As many readers may know, the SEC has been engaged in rule-making on various cybersecurity issues intended to modernize its existing regulations and keep pace with emerging privacy and data security risks and norms. If adopted, the proposed rules are likely to materially increase the compliance burdens on SEC-regulated entities – entities already struggling to understand the ever-evolving patchwork of federal and state data privacy and securities laws applicable to them.
The following is a brief summary of the SEC’s most recent proposals. Critically important, however, is the fact that even if these provisions are not adopted in whole or in part, emerging legal and best-practice standards will make several of these requirements a standard “duty of care.” Compliance failures may prompt claims founded on common law negligence, breach of fiduciary duties, and breach of contract.
Proposed Amendments to Regulation S-P: “Reg S-P” has already been in effect for more than two decades. It requires registered broker-dealers, investment companies, and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” What the rule does not require, and what the revisions are intended to address, is notification of impacted individuals in the event of a cybersecurity breach.
All 50 states and several U.S. territories have statutes requiring notification in the event a data breach has compromised personal information, but there is not yet a comparable rule at the federal level. The proposed amendments would create such a rule for companies regulated by Reg S-P, and, crucially, the requirements are in some ways broader than many state data breach notification statutes.
- While state data breach statutes include a discrete list of data elements that would trigger a duty to notify in the event of a breach – such as social security numbers and financial account numbers – the proposed new SEC rule defines “sensitive customer information” as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”
- The proposed rule includes a 30-day notification deadline, which is shorter than most state data breach statutes, the majority of which do not have a firm deadline at all.
- The proposal would require customer notification unless, after investigation, the covered institution finds no risk of harm. In many states, notification is only required if, after investigation, the company concludes that there is a risk of harm.
The proposed revisions would also expand the rule to apply to transfer agents in addition to broker-dealers, investment companies, and investment advisers.
Proposed “Cybersecurity Risk Management Rule”: This proposed rule would apply to various companies that perform critical services in financial markets, which it defines as “Market Entities.” Market Entities can include broker-dealers, the Municipal Securities Rulemaking Board, clearing agencies, major security-based swap participants, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents. The regulations would, among other things:
- require Covered Entities to adopt various policies and procedures to address cybersecurity risks, including conducting periodic assessments;
- require Covered Entities to report certain information about any cybersecurity incidents to the SEC; and
- require Covered Entities to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar year to the SEC and post them on the Covered Entity’s website.
Proposed Amendments to Regulation SCI: Finally, the SEC proposed amendments to Reg SCI, which was created to enhance the Commission’s oversight and enforcement of securities market technology infrastructure. It applies to “SCI entities,” which include self-regulatory organizations (including stock and options exchanges, registered clearing agencies, FINRA, and the MSRB), alternative trading systems (ATSs) that trade NMS and non-NMS stocks exceeding specified volume thresholds, disseminators of consolidated market data (plan processors), and certain exempt clearing agencies. The proposed amendments would expand this definition to include additional entities, including broker-dealers that exceed a certain size threshold, and would strengthen the requirements imposed on SCI entities. The proposal would also expand the scope of events experienced by SCI entities that would trigger immediate notification to the SEC.
The comment period for these three proposals has just passed, so there will be some period of time before the rules are finalized and in full force. Regardless, SEC-regulated firms would be well advised to review the proposals, monitor the rulemaking process, and determine how their existing compliance frameworks, policies, and procedures measure up to these proposals.
Regardless of whether the proposals are substantially revised, the trend in privacy and data security law is in the direction of enhanced controls, monitoring, and reporting. As noted above, even absent regulatory fiat, many lawyers will undoubtedly maintain that these requirements form part of a standard set of minimum protections and obligations governing how companies protect consumer data. Companies should therefore begin preparing now to meet the myriad compliance challenges these new rules will present.