SEC Proposes Amendments to Regulation S-P

Who may be interested: Registered Investment Companies, Investment Advisers, Broker-Dealers, Transfer Agents. 

Quick Take: The SEC proposed amendments to Regulation S-P which would establish minimum standards under Federal law requiring registered investment advisers, investment companies, broker-dealers and transfer agents (covered institutions) to adopt an incident response program for data security incidents involving customer information, including procedures for notifying persons affected by the incident within 30 days.

The SEC’s proposed amendments to Regulation S-P seek to enhance protection of customer information from breaches that might put personal financial data at risk. Currently, under Regulation S-P, registered investment advisers, investment companies and broker-dealers must adopt written policies and procedures designed to safeguard customer records and information (Safeguards Rule). SEC registered transfer agents, registered investment advisers, investment companies, and broker-dealers are also required by Regulation S-P to properly dispose of consumer report information in a manner that protects against unauthorized access to, or use of, such information (Disposal Rule).

The proposal would expand the scope of both the Safeguards Rule and Disposal Rule by making them applicable to customer information, a new term which encompasses records that contain nonpublic personal information that a covered institution collects about its own customers as well as nonpublic personal information that it receives about customers of other financial institutions.

The proposal would amend the Safeguards Rule by adding transfer agents¹ to the scope of the rule and require that a covered institution’s written policies and procedures include an incident response program designed to detect, respond to and recover from unauthorized access to, or use of, customer information. A covered institution’s incident response program would be required to include procedures to assess the nature and scope of any such incident and contain and control such incidents. 

Notably, the incident response program would be required to include procedures for notifying customers whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Sensitive customer information would include types of information that could likely be used in a way which would result in substantial harm, such as fraud, including identity theft. A covered institution would need to provide the notice as soon as practicable, but no later than 30 days after the covered institution becomes aware of the incident.

Under the proposal, covered institutions would be required to maintain records documenting their compliance with the amended Safeguards Rule and Disposal Rule.

The proposal will next be published in the Federal Register and be opened to public comment for 60 days from the date of its publication.

The SEC’s proposal is available here.

¹ Currently, the Safeguards Rule does not cover transfer agents. The proposal would expand the scope of the Safeguards Rule to include transfer agents registered with the SEC or another appropriate regulatory agency. The Disposal Rule currently only covers transfer agents registered with the SEC. The proposal would expand the Disposal Rule to also cover transfer agents registered with other appropriate regulatory agencies.