On March 15th, the Securities and Exchange Commission (“SEC”) issued a proposed rule to revise Regulation S-P (“Proposed Regulation S-P”), which implements the privacy and security requirements of the Gramm-Leach-Bliley Act (“GLBA”) and certain other laws. The new proposed rule was issued almost exactly 15 years after the SEC issued proposed, but never finalized, revisions to Regulation S-P. On the same day, the SEC released a proposed cybersecurity risk rule for several types of regulated securities entities (“Cyber Risk Proposal”).
The 2023 Proposed Regulation S-P addresses several topics relating to SEC-regulated financial institutions, including:
- Introducing a new requirement of security breach notification to customers
- Requiring policies and procedures to address cybersecurity risks from employees working remotely
- Harmonizing the scope and requirements of the GLBA Safeguards Rule and the Fair Credit Reporting Act Disposal Rule
- Recordkeeping requirements for compliance with the Safeguards Rule and the Disposal Rule
- Incorporating the statutory exemption to the GLBA annual privacy notice requirements
- Requesting comment on permissible information sharing in the context of advisors changing firms
- Overlap of cybersecurity requirements under Regulation S-P and other SEC cybersecurity regulations
- Review of existing SEC statements and letters regarding Regulation S-P
For some of the above items, the SEC proposes concrete revisions or additions to Regulation S-P and requests comment on several issues. For other areas, the SEC does not propose language, but solicits comments on whether the topics would be appropriate for inclusion in the final regulation. The SEC also outlines some items that were considered but not included in the proposed rule. Comments on the Proposed Regulation S-P are due by June 5, 2023, 60 days after publication of the proposed rule in the Federal Register.
The SEC proposal is noteworthy both for what is included and for what is not. The new proposal includes a consumer notification requirement for incident response with timing and content requirements consistent with the requirements of many state laws. Notice to the SEC for “Significant Cybersecurity Incidents” would be required under the Cyber Risk Proposal.
The Proposed Regulation S-P expands the existing Regulation S-P language on security controls, but does not follow the more prescriptive approach of the New York Department of Financial Services' Cybersecurity Regulation or the Federal Trade Commission's version of the Safeguards Rule. The Cyber Risk Proposal also considers cybersecurity program requirements separate from those in Regulation S-P.
Where the 2008 proposed Regulation S-P revision included specific provisions for information sharing relating to departing advisors, the new proposed rule only solicits comment on whether such a provision is appropriate.
We will continue to monitor the Regulation S-P and Cyber Risk Proposal rulemaking process and report on events leading to the final rules.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years.