The Securities and Exchange Commission (SEC) on Wednesday proposed amendments to its regulation requiring broker-dealers, investment companies, and registered investment advisers to establish policies and procedures to safeguard customer records and information.
The proposed amendments would update Regulation S-P to “address the expanded use of technology and corresponding risks” that have come with innovation since the rule was first adopted in 2000, the SEC said in a press release. The agency noted its proposed changes were informed by comments in response to an abandoned 2008 proposal to amend Reg S-P in a similar manner.
The new proposal will be subject to a 60-day comment period following publication in the Federal Register.
Among its changes, the proposal seeks to require covered entities (which would also include transfer agents, if the proposal is approved) to notify individuals whose sensitive information was, or might have been, accessed or used without authorization within 30 days of becoming aware that unauthorized access occurred.
“Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” said SEC Chair Gary Gensler in the agency’s release. “I think we should close this gap. Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk.”
Notifications would not be necessary if a covered entity determines sensitive customer information is not likely to be used in a harmful manner.
Also proposed is a requirement that covered entities adopt an incident response program as part of their written policies and procedures, in line with the current requirements of the agency’s so-called “Safeguards Rule.” The program would need to “be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information; include procedures to assess the nature and scope of any such incident; and contain and control such incidents,” according to an SEC fact sheet.
The proposal also broadens the definition of “customer information” to include nonpublic personal information a covered institution collects about its customers and nonpublic personal information a covered institution receives about customers of another financial institution.
The proposed compliance date of the rule would be 12 months after the effective date of adoption.
Other actions taken by the SEC on Wednesday included:
- Proposing a new rule to require entities that perform critical services to support the securities market to address their cybersecurity risks. The proposal, subject to a 60-day comment period, would require covered entities to implement policies and procedures reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures.
- Proposing amendments to Regulation Systems Compliance and Integrity (SCI) to expand the scope of covered entities to include registered security-based swap data repositories, all clearing agencies exempt from registration, and certain large broker-dealers, and to modify the requirements so that covered entities’ policies and procedures include programs for life cycle management; for preventing unauthorized access to SCI systems; and for managing and overseeing certain third-party providers, including cloud-service providers. The proposal would be subject to a 60-day comment period.
- Reopening the comment period for 60 days on a February 2022 proposal requiring advisers and funds to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks.
The agency’s March 2022 proposed rule requiring public companies to report material cybersecurity incidents no later than four business days after they occur remains pending.