On March 15, the U.S. Securities and Exchange Commission (SEC) issued a notice of proposed rulemaking (the proposal) that would require SEC-regulated investment advisors, investment firms, and broker-dealers to notify individuals affected by certain types of data breaches, along with other related requirements. The proposal is one of a series of privacy proposals issued by the SEC and follows other recent proposals.
Currently, the SEC’s Regulation S-P “Safeguards Rule” requires SEC-regulated investment advisors, investment firms, and broker-dealers (collectively, covered entities) to adopt written policies and procedures addressing administrative, technical, and physical safeguards to protect customer records and information. It does not, however, require notifying affected individuals in the event of a data breach; covered entities generally respond to data breaches under applicable state data breach notification laws.
Details of the proposal
The proposal would require covered entities to notify any individual whose sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization.
In addition, covered entities would have to develop, implement, and maintain written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Under the proposal, the response program would include procedures to assess the nature and scope of an incident and to take appropriate steps to contain and control it to prevent further unauthorized access or use.
Notification trigger
Under the proposal, notice is required if “sensitive customer information” has been, or is reasonably likely to have been, “accessed or used” without authorization. Sensitive customer information means any component of customer information, alone or in combination with other information, the compromise of which could create a reasonable risk of substantial harm or inconvenience to the individual identified with that information.
The proposal sets out and explains several examples of personally identifying information that, even in the absence of other identifying information, could create a substantial risk of harm or inconvenience to the individual identified by that information.
Form of notification
Notices to customers must be clear and conspicuous and must be provided by means reasonably designed to be received by each affected individual. A notice should include key information, including details about the incident, the data compromised, and how affected individuals can respond to the breach and protect themselves.
The notice must also include sufficient contact information to enable the affected individual to contact the covered entity with questions about the incident, including the name and address of a specific office to contact for further information and assistance.
Notification timing
Covered entities must provide notice as soon as practicable, and within thirty (30) days of becoming aware that an incident has occurred or is reasonably likely to have occurred.
Additional points
The SEC also proposed expanding and adjusting the scope of its safeguards and disposal rules (the latter governing the disposal of collected information) to cover the newly defined term “customer information.” This change would extend the safeguards and disposal rules to both the non-public personal information that covered entities collect about their own customers and the non-public personal information that covered entities receive about customers of other financial institutions. The new notification requirement relates only to the first subset of information.
The safeguards rule does not currently apply to transfer agents; the proposal would extend the safeguards provisions to them.
The proposal also includes a requirement to maintain written records documenting compliance.
Other Recent Proposals
- Also on March 15, the SEC proposed new cybersecurity risk management requirements for broker-dealers and “market entities”[1]. These mirror the cybersecurity risk management requirements recently proposed for investment advisors and investment firms, which were covered in a previous report.
- The SEC also reopened the comment period on that proposal, which would require a covered entity to notify the SEC within 48 hours of a cybersecurity incident.
- The SEC also proposed amendments to Regulation SCI that would (1) expand its scope to include registered security-based swap data repositories and certain large dual-registered broker-dealers, and (2) extend its scope to cover inventory, classification, and lifecycle management programs for SCI systems and indirect SCI systems, as well as programs to manage and oversee third-party providers, including cloud service providers that provide or support SCI or indirect SCI systems.
The SEC is seeking comment on various aspects of the proposal. The comment deadline will run from the proposal’s publication in the Federal Register.
Observations
- Next steps: The proposal is not effective until adopted as a final rule and may change through the comment process. Many sophisticated investment advisors, investment firms, and broker-dealers may already comply with the proposal’s requirements. Even so, a general review of current policies and procedures against those requirements will help identify any gaps and whether, in some cases, they should be addressed now in light of the proposal or handled individually.
- Global financial institutions: Covered entities that operate internationally should keep in mind that a breach may also trigger notification requirements under the General Data Protection Regulation (GDPR), which imposes a 72-hour notification deadline.
- Conflicts with state law: The impact of discrepancies between the proposal and state law requirements (such as incident triggers, the scope of covered information, and notification timing) may be mitigated by complying with the federal requirements, but covered entities will still need a state-by-state analysis to determine their obligations.
- Differences from regulator notification requirements: The proposal concerns notices to customers and is therefore significantly different from the notices required to federal banking agencies. See the All about FinReg blog post on the recently proposed SEC notification requirements.
- New regulatory developments: Recent regulatory developments regarding notifications highlight the points below.
- Make sure your notifications are timely: This can be especially difficult because companies must first determine whether the severity of a computer security incident triggers a notification requirement.
- Notification content: Companies should ensure that they accurately characterize the severity of the incident and their response to it. (In August 2021, the SEC charged a publicly traded publisher with misleading investors about the severity of a cyber intrusion.)
- Make sure your notifications are accurate: This can be difficult given how little information is typically available when the first notice is due. The problem is compounded by the fact that subsequent notices must remain consistent with the initial notice to avoid regulatory scrutiny.
[1] That is, clearing agencies; major security-based swap participants; the Municipal Securities Rulemaking Board; national securities exchanges; national securities associations (i.e., FINRA); security-based swap data repositories; security-based swap dealers; and transfer agents.