SEC Reopens Public Comment on The Cybersecurity and Risk Management Rule and Proposes Changes to Reg S-P to Enhance Protection of Customer Information

What happened?

On Wednesday, March 15, the U.S. Securities and Exchange Commission (SEC) held an opening meeting and announced three proposed rules touching on cybersecurity and also reopened its proposed Cybersecurity Risk Management Rule for more public commentary. The new proposals touch on the technology used by market entities and securities markets themselves along with amendments to Regulation S-P. The SEC’s proposals would go beyond current requirements by addressing the expanded use of technology and its corresponding risks, another demonstration that the SEC is taking a much stronger stance on cybersecurity-related concerns.

The SEC released two cybersecurity-related proposals in 2022, the Cybersecurity Risk Management Rule and the Outsourced Service Provider Rule. Our team of regulatory experts will cover these proposals in more detail, including how RIAs can start to prepare for compliance, in our webinar on Tuesday, March 21 at 12:00 ET. To register, click here.

The Commission said that reopening the public comment period for the Cybersecurity and Risk Management Rule gives advisers the opportunity to analyze the rule and “prepare comments in light of other regulatory developments.” Good advice, since there are overlapping requirements for managing risks and disclosure across all of these proposed rules. For example, the ADV 2A Item 20 proposed in the Cybersecurity and Risk Management Rule requires the disclosure of cyber incidents, and the amendments to Regulation S-P contain requirements to disclose breaches.

The press release announcing these proposed amendments to Regulation S-P indicates they would “enhance the protection of customer information by, among other things, requiring broker-dealers, investment companies, registered investment advisers, and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.”

Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures to help protect customer records and information.

The proposed amendments to Reg S-P would require “covered institutions” (referring to: broker-dealers, investment companies, registered investment advisers, and transfer agents) to:

  • Adopt a written Incident Response Plan, including policies and procedures to address unauthorized access to or use of customer information; and
  • Provide notice of breach to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization as soon as practicable, but not later than 30 days after the covered institution becomes aware that the incident occurred or is reasonably likely to have occurred.

The proposal would also make a number of additional changes to Regulation S-P, including:

  • Broadening and aligning the scope of the safeguards rule and disposal rule to cover “customer information,” a newly defined term. Under the proposal, “customer information” would include, and so extend the protections of the safeguards and disposal rules to, both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information that a covered institution receives about customers of other financial institutions;
  • Extending the scope of the safeguards rule (including the proposed enhancements) and the disposal rule to cover transfer agents registered with the Commission or another appropriate regulatory agency, rather than only those registered with the Commission; and
  • Adjusting delivery requirements to conform Regulation S-P’s existing provisions relating to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015.

The proposal will be published in the Federal Register, and the public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.

To read the full press release, click here.

What does this mean for RIAs?

While the proposed rule codifies many best practices and SEC expectations, it increases the burden on firms to provide notice disclosures above and beyond the current expectations, including various state requirements. Taken along with the 2022 proposals, the SEC is clearly looking to regulate cybersecurity risks by increasing the risk management and disclosure requirements across multiple regulations. There is time for your opinion to be heard during these new and newly reopened comment periods for each regulation. This is also a good time to assess your firm’s risks and begin preparing for compliance with the increasing regulatory burdens these proposals will bring.

Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts are available to answer any questions you may have regarding the proposed rules. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.