To improve the protection of customer information, the Securities and Exchange Commission (SEC) formally proposed amendments to Regulation S-P with the goal of strengthening incident response and data breach procedures. Broker-dealers, investment firms, registered investment advisers, and transfer agents (collectively, covered institutions) would be obligated to inform affected individuals of any data breaches that could put them at risk of identity theft or other harm.
Currently, Regulation S-P does not require firms to notify customers of breaches, although firms must inform customers how their financial information is used. The proposed changes aim to close this gap by requiring covered institutions to notify clients of security incidents that may jeopardize their personal financial information.
According to the SEC Chair, Gary Gensler, these changes will aid consumers in protecting their privacy and financial or investment accounts. The proposed modifications bring Regulation S-P’s requirements up to speed with the increased use of technology and associated risks since the SEC first adopted the regulation in 2000.
Proposed Changes to Regulation S-P
Under the proposal, covered institutions would be required to implement written incident response procedures and regulations to address unauthorized access to or use of customer information. With certain exceptions, covered institutions would also need to notify clients whose personal information was or is likely to have been accessed or used without permission. Covered institutions would be required to provide notice as soon as possible, but no later than 30 days after learning of an incident in which unauthorized access or use of customer information occurred.
The proposed amendment also includes several other changes to Regulation S-P such as:
- Extending the safeguards rule to transfer agents registered with the SEC or other appropriate regulatory agency.
- Broadening and aligning the scope of the safeguards and disposal rules to cover “customer information,” a newly defined term. These rules would apply not only to nonpublic personal information (NPPI) that a covered institution collects about its own customers, but also to NPPI collected about customers of other financial institutions.
- Conforming Regulation S-P’s provisions regarding the annual distribution of privacy notices so that they are consistent with the statutory exception created by Congress in 2015 under the Fixing America’s Surface Transportation (FAST) Act.
What Does This Mean for Your Organization?
In anticipation of the enactment of the proposed amendments to Regulation S-P, your organization will need to review its cybersecurity, incident management, and identity theft red flags program to ensure these changes are incorporated. Some areas to consider are:
- Risk Assessments: periodic risk assessments to identify and prioritize cybersecurity risks and vulnerabilities. These assessments should be used to inform the development of the written security program.
- Access Controls: implementation of controls to restrict access to sensitive information to authorized personnel. This would include procedures for granting, modifying, and revoking access privileges, as well as authentication and authorization controls.
- Training and Awareness: annual cybersecurity training and awareness program for employees, contractors, and other relevant personnel to reduce the risk of human error and improve overall cybersecurity hygiene.
- Third-Party Service Providers: assessments of the cybersecurity risks associated with third-party service providers and implementation of controls to manage those risks. This would include due diligence and monitoring, as well as contractual obligations for cybersecurity.
- Ongoing Evaluation and Adjustment: regular evaluations and adjustments to the written information security program to ensure that the program remains effective and relevant in light of changing risks and threats.
- Identity Theft Red Flag Program: maintenance of a written identity theft red flag program that includes policies and procedures to identify and detect identity theft red flags, and periodic updates to the program in the event of a data breach. These procedures ensure that the program defines the organization’s response to the data breach.
How Wolf Can Help Covered Institutions Navigate Regulation S-P Changes
The proposed amendments to Regulation S-P will strengthen the protection of customer information by requiring covered institutions to adopt written policies and procedures for an incident response program and alert clients of data breaches that may expose their personal financial information.
To support your organization’s cybersecurity protocols, Wolf’s IT Advisory and Regulatory Compliance services will review your compliance with the statutory requirements, security best practices, and written identity theft red flag program. After a comprehensive review, our team will offer practical improvements to strengthen your program. Furthermore, our DenSecure cyber services will put your security to the test and help ensure that you never have an incident to report.