Do you work for a brokerage house, have a subsidiary that is a brokerage house, or do any type of work with a brokerage house? If so, then you should be aware of the changes to Regulation S-P that the Securities and Exchange Commission (SEC) proposed in March of this year.
In general, the proposed amendments to Regulation S-P…
- Create more specific requirements for safeguarding client information
- Create more specific requirements for responding to information security breaches
- Align the rule’s privacy guidelines more closely with those of the Federal Trade Commission (FTC) and federal banking agencies
- Broaden the scope of the client information covered by the rule’s safeguarding and disposal provisions
Small and medium-sized businesses (SMBs) that are brokerages are up in arms about the changes, and have been quoted in multiple news releases saying they think the requirements are too much to ask of SMBs.
SMBs shouldn’t be required to effectively safeguard customer information?
Here are just a few excerpts from the comparatively large proposed changes document:
* From page 12:
“II. DISCUSSION: To help prevent and address security breaches in the securities industry and thereby better protect investor information, we propose to amend Regulation S-P in four principal ways. First, we propose to require more specific standards under the safeguards rule, including standards that would apply to data security breach incidents. Second, we propose to amend the scope of the information covered by the safeguards and disposal rules and to broaden the types of institutions and persons covered by the rules. Third, we propose to require institutions subject to the safeguards and disposal rules to maintain written records of their policies and procedures and their compliance with those policies and procedures. Finally, we are taking this opportunity to propose a new exception from Regulation S-P’s notice and opt-out requirements to allow investors more easily to follow a representative who moves from one brokerage or advisory firm to another.”
* From pages 13 – 18:
“1. Revised safeguarding policies and procedures
As noted above, the safeguards rule requires institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments would further develop this requirement by requiring each institution subject to the safeguards rule to develop, implement, and maintain a comprehensive “information security program,” including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information. This program would have to be appropriate to the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of any personal information at issue. Consistent with current requirements for safeguarding policies and procedures, the information security program also would have to be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or securityholder who is a natural person.
Although the term “substantial harm or inconvenience” is currently used in the safeguards rule, it is not defined. We propose to define the term to mean “personal injury, or more than trivial financial loss, expenditure of effort or loss of time.” This definition is intended to include harms other than identity theft that may result from failure to safeguard sensitive information about an individual. For example, a hacker could use confidential information about an individual for extortion by threatening to make the information public unless the individual agrees to the hacker’s demands. “Substantial harm or inconvenience” would not include “unintentional access to personal information by an unauthorized person that results only in trivial financial loss, expenditure of effort or loss of time,” such as if use of the information results in an institution deciding to change the individual’s account number or password.
The rule would provide an example of what would not constitute harm or inconvenience that rises to the level of “substantial,” which should help clarify the scope of what would constitute “substantial harm or inconvenience.” The proposed amendments also would specify particular elements that a program meeting the requirements of Regulation S-P must include. These elements are intended to provide firms in the securities industry with detailed standards for the policies and procedures that a well-designed information security program should include to address recent identity theft-related incidents such as firms in the securities industry losing data tapes and laptop computers and failing to dispose properly of sensitive personal information, and hackers hijacking online brokerage accounts. These elements also are intended to maintain consistency with information safeguarding guidelines and rules adopted by the Banking Agencies and FTC. In addition, these elements are consistent with policies and procedures we understand many institutions in the securities industry have already adopted. We understand that large and complex organizations generally have written policies that address information safeguarding procedures at several layers, from an organization-wide policy statement to detailed procedures that address particular controls.
Institutions subject to the rule would be required to:
(i) designate in writing an employee or employees to coordinate the information security program;
(ii) identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information or personal information systems;
(iii) design and document in writing and implement information safeguards to control the identified risks;
(iv) regularly test or otherwise monitor and document in writing the effectiveness of the safeguards’ key controls, systems, and procedures, including the effectiveness of access controls on personal information systems, controls to detect, prevent and respond to attacks, or intrusions by unauthorized persons, and employee training and supervision;
(v) train staff to implement the information security program;
(vi) oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing); and
(vii) evaluate and adjust their information security programs to reflect the results of the testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the institution knows or reasonably believes may have a material impact on the program.”
* From pages 21 – 27:
“2. Data security breach response
Because of the potential for harm or inconvenience to individuals when a data security breach occurs, we are proposing that information security programs include procedures for responding to incidents of unauthorized access to or use of personal information. These procedures would include notice to affected individuals if misuse of sensitive personal information has occurred or is reasonably possible. The procedures would also include notice to the Commission (or for certain broker-dealers, their designated examining authority) under circumstances in which an individual identified with the information has suffered substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information. The proposed rules that would require prompt notice of information security breach incidents to individuals, as well as the Commission or designated examining authorities, are intended to facilitate swift and appropriate action to minimize the impact of the security breach.
The data security breach response provisions of the proposed amendments include elements intended to provide firms in the securities industry with detailed standards for responding to a breach so as to protect against unauthorized use of compromised data. The proposed standards would specify procedures a covered institution’s information security program would need to include. These procedures would be required to be written to provide clarity for firm personnel and to facilitate Commission and SRO examination and inspection. The proposed standards are intended to ensure that covered institutions adopt plans for responding to an information security breach incident so as to minimize the risk of identity theft or other significant investor harm or inconvenience from the incident. These proposed procedures also are intended to be consistent with security breach notification guidelines adopted by the Banking Agencies.
Under the proposed amendments, institutions subject to the rule would be required to have written procedures to:
(i) assess any incident involving unauthorized access or use, and identify in writing what personal information systems and what types of personal information may have been compromised;
(ii) take steps to contain and control the incident to prevent further unauthorized access or use and document all such steps taken in writing;
(iii) promptly conduct a reasonable investigation and determine in writing the likelihood that the information has been or will be misused after the institution becomes aware of any unauthorized access to sensitive personal information; and
(iv) notify individuals with whom the information is identified as soon as possible (and document the provision of such notification in writing) if the institution determines that misuse of the information has occurred or is reasonably possible.
We propose to define the term, “sensitive personal information,” to mean “any personal information, or any combination of components of personal information, that would allow an unauthorized person to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information,” including the individual’s Social Security number, or any one of the individual’s name, telephone number, street address, e-mail address, or online user name, in combination with any one of the individual’s account number, credit or debit card number, driver’s license number, credit card expiration date or security code, mother’s maiden name, password, personal identification number, biometric authentication record, or other authenticating information. This definition is intended to cover the types of information that would be most useful to an identity thief, and to which unauthorized access would create a reasonable possibility of substantial harm or inconvenience to an affected individual.
The amendments also would require an institution to provide notice to the Commission as soon as possible after the institution becomes aware of any incident of unauthorized access to or use of personal information in which there is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience, or in which an unauthorized person has intentionally obtained access to or used sensitive personal information. This requirement would allow Commission and SRO investigators or examiners to review the notices to determine if an immediate investigative or examination response would be appropriate. In this regard, it is crucial that institutions respond promptly to any follow-up requests for records or information from our staff or the staff of the designated examining authority. Under the proposed amendments, a prompt response in accordance with existing Commission guidance on the timely production of records would be particularly important in circumstances involving ongoing misuse of sensitive personal information.
The regulatory notification requirement in the Banking Agencies’ guidance requires a report to the appropriate regulator as soon as possible after the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information. Our proposed notice requirement differs from the Banking Agencies’ approach in that it would require notice to the Commission (or a designated examining authority) when an incident of unauthorized access to or use of personal information poses a significant risk that an individual identified with the information might suffer substantial harm or inconvenience, or in which an unauthorized person has intentionally obtained access to or used sensitive personal information. The proposed notice requirement is intended to avoid notice to the Commission in every case of unauthorized access, and to focus scrutiny on information security breaches that present a greater potential likelihood for harm. We believe that this approach would help conserve institutions’, as well as the Commission’s, administrative resources by allowing minor incidents to be addressed in a way that is commensurate with the risk they present. The information to be included in the notice would allow the Commission or a broker-dealer’s designated examining authority to evaluate whether any legal action against a would-be identity thief or other action is warranted in light of the circumstances. A broker-dealer, other than a notice-registered broker dealer, would be required to notify the appropriate designated examining authority on proposed Form SP-30. An investment company or registered investment adviser or transfer agent would be required to notify the Commission on proposed Form SP-30.
Proposed Form SP-30 would require the institution to disclose information that the Commission (or the designated examining authority) needs to understand the nature of the unauthorized access or misuse of personal information and the institution’s intended response to the incident. Accordingly, in addition to identifying and contact information for the covered institution, the form would request a description of the incident, when it occurred and what offices or parts of the registrant’s business were affected. The form also would require disclosure of any third-party service providers that were involved, the type of services provided and, if the service provider is an affiliate, the nature of the affiliation. This information would help examiners to assess the information security policies and procedures of the service provider. In addition, the form would require a description of any customer account losses.
Under the proposed amendments, if a covered institution determined that an unauthorized person had obtained access to or used sensitive personal information, and that misuse of the information had occurred or was reasonably possible, the institution also would be required to provide notification, in a clear and conspicuous manner, to each individual identified with the information. The proposed requirements for notices to individuals are intended to give investors information that would help them protect themselves against identity theft. They also are intended to be consistent with similar requirements in the Banking Agencies’ Incident Response Guidance.
The notices to affected individuals that would be required by the proposed amendments would have to:
(i) describe the incident and the type of information that was compromised, and what was done to protect the individual’s information from further unauthorized access or use;
(ii) include a toll-free telephone number or other contact information for further information and assistance from the institution;
(iii) recommend that the individual review account statements and immediately report any suspicious activity to the institution; and
(iv) include information about FTC guidance regarding the steps an individual can take to protect against identity theft, a statement encouraging the individual to report any incidents of identity theft to the FTC, and the FTC’s Web site address and toll-free telephone number for obtaining identity theft guidance and reporting suspected incidents of identity theft.”
There is more…much more. Read the full 105-page PDF to see.
Generally, the proposed changes would require brokerages of all sizes to have a comprehensive and effective information security program in place: a program based upon the risks identified within each organization.
Requiring effective information security programs to protect customer information seems like a reasonable idea. Too bad it takes a law to force so many businesses to actually safeguard their customers’ personally identifiable information (PII).
Tags: awareness and training, breach response, brokerage, Information Security, IT compliance, policies and procedures, privacy, Regulation S-P, risk management, SEC, security awareness, security training