SEC Proposes Cybersecurity Incident Reporting and Broker-Dealer Cyber Risk Management Requirements

The US Securities and Exchange Commission (SEC) issued a notice of proposed rulemaking (the Proposal) on March 15 that would require SEC-regulated investment advisers, investment companies, and broker dealers to provide notice to individuals affected by certain types of data breaches, along with other related requirements. The Proposal was part of a spate of privacy proposals issued by the SEC and follows other recent proposals.

Currently, the SEC’s Regulation S-P “Safeguards Rule” requires SEC-regulated investment advisers, investment companies, and broker dealers (collectively, Covered Entities) to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information, but it does not include a requirement to notify affected individuals in the event of a data breach. Covered Entities generally respond to data breaches according to applicable state data breach notification laws.

DETAILS

The Proposal would require Covered Entities to notify individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.

It would also require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Under the Proposal, a response program would include procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident to prevent further unauthorized access or use.

Notification Trigger

Under the Proposal, notification would be required if “sensitive customer information” was, or is reasonably likely to have been, “accessed or used” without authorization. Sensitive customer information means any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.

The Proposal details some examples describing information identified with an individual that, without any other identifying information, could create a substantial risk of harm or inconvenience to an individual identified with the information.

Form of Notification

A customer notice must be clear and conspicuous and provided by a means designed to ensure that each affected individual can reasonably be expected to receive it. The notice should include key information with details about the incident, the breached data, and how affected individuals could respond to the breach to protect themselves.

It should also include contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident, including a telephone number (which should be a toll-free number if available), an email address or equivalent method or means, a postal address, and the name of a specific office to contact for further information and assistance.

Notification Timing

A Covered Entity would be required to provide notice as soon as practicable but no later than 30 days after it becomes aware that the incident occurred or is reasonably likely to have occurred.

ADDITIONAL POINTS

The SEC is also proposing to broaden and align the scope of the Safeguards Rule and Disposal Rule (related to disposal of collected information) to cover “customer information,” a new defined term. This change would expand the Safeguards and Disposal rules to both nonpublic personal information that a Covered Entity collects about its own customers and to nonpublic personal information that a Covered Entity receives about customers of other financial institutions. The new notification requirement only relates to the first subset of information.

The Safeguards Rule does not currently apply to transfer agents. The Proposal would extend the application of the safeguards provisions to transfer agents.

The Proposal would also include requirements to maintain written records documenting compliance.

OTHER RECENT PROPOSALS

• Also on March 15, the SEC proposed a new cybersecurity risk management requirement for broker-dealers and “Market Entities”[1] that mirrors the recently proposed risk management requirement for investment advisers and investment companies, which Morgan Lewis discussed in a previous report.
• The SEC also reopened the comment window for that proposal, under which Covered Entities would need to notify the SEC in the event of a cybersecurity incident within 48 hours.
• The SEC also proposed an amendment to Reg SCI that would (1) expand the scope of the regulation to include registered security-based swap data repositories and certain dually-registered large broker-dealers and (2) require covered entities to have additional policies and procedures that include a program for the inventory, classification, and life cycle management program for SCI systems and indirect SCI systems and a program to manage and oversee third-party providers, including cloud service providers, that provide or support SCI or indirect SCI systems.

The SEC has requested comments on a variety of aspects of the Proposal. Comments on the Proposal must be received on or before 60 days after publication in the Federal Register.

OBSERVATIONS

• Next Steps: The proposal will not be effective until it is issued as a final rule, and changes may be made through the comment process. Many sophisticated investment advisers, investment companies and broker dealers will likely already be in compliance with the requirements of the Proposal. However, a general review of current policies and procedures against the Proposal’s requirements may be helpful to identify whether there are any gaps, and whether those gaps should be addressed either in light of or separately from the Proposal.
• Global Financial Institutions: Covered Entities that operate internationally should keep in mind possible notification requirements under the General Data Protection Regulation (GDPR) in the event of a breach incident and note that the GDPR has a 72-hour notification timing requirement.
• Inconsistencies with State Law: The effect of any inconsistency between the Proposal and state law requirements (such as with regards to the event trigger, scope of information and notification timing) may, however, be mitigated because many states offer safe harbors from their notification laws for entities that are subject to or in compliance with requirements under federal regulations. Covered Entities will still need to do a state-by-state analysis to determine their obligations.
• Differences from Requirements to Notify Regulators: Because the Proposal relates to customer notification, it differs significantly from the required notifications to the federal banking agencies discussed in an All Things FinReg blog post and the notification requirement to the SEC which was recently proposed.
• Emerging Regulatory Trends: There are several emerging regulatory trends regarding notifications highlighted below:
  • Ensuring that the notification is timely: This can be particularly challenging given that companies have to judge whether the materiality of the computer security incident triggers the requirement.
  • Substance of the notification: Companies need to ensure that they are properly characterizing the significance of an incident and their response. (In August of 2021, the SEC charged a public publishing company with misleading investors about the severity of a cyber intrusion.)
  • Ensure that the notifications are accurate: This can be challenging given the lack of information that is generally available when initial notifications are mandated. The issue is further exacerbated because any subsequent notification should be consistent with the initial notification in order to avoid regulatory scrutiny.
  For these reasons, it is highly important to work with counsel to determine timing and details of the notifications and to ensure that discussions remain privileged.