The SEC continued its recent onslaught of proposed cybersecurity rules in mid-March with three new proposals covering a litany of entities, including investment advisers, broker-dealers, investment companies, clearing agencies, national securities associations and exchanges, and transfer agents. Among the three proposals is the SEC's proposed revisions to Regulation S-P (Proposed Rule), the primary regulation covering, among other things, obligations for investment advisers, investment companies and broker-dealers (collectively, Covered Entities) to safeguard and dispose of sensitive customer information.
Given that Regulation S-P is the most often-used tool by the SEC's Division of Enforcement to date for enforcement actions based on customer data protection and cybersecurity incidents, the Proposed Rule could have significant ramifications for the agency's compliance and enforcement efforts. The Proposed Rule would arguably strengthen consumer data protections and (for better or worse) create a "Federal minimum standard" for breach notifications by Covered Entities. However, the proposed amendments may also create potentially overlapping incident response obligations, (once again) require Covered Entities to reconsider contractual relationships with third-party service providers and impose additional document retention requirements.
In this post, we provide a summary of the proposed revisions to Regulation S-P and offer some key takeaways concerning the proposed amendments.
Summary of the Proposed Amendments
The Proposed Rule is the agency's first proposed amendment to Regulation S-P since the mid-2000s. Given the significant changes in the types and use of technology over the last two decades, the Proposed Rule encompasses several proposed amendments. We highlight four of the main amendments: 1) the expanded scope of information covered by Section 30(a) of Regulation S-P (Safeguards Rule); 2) the adoption of a "reasonably designed" incident response program as part of Covered Entities' policies and procedures under the "Safeguards Rule" (Section 30(a) of Regulation S-P); 3) required notification to individuals whose sensitive personal information was or is reasonably likely to have been accessed or used without authorization; and 4) the creation and maintenance of certain written records documenting adherence to the Safeguards Rule and "Disposal Rule" (Section 30(b) of Regulation S-P).1
Expanded Scope of Safeguards Rule
Under the current version of the Safeguards Rule, Covered Entities have to adopt written policies and procedures "that address administrative, technical, and physical safeguards for the protection of customer records and information."2 The current definition of "customer" includes "a consumer who has a customer relationship with a [Covered Entity]."3
However, under the Proposed Rule, the SEC would significantly expand the type of information covered by the Safeguards Rule. The Proposed Rule would apply to all "customer information"4 in the possession of a Covered Entity that it "maintains or otherwise possesses for a business purpose."5 Importantly, this requirement applies "regardless of whether such information pertains to individuals with whom the [Covered Entity] has a customer relationship …."6 This expansion would bring the Safeguards Rule in line with the Disposal Rule, which currently requires proper disposal of certain records without regard to whether the individuals are customers.
Incident Response Program
The Proposed Rule notes that "[s]ecurity incidents can occur in different ways, such as through takeovers of online accounts by bad actors, improper disposal of customer information in areas that may be accessed by unauthorized persons, or the loss or theft of data that includes customer information."7 Under the Proposed Rule, Covered Entities would be required to adopt an incident response program to address unauthorized use of or access to "sensitive customer information."8 (See below for more on "sensitive customer information.")
Under the Proposed Rule, the incident response program would need to be "reasonably designed to detect, responds to, and recover from both unauthorized access to and unauthorized use of customer information."9 Although the program must contain "general elements," the Proposed Rule does not impose specific actions that a Covered Entity must take when undertaking incident response activities.10 However, the Proposed Rule would require a Covered Entity's written policies and procedures to:
- assess the nature and scope of the incident that involved the unauthorized access to or use of customer information
- identify the types of customer information that may have been subject to such unauthorized access or use
- take "appropriate steps" to contain and control the incident and to prevent further unauthorized access to or use of customer information
- notify each affected individual of the unauthorized access in a manner that complies with the notification requirement set forth elsewhere in the Proposed Rule11
The Proposed Rule also acknowledges the prevalence and importance of third-party service providers, who routinely have access to a Covered Entity's customer information systems and thus may expose it to the risk of a security incident.12 As a result, the Covered Entity's incident response policy must address the risk of harm resulting from security events not only at its own business, but also at third-party service providers.13
Notice to Individuals Affected by an Unauthorized Access to or Use of Sensitive Customer Information
Although Covered Entities are subject to certain customer notification requirements under other federal or state laws, the Safeguards Rule does not currently include a requirement for Covered Entities to notify affected individuals in the event of a breach.14 The Proposed Rule would require Covered Entities to provide notice to individuals whose "sensitive customer information" was, or is reasonably likely to have been, accessed or used without authorization.15 The SEC proposes to define "sensitive customer information" as a subset of customer information that "alone or in conjunction with any other information … could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information."16
The notice must be: 1) clear and conspicuous; 2) directed at each affected individual; 3) distributed by a written means designed to ensure a reasonable expectation that actual notice will be received; and 4) provided as soon as practicable, but no later than 30 days after the Covered Entity learns of the unauthorized access to or use of the sensitive customer information.17 Importantly, the notice requirement is triggered only by such access to or use of the sensitive customer information, as opposed to "information security incidents," which do not per se impose such a requirement.18
The Proposed Rule requires notice "as soon as practicable but not later than 30 days" after the entity becomes aware "that the unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred …."19 As discussed further below, the only exception to the timing requirement would be a written notification to the Covered Entity from the Attorney General of the United States that the notice may be delayed for a maximum of 30 additional days due to a purported "substantial risk to national security."20
Enhanced Document Preparation, Retention and Recordkeeping Obligations
The Proposed Rule would require Covered Entities, for the first time, to prepare and maintain written records documenting compliance with both the Safeguards Rule and the Disposal Rule.21 Specifically, the Proposed Rule "would require the covered institution to maintain written records documenting the [Covered Entity's] compliance" with the proposed rules concerning the Safeguards Rule and the Disposal Rule.22
The written records must document: 1) the assessment of the nature and scope of any incident involving unauthorized access to or use of customer information; 2) steps to control and mitigate any fallout from the incident; and 3) notifications to individuals who have been, or may be, affected by the incident.23 These records must also catalogue the policies and procedures applicable to third-party service providers.24
- Overlapping Cybersecurity Rule Proposals Could Create Multiple Obligations for Covered Entities: Although the SEC claims that the Proposed Rule is "not inconsistent" with other recently proposed cybersecurity rules,25 there is little question that the Proposed Rule creates a Venn diagram-like overlap of various cybersecurity obligations. For example, for investment advisers, the proposed incident response obligations under the Proposed Rule would seemingly overlap with the broader cybersecurity incident and recovery policies required under the proposed cybersecurity rules issued in 2022 (2022 Cybersecurity Proposal). Although she supported the Proposed Rule (with certain reservations), SEC Commissioner Hester Peirce did not hide her disapproval of the various overlapping cybersecurity proposals.26
This overlap appears to be the primary reason the SEC reopened the comment period on the 2022 Cybersecurity Proposal: "The reopened comment period will allow interested persons additional time to analyze the issues and prepare comments in light of other regulatory developments, including whether there would be any effects of other Commission proposals related to cybersecurity risk management and disclosure that the Commission should consider."27
- Potentially Contrary Incident Reporting Notifications: As the SEC acknowledged, all 50 states have enacted laws requiring firms to notify affected individuals of data breaches.28 Given that Covered Entities are currently subject to these state law notification requirements, the proposed "Federal minimum standard" creates, at a minimum, competing reporting requirements – and possibly conflicting ones. The SEC posits that this uniform standard will improve matters, as it imposes broader definitions of "sensitive customer information" and a tighter notification window than several state notification counterparts.29
However, the potential for conflict remains, and the SEC could only offer that the effect of any inconsistency "may" be mitigated because some states (but not all) offer safe harbors from state-level compliance for entities subject to compliance with federal laws.30 The uncertainty about conflicting notification obligations will necessitate Covered Entities retaining competent legal experts to untangle the web of disparate notification requirements.
- Lack of Law Enforcement Exception: As the SEC notes, the vast majority of states permit delayed notification for law enforcement purposes. These exceptions enable law enforcement personnel to conduct criminal investigations and identify bad actors without interference, a key component of the broader enforcement goal of removing the bad actors who cause these data breaches and security incidents.31 The Proposed Rule seemingly cuts against broader law enforcement efforts to tackle the root of the problem (the bad actors causing these issues).
The SEC's proposed workaround seems to be an onerous one: a written request from the Attorney General of the United States, and solely for national security issues. Additionally, even if that exception is granted, it lasts only for a maximum of 30 additional days.32 The lack of a law enforcement exception – the first item identified by Commissioner Peirce on her list of concerns about the Proposed Rule – shapes up to be one of the most hotly debated topics about the proposal during the comment process.
- More Rules, More Records, More Problems? Part and parcel of the SEC's proposed rulemaking for regulated entities has been an increased focus on mandatory documentation to demonstrate compliance with the rules. For example, as part of the SEC's proposed amendments to Rule 206(4)-7 of the Investment Advisers Act of 1940 (Compliance rule), the SEC is seeking to close a perceived gap and require investment advisers to document their annual reviews of the adequacy of their compliance programs.33 As part of its proposed amendment, the SEC noted that this "would allow our staff to determine whether an adviser has complied with the review requirement of the [C]ompliance rule."34 In a similar vein, the Proposed Rule would require Covered Entities to make and maintain written records documenting compliance with the requirements of the Safeguards Rule.35 Again, the SEC was clear that the purpose of this requirement is to "evidence compliance with these requirements."36 Such recordkeeping requirements cannot be overlooked: if ultimately adopted, they will become a key fixture in SEC examinations going forward.
- Third-Party Service Providers Remain a Focus for Cybersecurity Rulemaking: The SEC is clear that incidents at third-party institutions involving customer information could implicate aspects of the Proposed Rule.37 As we previously covered with the SEC's 2022 Cybersecurity Proposal, the SEC's focus on potential breaches at third-party service providers creates risks for regulated entities subject to these rules (in this case, Covered Entities). If implemented, this would likely necessitate not only revised policies and procedures concerning third-party service providers, but also renegotiated contractual terms with these parties.