Publications

(Article from Registered Funds Regulatory Update, April 2023)

For more information, please visit the Registered Funds Resource Center.

The SEC voted to propose amendments to Regulation S-P that would require broker-dealers, investment companies (including BDCs), RIAs, and transfer agents (“Covered Institutions”) to provide notice to individuals whose personal information may have been compromised by a data breach. Currently, Regulation S-P requires Covered Institutions to implement certain policies and procedures involving the protection and disposal of customer information. If adopted, the March 15, 2023 proposal would broaden these policies to cover not only personal information of Covered Institutions’ own customers but also personal information received about customers of other institutions. The proposed amendments would also require Covered Institutions to implement written policies and procedures to address a data breach and notify individuals who were or are reasonably likely to have been affected by a data breach. Individuals would have to be notified as soon as practicable but no later than thirty days after a Covered Institution becomes aware of any incident involving unauthorized access to customers’ personal information. Among other things, the proposal:

• creates a federal minimum standard regarding Covered Institutions’ practices for preventing and responding to data breaches. The minimum notification standard proposed by Reg. S-P would require a Covered Institution to provide notice, within 30 days of learning of a breach, to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. If the Reg. S-P amendments do not preempt, or override, state laws, Covered Institutions could face challenges when state and Reg. S-P customer notification requirements do not align, resulting in duplicative notifications that, instead of providing a stronger warning to affected customers, could reduce the impact of receiving notification;
• includes requirements related to service providers. The proposed amendments would mandate that Covered Institutions’ contracts with service providers include measures designed to protect against unauthorized access to or use of Covered Institutions’ customer information; and
• implements an exception to the annual notice delivery requirements in certain circumstances, provided by legislative action in 2015, provided that the Covered Institution only shares non-public information with unaffiliated third parties in certain limited circumstances and has not changed its policies and practices with regard to disclosing non-public personal information in the past year.

Through this proposal, the SEC intends to update Regulation S-P to address the risks associated with technology advancements since its original adoption in 2000. The proposed amendments will heighten Covered Institutions’ requirements to protect and notify customers of any unauthorized use of their personal information, and Covered Institutions may need to prepare for any increased costs associated with incident response and notification.

The proposed amendments are subject to comment for 60 days after publication in the Federal Registrar. The proposed compliance date is 12 months from adoption.

Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, SEC Release Nos. 34-97141; IA-6262; IC-34854 (March 15, 2023), available at https://www.sec.gov/rules/proposed/2023/34-97141.pdf.