Revolutionize Regulation S-P: SEC Proposes Robust Modifications to Amplify Safeguarding of Customer Information

The SEC proposes significant changes to strengthen customer data security: Revolutionizing Regulation S-P

Today, the Securities and Exchange Commission (SEC) proposed amendments to Regulation S-P that would enhance the protection of customer information. These amendments would, among other things, require broker-dealers, investment companies, registered investment advisers, and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm. The SEC believes that these amendments would enhance the protection of customer information.


“Even though covered firms are required by Regulation S-P to notify customers about how they use their financial information, these firms are not required to notify customers about breaches,” said Gary Gensler, the chair of the SEC. “This is a significant gap in consumer protection. I believe that we need to narrow this gap.

“As a result, according to our proposal, covered businesses would be required to notify customers of breaches that might put the customers’ personal financial data in jeopardy. If these amendments were to be implemented, I believe they would assist customers in protecting themselves and maintaining their sense of privacy.”

Broker-dealers, investment companies, and registered investment advisers are currently required by Regulation S-P to adopt written policies and procedures for the protection of customer records and information (“safeguards rule”).

The “disposal rule” in Regulation S-P mandates that consumer report information must be disposed of in an appropriate manner. The Commission first adopted Regulation S-P in 2000, and the requirements of the rule need to be updated to account for the increased use of technology and the associated risks. If the proposal presented today is approved, those updates will be made.

The proposal put forth by the Commission would make it obligatory for broker-dealers, investment companies, registered investment advisers, and transfer agents (collectively referred to as “covered institutions”) to adopt written policies and procedures for an incident response program in order to address the issue of unauthorized access to or use of customer information.

The proposed changes would also require covered institutions, with certain limited exceptions, to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. The exceptions would only apply to covered institutions that meet certain criteria.

According to the proposal, a covered institution would be required to provide this notice as soon as is practically possible, but no later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. This notice would have to be provided in accordance with the proposal.

Regulation S-P would also be subject to a number of additional changes as a result of the proposed amendments, including the following:

  • Expanding the scope of both the safeguards rule and the disposal rule to cover the newly defined term “customer information,” and bringing the two rules into alignment with one another. Because of this change, the safeguards and disposal rules would be extended to cover not only the nonpublic personal information that a covered institution collects about its own customers, but also the nonpublic personal information that it receives about the customers of other financial institutions;
  • Extending the safeguards rule, including the proposed enhancements, to transfer agents registered with the Commission or with another appropriate regulatory agency, and expanding the existing scope of the disposal rule to include transfer agents registered with another appropriate regulatory agency in addition to only those transfer agents registered with the Commission; and
  • Conforming the existing provisions of Regulation S-P relating to the delivery of an annual privacy notice to a statutory exception that was created by Congress in 2015.

The proposing release will be included in the next issue of the Federal Register. The public comment period will remain open until the end of the sixty-day period following the date of publication of the proposing release in the Federal Register.
