Securities and Exchange Commission to Impose Significant New Privacy and Cybersecurity Rules

Publication year: 2023

[Page 329]

Nicholas J. Losurdo, Boris Segalis, L. Judson Welle, Jonathan H. Hecht, Gregory Larkin, Andrew L. Zutz, and Christopher Grobbel*

In this article, the authors explain that the Securities and Exchange Commission is continuing its overhaul of cybersecurity, cyber incident reporting, and privacy controls and requirements for industry registrants, their services providers, and corporate America generally.

The Securities and Exchange Commission (SEC) recently has proposed three sweeping rulemakings covering privacy and cybersecurity requirements. This article focuses on the proposed amendments to Regulation S-P (Reg. S-P),[1] including a requirement that "covered institutions" notify customers of certain data and cyber incidents that may put them at risk.

Regulation S-P Amendments

Reg. S-P requires "covered institutions" (presently, broker-dealers (BDs), registered investment advisors (RIAs), and registered investment companies (RICs))[2] to safeguard customer records and information (pursuant to the "safeguards rule"—Rule 30(a)), properly dispose of consumer report information in a manner that protects against unauthorized access to or use of such information (pursuant to the "disposal rule"—Rule 30(b)), and implement privacy policy notice and opt-out provisions. The proposal would amend Reg. S-P to:

■ Require covered institutions to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. The incident response program would need to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, must include procedures to assess the nature and scope of any such incident, and must be reasonably designed to contain and control such incidents. The proposal would also impose certain incident response program requirements related to a covered institution's relationships with service providers.
■ Require covered institutions to have written policies and procedures to provide timely notification to affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. Notice would be required as soon as practicable, but not later than 30 days after a covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. However, no notice would be required if the covered institution determines that the sensitive customer information was not actually accessed and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.
■ Expand the safeguards and disposal rules to cover "customer information," a newly defined term referring to any record containing "nonpublic personal information" (NPI, which is already defined in Reg. S-P), about a customer of a covered institution. This would apply both rules to the NPI a covered institution collects about its own customers and the NPI it receives from a third-party financial institution.
■ Require certain documentation of compliance with the requirements of the safeguards rule and disposal rule.
■ Relieve covered institutions from the Reg. S-P annual privacy notice delivery provisions if the covered institution provides NPI to nonaffiliated third parties only in accordance with the existing exceptions to the notice and opt-out requirements of Reg. S-P.
...
