notice, only to have customer information turn up on the dark web later and later be second-guessed by regulators. Such an outcome that would almost certainly result in a finding of violation by the SEC or FINRA, with stiffer sanctions than had the firm notified customers earlier. The notice obligation is also ongoing, such that if the determination that no substantial harm or inconvenience is likely changes over time, notification to affected individuals would be required.
Alphabet Regulatory Soup
The SEC has been quite vocal about its concerns around cyber. But the SEC is just one of many in the alphabet soup of regulators (both federal and state) with jurisdiction over many covered institutions, including DOJ, the FTC, and NYDFS. For example, as we covered in our recent blog post, NYDFS continues to escalate and expand its enforcement efforts related to cyber security and also somewhat recently proposed amendments to Part 500, which, if finalized, will impose even more stringent requirements on firms.
The public comment period will run through June 5, 2023. We will follow up with coverage of the other two proposals:
- Proposed new Rule 10, new Form SCIR, and related cybersecurity requirements for “Market Entities” that perform critical services (including BDs, FINRA, the MSRB, exchanges, TAs, clearing agencies, and transfer agents).
- Proposed expansion of Reg. SCI, including new requirements for, and expanding the scope of, covered “SCI Entities” to include all clearing agencies.
On the same day as the proposal was issued, the SEC re-opened the comment period on the proposed new rules (Rule 206(4)-9 under the Advisers Act and Rule 38a-2 under the 1940 Act) and amendments relating to the cybersecurity practices and response measures of registered investment advisers and registered investment companies that were initially proposed by the SEC on February 9, 2022 (2022 Proposal). The SEC made clear that the comment period for the 2022 Proposal is being reopened to allow those interested additional time to analyze the issues and prepare comments considering recent regulatory developments, including the proposed amendments to Reg. S-P.
In that regard, there is significant overlap between the Reg. S-P amendments and certain aspects of the 2022 Proposal. For example, both would require the adoption of a cybersecurity incident response program. Additionally, the 2022 Proposal creates an obligation to report “significant cybersecurity incidents” to the SEC. Under the proposed Reg. S-P amendments, an information breach that triggers mandatory customer notification (within 30 days) would also amount to a significant cybersecurity incident that triggers an SEC reporting requirement (within 48 hours). The SEC acknowledged this overlap in the proposing release for Reg. S-P and offered assurances that entities required to comply with both rules, if adopted, would be able to avoid duplicative efforts by adopting one set of policies or providing a single notice, where applicable.
Registrants and others can and should use these developments as an opportunity to evaluate their cybersecurity programs, specifically their incident detection and response procedures and controls, and consider whether enhancements are needed, even if simply from a best practices standpoint. These steps could include:
- Attention to “cyber hygiene,” with a focus on cybersecurity awareness training for users, data and asset inventories, privileged access management, authentication controls (like multi-factor authentication), and vulnerability detection through security testing
- Review of Reg. S-P policies and procedures, with a specific focus on the timing and substance of disclosures of cyber events
- Preparation, review, re-tooling, and testing of Incident Response Plans
- Conducting a holistic cyber risk assessment to identify and prioritize investments to address critical gaps in their cybersecurity program
- Evaluation of cyber risk disclosures, including their accuracy, completeness, and timeliness, and
- Assessment of cybersecurity measures of vendors that maintain customer information, including policies and procedures for performing diligence on third parties.
Clearly, cybersecurity is an ongoing priority for the Commission and, in particular, the Division of Enforcement. The proposed rules would provide an additional avenue for Enforcement to pursue. If adopted, enforcement risk will increase, and covered institutions will need to pay particular attention not just to their policies and procedures but also to their notification obligations and the content of those notifications.
 Currently, TAs are not subject to the safeguards rule, and only SEC-registered TAs are subject to the disposal rule.
Nicholas J. LosurdoPartner
L. Judson WellePartner
Jonathan H. HechtPartner
Andrew L. ZutzPartner