SEC Amends Regulation S-P, Heightening Protections for Nonpublic Information about Consumers

Client Updates

On May 16, 2024, the Securities and Exchange Commission (“SEC”) adopted amendments (the “Amendments”) to Regulation S-P under the Securities Exchange Act of 1934 (also known as the “Safeguards Rule” or “Reg S-P”), which heighten protections for the treatment of nonpublic information about consumers by certain financial institutions.

The Amendments require broker-dealers, investment companies,1 SEC-registered investment advisers, funding portals, and transfer agents registered with the SEC or another appropriate regulatory agency as defined in Section 3(a)(34)(B) of the Exchange Act (“transfer agents,” and collectively with other types of institutions, “Covered Institutions”) to:

  • Adopt written policies and procedures for incident response to address unauthorized access to or use of “customer information” (defined below);
  • Require timely notification to consumers impacted by information security incidents involving “sensitive customer information” (defined below);
  • Adopt written policies and procedures to increase oversight over service providers;
  • Extend the application of Regulation S-P’s requirements to safeguard customer records and information to transfer agents;
  • Require Covered Institutions to maintain written records documenting compliance with the Amendments; and
  • Conform Regulation S-P’s annual privacy notice delivery provisions to include an exception required by a 2015 statutory amendment to the Gramm-Leach-Bliley Act (the “GLBA”).

Collectively, the new rules stand to impose significant new costs and enforcement risks on securities markets. The following update provides an overview of the finalized Amendments, schedules for implementation, and key takeaways for Covered Institutions.

Background

In 2000, the SEC adopted Regulation S-P, a set of privacy rules that govern the treatment of nonpublic personal information about consumers by certain financial institutions.

Regulation S-P: (1) broadly requires broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures to safeguard consumer records and information (the “Safeguards Rule”); (2) requires proper disposal of consumer report information in a manner that protects against unauthorized access to or use of such information (the “Disposal Rule”); and (3) implemented privacy policy notice and opt-out provisions, which Congress subsequently amended in the 2015 Fixing America’s Surface Transportation Act (“FAST Act”).

In March 2023, as we previously reported, the SEC proposed amendments to Regulation S-P, noting that such changes were needed to enhance protections around consumers’ nonpublic personal information. The SEC cited two primary reasons for the amendments: first, technological developments in how firms obtain, share, and maintain consumers’ personal information have increased the risk of harm to individual consumers. Second, the SEC sought to address the variation across states in the protections afforded to consumers of Covered Institutions, particularly after information security incidents that impact consumer personal information. The Amendments establish a federal minimum standard for Covered Institutions to provide data breach notifications to affected consumers.

Amendment Overview

The Amendments impose several new requirements on Covered Institutions:

  1. Incident Response Program

     The Amendments require Covered Institutions to develop, implement and maintain written policies and procedures for an incident response program. This program must be reasonably designed to detect, respond to, and recover from unauthorized access to, or use of, customer information. Customer information is, for any Covered Institution other than a transfer agent, any record of nonpublic personal information about a customer of a financial institution, whether in paper, electronic or other form, that is in the possession of a Covered Institution or that is handled or maintained by the Covered Institution or on its behalf. Any instance of unauthorized access to or use of customer information triggers a Covered Institution’s incident response plan.

     This is notable, as the Amendments effectively expand the reach of the Safeguards Rule by increasing the scope of information covered. Specifically, the Amendments broaden the definition of “customer information” to include information a Covered Institution has or has access to regardless of whether such information pertains to (a) individuals with whom the Covered Institution has a customer relationship or (b) the customers of other financial institutions where such information has been provided to the Covered Institution. This means that “customer information” now covers information a Covered Institution receives from third-party financial institutions, as well as customer information even after the relationship with the Covered Institution has ended.

     The response program must also include procedures to assess the nature and scope of the incident, including assessing the types of customer information that may have been accessed or used without authorization. Further, Covered Institutions are required to take steps to contain and control such incidents.

  2. Customer Notification Requirement

     Covered Institutions are required to provide notice as soon as practicable, but not later than 30 days after becoming aware that unauthorized access to or use of sensitive customer information (defined below) has occurred or is reasonably likely to have occurred. “Sensitive customer information” means any component of customer information, alone or in conjunction with any other information, whose compromise could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.

     The Amendments provide a non-exhaustive list of sensitive customer information, which generally falls into two categories: first, information that can be uniquely identified with an individual, such as a Social Security Number, and second, information that can be used to gain access to an account, such as a username in conjunction with a password, and security questions and answers.

     A notification delay might be permitted in some circumstances, including where the SEC receives notice from the Attorney General that the notice poses a substantial risk to national security or public safety.

     There are limited circumstances in which notice is not required, including situations where a Covered Institution determines, after a reasonable investigation of the facts and circumstances of the incident, that sensitive customer information has not been, or is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

     Notice to customers must be clear and conspicuous. While the Amendments do not prescribe the manner in which notice must be provided, it must be given by a means designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing. The notice must include the nature and date of the incident, the data involved, and multiple means for affected individuals to contact the Covered Institution. The Amendments also require that the notice include ways for individuals to protect themselves, including recommendations that customers review account statements, report suspicious activity, and place fraud alerts in their credit reports, in addition to other measures.

  3. Service Provider3 Oversight

     The Amendments also require a Covered Institution’s incident response program to include the establishment, maintenance and enforcement of written policies and procedures designed to oversee service providers, including oversight through due diligence and monitoring, to ensure that the Covered Institution meets its customer notification requirements.

     The policies and procedures must: (a) protect against unauthorized access to or use of customer information; and (b) provide notification to the Covered Institution as soon as possible, but no later than 72 hours after the service provider becomes aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.

  4. Other Amendments

     The Amendments to Regulation S-P also:

     • Require Covered Institutions, including funding portals, to make and maintain written records documenting compliance with the requirements of Regulation S-P;
     • Conform Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception added by the FAST Act, which provides that Covered Institutions are not required to deliver an annual privacy notice if certain conditions are met; and
     • Extend Regulation S-P requirements to transfer agents registered with the SEC or another appropriate regulatory agency.

Implementation Timeline

Large entities are required to implement the foregoing Amendments within 18 months of their publication in the Federal Register. Smaller entities have 24 months.

Per the Amendments, large entities include: (a) investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $1 billion or more as of the end of the most recent fiscal year; (b) registered investment advisers with $1.5 billion or more in assets under management; (c) all broker-dealers that are not small entities under the Exchange Act for the purposes of the Regulatory Flexibility Act; and (d) all transfer agents that are not small entities under the Exchange Act for the purposes of the Regulatory Flexibility Act.

Key Takeaways

The Amendments to Regulation S-P stand to impose significant new costs and requirements on Covered Institutions. Further, they signal the SEC’s increasing interest in enhancing protections for customers against harms that result from cybersecurity incidents leading to data breaches.

Covered Institutions should review and update their existing privacy, incident response and information security policies and vendor agreements to ensure compliance with the Amendments. Further, Covered Institutions should ensure that they navigate related requirements under other federal laws, as well as state laws. Finally, Covered Institutions should continue to monitor developments in the SEC’s proposed cybersecurity risk management rules.


1 Regulation S-P applies to investment companies as that term is defined in Section 3 of the Investment Company Act of 1940 (the “ICA”), whether or not the investment company is registered with the SEC. For example, a business development company, which is an investment company but is not required to register as such with the SEC, is subject to Regulation S-P. Employee securities companies are also covered. In contrast, an issuer that is excluded from the ICA’s “investment company” definition (e.g., a private fund that is able to rely on Section 3(c)(1) or 3(c)(7) of the ICA) is not subject to Regulation S-P but would be subject to the Federal Trade Commission’s (“FTC”) GLB Act privacy regulations (12 C.F.R. Part 313) and safeguards regulation (12 C.F.R. Part 314).

2 Notably, the notice requirement only applies to “sensitive customer information,” while the Amendments explicitly require that Covered Institutions’ incident response programs (i) address any incident involving customer information and not merely those involving sensitive customer information and (ii) account for the identification of affected customer information systems in addition to the types of customer information that may have been accessed or used without authorization.

3 A “service provider” is any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a Covered Institution. It can include affiliates of the Covered Institution. Further, the oversight requirement can apply even when the service provider has a direct contractual relationship with the client instead of the adviser.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.