SEC Amends Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

Alert
June 18, 2024

On May 16, 2024, the SEC issued a release (the “Release”) adopting amendments to Regulation S-P[1] (the “Amendments”) that require broker-dealers, registered investment companies (together with business development companies, “registered funds”) and registered investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer information, including procedures for notifying persons affected by the incident within 30 days. The Amendments are substantially identical to the proposals in the 2023 proposing release (described in Ropes & Gray’s March 2023 Alert).

The Amendments also:

  • Require response programs to include written policies and procedures that address the risk of harm posed by security compromises at a covered institution’s service providers, including written policies and procedures reasonably designed to require oversight of service providers;
  • Include transfer agents among the covered institutions that are subject to the safeguards rule (described below) and response program requirements;
  • Require covered institutions to adopt and implement written policies and procedures to address the disposal of customer information;
  • Require covered institutions to maintain written records documenting compliance with the Amendments; and
  • Conform Regulation S-P’s annual privacy notice delivery provisions to include an exception required by a 2015 statutory amendment to the Gramm-Leach-Bliley Act (the “GLBA”).

The Amendments are described in detail below followed by Ropes & Gray’s observations.

I. BACKGROUND

Regulation S-P was adopted by the SEC in 2000. Currently, Regulation S-P’s provisions include, among other requirements, Rule 248.30(a) (the “safeguards rule”), requiring broker-dealers, registered funds and investment advisers to adopt written policies and procedures covering safeguards that protect customer records and information.

  • Currently, there are no SEC rules that require broker-dealers, registered funds, investment advisers or transfer agents to have policies and procedures for responding to data breach incidents or to notify customers of those breaches.
  • The safeguards rule does not currently apply to transfer agents.

Another provision of Regulation S-P, Rule 248.30(b) (the “disposal rule”), which applies to transfer agents registered with the SEC and entities covered by the safeguards rule, requires proper disposal of “consumer report information.”

II. ALIGN DEFINITIONS UNDER THE SAFEGUARDS AND THE DISPOSAL RULES

The Amendments update the safeguards rule by introducing a new defined term, “customer information,” to replace the term “customer records and information” in the current rule.[2] This new definition expands the scope of the safeguards rule. Currently, Regulation S-P defines “customer” as “a consumer who has a customer relationship with you” and, therefore, the rule currently protects only the “records and information” of individuals who are customers of the particular institution and not others, such as individuals who are customers of another “financial institution.”[3] In contrast, the Amendments will cause the safeguards rule to have a broader reach.

  • As an example, the Release notes that, giving effect to the Amendments, information a registered investment adviser has received from the custodian of a former client’s assets would be covered under both the safeguards rule and the disposal rule if the former client remains a customer of either the custodian or of another financial institution, even though the individual no longer has a customer relationship with the investment adviser. In practice, this means that the investment adviser must comply with the safeguards rule until the adviser disposes of the former client’s customer information in compliance with the disposal rule.
  • We believe that a private fund would be deemed to be a financial institution. Therefore, the new definition of customer information captures customer information of private fund limited partners who are natural persons that an investment adviser possesses, handles or maintains on behalf of a private fund it advises.

The adopted definition of “customer information” defines the scope of information covered by both the safeguards and disposal rules. In addition to updating what constitutes customer information that must be protected under the safeguards rule, the definition expands the scope of the disposal rule, discussed below.

III. SAFEGUARDS RULE POLICIES AND PROCEDURES

Under the amended safeguards rule, the required written policies and procedures must be reasonably designed to:

  • Ensure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of customer information; and
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

The term “customer” is unchanged from the existing definition in Regulation S-P and means a “consumer”[4] who has a “customer relationship” with you.[5]

The Release notes that a covered institution can adopt a single set of written policies and procedures covering Regulation S-P and other rules, provided that the policies and procedures meet the requirements of each rule.

IV. AMENDMENTS TO THE DISPOSAL RULE

As noted above, the Amendments also apply the term customer information to the disposal rule, which requires proper disposal of certain records about individuals.

As amended, the disposal rule requires that every covered institution, other than notice-registered broker-dealers,[6] must properly dispose of “customer information” and “consumer information”[7] (the latter is a new term to replace “consumer report information”[8] within the existing disposal rule) by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. Thus, the amended disposal rule applies to both “customer information” and “consumer information” regardless of whether such information pertains to (i) individuals with whom the covered institution has a customer relationship or (ii) the customers of other financial institutions where such information has been provided to the covered institution.

The Release additionally amends the disposal rule to require covered institutions to adopt and implement written policies and procedures under the disposal rule that address the proper disposal of consumer information and customer information according to a standard of taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal (i.e., the same standard under the existing disposal rule).

V. ADDITIONAL AMENDMENTS TO THE SAFEGUARDS RULE

A. Incident Response Program for Unauthorized Access to or Use of Customer Information

The amended safeguards rule introduces a new requirement that the written policies and procedures that are required under the rule must include a program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. Specifically, the Amendments require that a covered institution’s response program must include procedures for the covered institution to:

  • Assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems[9] and types of customer information that may have been accessed or used without authorization;
  • Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and
  • Notify each affected individual whose “sensitive customer information”[10] was, or is reasonably likely to have been, accessed or used without authorization, unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident that occurred at the covered institution or one of its service providers that is not itself a covered institution, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

As an example, the Release states that a covered institution’s assessment may include gathering information about the type of access, the extent to which systems or other assets have been affected, the level of privilege attained by any unauthorized persons, the operational or informational impact of the breach and whether any data has been lost or exfiltrated.

Unlike the notification requirement (discussed below), which applies only to “sensitive customer information,” the Amendments explicitly require that covered institutions’ incident response programs (i) address any incident involving customer information and not merely those involving sensitive customer information and (ii) account for the identification of affected customer information systems in addition to the types of customer information that may have been accessed or used without authorization.

Concerning a covered institution taking “appropriate steps,” the Release states that strategies for containing and controlling an incident vary depending upon the type of incident and may include, for example, isolating compromised systems or enhancing the monitoring of intruder activities, searching for additional compromised systems, changing system administrator passwords, rotating private keys, and changing or disabling default user accounts and passwords, among other interventions.

The Release also notes that the Amendments require a covered institution’s incident response program to include policies and procedures containing only certain general elements, thereby permitting covered institutions to tailor their policies and procedures to their individual facts and circumstances and that covered institutions can continue to use a risk-based approach to tailor their assessment and containment policies and procedures if they choose to do so, provided the required elements of the incident response program are met.

The Release additionally notes that covered institutions generally should consider reviewing and updating the assessment and the containment and control procedures periodically to ensure that the procedures remain reasonably designed.

B. Notification to Affected Individuals of Unauthorized Access or Use

In General. The amended safeguards rule requires that a covered institution provide a clear and conspicuous notice, or ensure that such notice is provided, to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident that occurred at the covered institution or one of its service providers that is not itself a covered institution, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

The Release clarifies that, when the Amendments refer to “unauthorized access to or use,” the word “unauthorized” modifies both “access” and “use.”

The notice must be transmitted by a means designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing. Unlike some state laws, a particular form of notice or method of delivery (e.g., first-class mail) is not required.

The Release further notes that:

  • Customer information that is not disposed of properly could trigger the requirement to notify affected individuals under the Amendments; and
  • For a covered institution’s customer notification procedures to remain reasonably designed, the covered institution’s policies and procedures generally should be designed to include revisiting notification determinations whenever the covered institution becomes aware of new facts that are potentially relevant to the determination. For example, if at the time of the incident, a covered institution determines that risk of use in a manner that would result in substantial harm or inconvenience is not reasonably likely based on the use of encryption in accordance with industry standards but, subsequently, the encryption is compromised, the covered institution generally should revisit its determination.

Sensitive Customer Information. The notification requirements apply only to “sensitive customer information,” which is a subset of customer information and does not encompass all nonpublic customer information.

Examples of sensitive customer information are detailed in the Amendments and include:

  • Customer information uniquely identified with an individual that has a reasonably likely use as a means of authenticating the individual’s identity, including:
      • A Social Security number, official State- or government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
      • A biometric record;
      • A unique electronic identification number, address, or routing code;
      • Telecommunication identifying information or access device; or
  • Customer information identifying an individual or the individual’s account, including the individual’s account number, name or online user name, in combination with authenticating information such as information described under the examples of sensitive customer information described above, or in combination with similar information that could be used to gain access to the customer’s account such as an access code, a credit card expiration date, a partial Social Security number, a security code, a security question and answer identified with the individual or the individual’s account, or the individual’s date of birth, place of birth, or mother’s maiden name.

Reasonable Investigation. The Amendments establish a rebuttable presumption requiring notice.

  • As noted above, a covered institution is not required to provide the notification if the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident that occurred at the covered institution or one of its service providers that is not itself a covered institution, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
  • In a change from the 2023 proposing release, the Amendments provide that, if a covered institution “reasonably determines that a specific individual’s sensitive customer information . . . was not accessed or used without authorization, the covered institution is not required to provide notice to that individual.” (Emphasis added).
  • Conversely, if the covered institution is unable to identify which specific individuals’ sensitive customer information has been accessed or used, the covered institution must provide notice to all individuals whose sensitive customer information resides in the relevant customer information system. (Emphasis added).

The Release states that whether an investigation is reasonable depends on the particular facts and circumstances of the unauthorized access or use. Moreover, information related to the nature and scope of the incident may be relevant to determining the extent of the investigation, such as (i) whether the incident is the result of internal unauthorized access or an external intrusion, (ii) the duration of the incident, (iii) what accounts have been compromised and at what privilege level and (iv) whether and what type of customer information may have been copied, transferred or retrieved without authorization.

For any determination that a covered institution makes that notice is not required, the covered institution will be required to maintain a record of the investigation and the basis for its determination.

Substantial Harm or Inconvenience. In a change from the 2023 proposing release, the SEC declined to define the term “substantial harm or inconvenience” in the Amendments. Instead, whether a given harm or inconvenience rises to the level of a substantial harm or a substantial inconvenience will “depend on the particular facts and circumstances surrounding an incident.” However, drawing on examples detailed in the definition of “substantial harm” in the 2023 proposing release, the Release states that the earlier definition “may be a useful starting point for this determination.” The Release also states that a covered institution “may consider encryption as a factor in determining whether the compromise of customer information could create a reasonably likely harm risk to an individual identified with the information.”

Timing of the Notification. A covered institution must provide the required notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The Release states that the amount of time that would constitute “as soon as practicable” may vary based on several factors, such as the time required to assess, contain and control the incident.

As an example, the Release states that an incident of unauthorized access by a single employee to a limited set of sensitive customer information may take only a few days to assess, remediate and investigate. “In those circumstances,” the Release states, “a covered institution generally should provide notices to affected individuals at the conclusion of those tasks and as soon as the notices have been prepared.”

  • The Amendments permit covered institutions to delay providing notice if the United States Attorney General determines that the notice required under the Amendments poses a substantial risk to national security or public safety, in which case the covered institution may delay such notice for a period specified by the Attorney General, up to 30 days following the date when such notice was otherwise required to be provided.[11]
  • A covered institution’s mere request to the Attorney General – to determine that the required notification would pose a substantial risk to national security or public safety – does not change the covered institution’s obligation to provide notice to affected individuals within the timing required under the Amendments.

Written Notice Contents. As noted above, the Amendments require covered institutions to provide notice in a clear and conspicuous manner and by means designed to ensure that the customer can reasonably be expected to receive actual notice in writing. The Amendments require that the written notification:

  • Describe in general terms the incident and the type of sensitive customer information that was or is reasonably believed to have been accessed or used without authorization;
  • Include, if the information is reasonably possible to determine at the time the notice is provided, any of the following: the date of the incident, the estimated date of the incident, or the date range within which the incident occurred;
  • Include contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident, including the following: a telephone number (which should be a toll-free number if available), an email address or equivalent method or means, a postal address and the name of a specific office to contact for further information and assistance;
  • If the individual has an account with the covered institution, recommend that the customer review account statements and immediately report any suspicious activity to the covered institution;
  • Explain what a fraud alert is and how an individual may place a fraud alert in the individual’s credit reports to put the individual’s creditors on notice that the individual may be a victim of fraud, including identity theft;
  • Recommend that the individual periodically obtain credit reports from each nationwide credit reporting company and that the individual have information relating to fraudulent transactions deleted;
  • Explain how the individual may obtain a credit report free of charge; and
  • Include information about the availability of online guidance from the Federal Trade Commission (the “FTC”) and usa.gov regarding steps an individual can take to protect against identity theft, a statement encouraging the individual to report any incidents of identity theft to the FTC and include the FTC’s website address where individuals may obtain government information about identity theft and report suspected incidents of identity theft.

The Amendments permit covered institutions to include additional information but do not permit omission of the prescribed information.

C. Response Program Requirements Related to Service Providers

In General. The Amendments require that a covered institution’s response program must include the establishment, maintenance and enforcement of written policies and procedures reasonably designed to require oversight of service providers, including oversight through due diligence and monitoring, to ensure that the covered institution notifies affected individuals in accordance with the Amendments’ notification requirements.

“Service provider” is defined to mean any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.

  • The Release clarifies that the definition of service provider can include affiliates of a covered institution.
  • In addition, the Release indicates that the requirements related to service providers that are covered institutions apply even where the service provider has a direct contractual relationship with the client instead of with the adviser.[12]

The policies and procedures required by the Amendments must be reasonably designed to ensure service providers take appropriate measures to:

  • Protect against unauthorized access to or use of customer information; and
  • Provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider. Upon receipt of such notification, the covered institution must initiate its incident response program.

The Amendments require notification to a covered institution if there is a breach that results in “unauthorized access to a customer information system maintained by the service provider.” This is a broader set of customer information than “sensitive customer information” that can trigger a covered institution’s obligation to notify affected individuals. The Release notes that this broader scope is consistent with the fact that a covered institution’s incident response program must be reasonably designed to “address any incident involving customer information – not merely those involving sensitive customer information – and also account for the identification of affected customer information systems in addition to the types of customer information that may have been accessed or used without authorization.” (Emphasis in original).

Diligence and Monitoring of Service Providers. The Release notes that, while it may be helpful to a covered institution in complying with the Amendments to receive “reasonable assurances” from its service providers that they have taken appropriate measures to both protect customer information and provide timely notification to the covered institution in the event of a breach of the service provider’s customer information systems, “reliance solely on such assurances may be insufficient depending on the facts and circumstances, for example, when a covered institution knows, or has reason to know, that such assurance is inaccurate.”

The Release states that covered institutions should consider reviewing and updating these policies and procedures periodically throughout their relationship with a service provider, including updates designed to address any information learned during the course of their monitoring, and that covered institutions may wish to consider employing such tools as independent certifications and attestations obtained from the service provider as part of their policies and procedures to require oversight, including through due diligence and monitoring, of the service provider.

More on Incident Response Programs and Service Providers. The Amendments provide that, where a service provider (that is not itself a covered institution) provides notice to a covered institution that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider, that covered institution will be required to initiate its incident response program and thereafter, if applicable, provide notice to affected individuals.

A covered institution also must initiate its incident response program where the covered institution has otherwise independently detected an incident of unauthorized access to or use of customer information at the service provider.

As noted above, the Amendments require service providers to take appropriate measures to provide covered institutions with notice “as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.” The Release notes that the “becoming aware” standard was adopted to enable a covered institution “to implement its incident response program expeditiously.”

As part of its incident response program, a covered institution may enter into a written agreement with its service provider to notify affected individuals on the covered institution’s behalf in accordance with the notification requirement detailed above. Nonetheless, the Amendments provide that, notwithstanding a covered institution’s use of a service provider, the obligation to ensure that affected individuals are notified in accordance with the notification requirements rests with the covered institution.

  • The Release notes that a covered institution’s policies and procedures should consider including steps for conducting reasonable due diligence to confirm that a contractually obligated service provider, in fact, has provided notice to affected individuals.
  • Separately, the Release notes that effective oversight might also include (i) obtaining confirmation of delivery of such notification in the form of attestations or certifications by the service provider and (ii) confirming with a sample of affected customers that they received service provider notifications.

Service Providers that are Covered Institutions. As described above, the Amendments apply to customer information in a covered institution’s possession or that is handled or maintained on the covered institution’s behalf, regardless of whether such information pertains to (i) individuals with whom the covered institution has a customer relationship or (ii) the customers of other financial institutions where such information has been provided to the covered institution.

However, the Amendments only require a covered institution to provide notice to affected individuals where unauthorized access to or use of sensitive customer information has occurred at the covered institution or one of its service providers that is not itself a covered institution.

  • The Release notes that, if a covered institution is acting as a service provider to another covered institution, in addition to its own obligations under Regulation S-P, it must provide notification to the other covered institution as required by the policies and procedures required under the safeguards rule.
  • The Release also states that, while a covered institution may not have access to the contact information for some customers, it can coordinate with the covered institution that has a customer relationship to receive contact information as needed for the notices.

VI. EXCEPTION TO THE ANNUAL PRIVACY NOTICE REQUIREMENT

In the 2015 Fixing America’s Surface Transportation Act, Congress amended the GLBA by adding a new section containing an exception to the annual privacy notice delivery requirements for a financial institution that meets certain requirements. Consistent with the 2023 proposing release, the Release amends Regulation S-P’s annual notice provision to include the new exception.

In general, Regulation S-P requires broker-dealers, registered funds and investment advisers (“financial institutions”) to provide their customers (i) an annual notice of their privacy policies and practices and (ii) subject to certain exceptions,[13] an opportunity to opt out before these entities share nonpublic personal information with unaffiliated third parties.

Section 248.5 of Regulation S-P prescribes the requirements for an annual privacy notice, including delivery. The Release adds a new paragraph (e) to this section to provide an exception to the annual notice requirement. To qualify for the new exception, financial institutions are required to satisfy two conditions:

  1. The financial institution must share nonpublic personal information only in accordance with the pre-existing Regulation S-P exceptions to the general requirement of providing customers an opportunity to opt out of the financial institution’s information sharing with unaffiliated third parties;[14] and
  2. The financial institution relying on the new exception cannot have changed its policies and practices regarding disclosing nonpublic personal information from those that were disclosed in the most recent annual privacy notice sent to customers.

New paragraph 248.5(e) also specifies when a financial institution would be required to resume delivering annual privacy notices if the financial institution no longer satisfies the two conditions above.

VII. RECORDKEEPING AMENDMENTS

The Amendments require covered institutions to make and maintain written records documenting compliance with the requirements of the amended safeguards rule and disposal rule. Thus, the Release amends Rules 31a-1(b) and 31a-2(a) under the 1940 Act, Rule 204-2 under the Advisers Act, Rule 17a-4 under the Exchange Act for broker-dealers and Rule 17Ad-7 under the Exchange Act for transfer agents. In each case, the Amendments require the covered institution to maintain written records documenting the covered institution’s compliance with the requirements set forth in the safeguards rule and the disposal rule, as amended. The records that will be required under the Amendments are:

  • Written policies and procedures required to be adopted and implemented pursuant to the amended safeguards rule, generally (i.e., policies and procedures to address the administrative, technical and physical safeguards to protect customer information);
  • Written documentation of any detected unauthorized access to or use of customer information, as well as any response to, and recovery from such unauthorized access;
  • Written documentation of any investigation and determination made regarding whether notification to affected individuals is required by the amended safeguards rule, including the basis for any determination made, as well as a copy of any notice transmitted following such determination;
  • Written policies and procedures required to be adopted and implemented to oversee, monitor and conduct due diligence on service providers, including to ensure that the covered institution is notified when a breach in security has occurred at the service provider;
  • Written documentation of any contract or agreement between a covered institution and a service provider in which the service provider promises to notify affected individuals on the covered institution’s behalf; and
  • Written policies and procedures required to be adopted and implemented pursuant to the amended disposal rule addressing the proper disposal of consumer information and customer information.

VIII. COMPLIANCE DATES

Covered institutions that are “larger entities” will be required to comply with the Amendments no later than December 3, 2025 (i.e., 18 months after the Release’s June 3, 2024 publication in the Federal Register). Larger entities include (i) investment companies that, together with other investment companies in the same group of related investment companies, collectively have net assets of $1 billion or more as of the end of the most recent fiscal year, (ii) any registered investment adviser with $1.5 billion or more in assets under management and (iii) all broker-dealers and transfer agents that are not “small entities” under the Securities Exchange Act for purposes of the Regulatory Flexibility Act. Covered institutions that are not larger entities will be required to comply with the Amendments six months after the compliance date applicable to larger entities (i.e., June 3, 2026).

IX. OBSERVATIONS

Registered Funds. Registered funds and their advisers should be able to rely on the funds’ transfer agents to safeguard shareholder customer information, including (if necessary) providing notice to affected individuals. More specifically, the Amendments (i) include transfer agents among the covered institutions that are subject to the safeguards rule and (ii) only require a covered institution to provide notice to affected individuals where unauthorized access to or use of sensitive customer information has occurred at the covered institution or at one of its service providers that is not itself a covered institution. Nonetheless, registered funds’ response programs must include the establishment, maintenance and enforcement of written policies and procedures reasonably designed to require oversight of service providers, including transfer agents.

Private Fund Advisers. The new definition of “customer information” in the Amendments captures information about natural person limited partners that a private fund “provides” to its investment adviser, thereby subjecting private fund managers to the safeguards and disposal rules, including the customer notification requirements.

  • We note that, because private funds themselves are subject to substantially similar requirements under the FTC’s rules, the technical extension of certain aspects of Regulation S-P to private fund managers should not be a significant change in practice for most managers. The key difference is that, following the compliance date of the Amendments, the SEC will clearly have jurisdiction over private fund managers with respect to compliance with the safeguards and disposal rules.

Policies and Procedures. All registered investment advisers should review and update their compliance policies and procedures in advance of the compliance date of the Amendments.

  • Adopting procedures regarding customer notification is also a new requirement. Under existing state law, firms that experience a data breach have needed to check the notification requirements of each applicable state. The Amendments add another set of rules to check and comply with in the case of a data breach. That said, the new requirements would apply only to natural person investors, although notifying only some investors and not others may raise concerns.

Service Providers. The service provider requirements could be burdensome. The Amendments require covered institutions, including advisers, to perform diligence and oversight to ensure that service providers comply with the Amendments’ requirements. In practice, the Amendments may require reviews and amendments of existing service provider contracts where commercially feasible.

Multiple Applicable Notice Requirements. Although the Release states that commenters had concerns about harmonizing Regulation S-P with state law requirements, the SEC noted that it believes state law notification standards vary widely such that broad harmonization would be impracticable. Moreover, the Release states, a benefit of the Amendments is that they provide a consistent minimum federal notification standard to protect affected individuals in an environment of enhanced risk, and that the federal standard will protect all customers, regardless of their state of residence (thereby reducing the potential confusion that could result from customers in one state receiving notice of an incident while customers in another state do not).

  • The Amendments’ notification requirements will thus coexist with contractual requirements, as well as the data breach notification laws of the various states (some of which do not include a risk-of-harm threshold), the 72-hour General Data Protection Regulation (“GDPR”) requirement and other notification requirements potentially applicable to persons outside of the United States. Providers of critical financial infrastructure may also have 72-hour reporting requirements to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”), although those requirements are not yet in effect and may be harmonized with SEC requirements.

Additional SEC Rulemaking. The SEC has not finalized rulemaking following two 2022 SEC proposing releases titled (i) “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies” (described in a Ropes & Gray Alert) and (ii) “Outsourcing by Investment Advisers” (described in another Ropes & Gray Alert). While some overlap is probable, we hope that the SEC will harmonize the rules resulting from these two proposals with the Amendments to avoid duplicative procedures. That said, even if the SEC does harmonize the requirements of the rulemakings, it will remain necessary to harmonize cyber procedures with other applicable requirements, including state and (if applicable) international data protection rules.

* * *

If you would like to learn more about the issues in this Alert, please contact your usual Ropes & Gray attorney contacts.

  1. 17 C.F.R. § 248.1 et seq.
  2. Customer information is defined to mean for any covered institution, other than a transfer agent, any record containing nonpublic personal information as defined in Section 248.3(t) of Regulation S-P about a customer of a financial institution (as defined below), whether in paper, electronic or other form, that is in the possession of a covered institution or that is handled or maintained by the covered institution, or on its behalf, regardless of whether such information pertains to (i) individuals with whom the covered institution has a customer relationship or (ii) the customers of other financial institutions where such information has been provided to the covered institution. With respect to a transfer agent, customer information means any record containing nonpublic personal information as defined in § 248.3(t) identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is in the possession of a transfer agent or that is handled or maintained by the transfer agent or on its behalf, regardless of whether such information pertains to individuals with whom the transfer agent has a customer relationship, or pertains to the customers of other financial institutions and has been provided to the transfer agent.
  3. A financial institution is defined as any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act.
  4. A consumer means an individual (i.e., natural person) who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.
  5. A customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
  6. The Amendments do not affect the Regulation S-P treatment of so-called “notice-registered broker-dealers,” which are futures commission merchants and introducing brokers registered with the CFTC that are permitted, pursuant to Section 15(b)(11) of the Exchange Act, to register as broker-dealers by filing a notice with the SEC for the limited purpose of effecting transactions in security futures products.
  7. Consumer information means any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report, or a compilation of such records, that a covered institution maintains or otherwise possesses for a business purpose regardless of whether such information pertains to (i) individuals with whom the covered institution has a customer relationship, or (ii) the customers of other financial institutions where such information has been provided to the covered institution. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.
  8. Consumer report has the same meaning as in the Fair Credit Reporting Act.
  9. “Customer information systems” is defined to include the information resources owned or used by a covered institution, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of customer information to maintain or support the covered institution’s operations.
  10. The Release defines “sensitive customer information” as any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.
  11. This exception is contingent on a written notification by the Attorney General to the SEC and is similar to the exception under the SEC’s public company cybersecurity rules.
  12. In practice, it may be useful to coordinate notice where possible so that customers receive one notice from several entities as opposed to several overlapping notices.
  13. See Regulation S-P §§ 248.13, 248.14 and 248.15. In general, these sections provide that a financial institution is not required to provide customers the opportunity to opt out if it shares nonpublic personal information with unaffiliated third parties (i) pursuant to a joint marketing arrangement with third-party service providers, (ii) in connection with maintaining and servicing customer accounts and effecting certain transactions and (iii) in situations related to protecting against fraud, complying with certain legal and regulatory requirements and required consumer reporting.
  14. See id.