Statement on the Proposed Amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information
March 15, 2023
Thank you, Chair Gensler, and thank you to the staff for their presentations. Today, the Commission considers three separate, but related proposals. In discussions with the staff, the three proposals have been described as having different objectives and not being limited solely to cybersecurity. Despite that view, each proposal places a significant focus on cybersecurity. In fact, that term is mentioned over 250 times in the Regulation S-P and Regulation SCI proposals, and over 2,000 times in the cybersecurity risk management proposal. However, the Commission has provided little analysis as to how the proposals interact with each other or how, as a group, they mitigate cybersecurity risks in the most efficient manner. The lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance. Thus, my preference would be to create a unified approach to cybersecurity where various components are complementary, rather than duplicative, and that counsels for an incremental approach to hardening the markets and its participants against the harms of cybersecurity breaches.
The first matter being considered is the proposal to amend Regulation S-P, which was adopted in 2000 pursuant to the Gramm-Leach-Bliley Act (“GLBA”). The applicable provisions were later amended by Congress in 2015. Regulation S-P requires that financial institutions provide initial and annual privacy notices and explain to customers how they can opt out of disclosing their personal information to nonaffiliated third parties. As relevant to today’s proposals, Regulation S-P generally requires that SEC-registered investment advisers, brokers, dealers, and investment companies adopt written policies and procedures to safeguard customer records and information. It also requires these financial institutions and SEC-registered transfer agents to properly dispose of consumer report information.
Regulation S-P seeks to protect the financial and personal customer information kept by financial institutions from unauthorized access or use. A bad actor who obtains a customer’s personal information, such as a name, address, or social security number, can do significant damage to an individual’s credit score, bank account, and reputation. Since Regulation S-P’s adoption in 2000, advances in technology and communications have changed how individuals interact with financial institutions. Unfortunately, this also means that bad actors have potentially more opportunities to steal personal information and commit identity theft, among other potential harms.
Today’s proposed amendments are a mixed bag of practical improvements and potentially conflicting requirements. The Commission is finally proposing to implement the statutory exception added by the FAST Act in 2015 and to extend Regulation S-P to cover all transfer agents. These aspects are long overdue. In addition, the proposal requires financial institutions to develop policies and procedures for their incident response programs in a manner tailored to their particular risks and businesses.
The Commission is also proposing that financial institutions generally must notify individuals in writing within 30 days if their sensitive customer information was reasonably likely to have been accessed or used without authorization, subject to certain conditions. While customers should receive timely written notice when a financial institution suspects their sensitive information to have been accessed or used, all 50 states and other regulators have already adopted notification obligations. This requirement will thus impose additional compliance obligations for financial institutions and, to the extent that multiple or slightly different notifications are sent to customers for the same security incident, may result in confusion. State standards for notification vary, including the time for notification and the triggering circumstances. If adopted, some investors may receive a notice about their compromised information when they did not before, which may be to their benefit. However, absent a Congressionally-enacted federal data privacy law, the Commission’s proposal could easily add more burdens and confusion to the mix. I look forward to commenters’ views on this and other aspects of the proposal.
Most importantly, I am deeply concerned about the proposal’s potential for overlap with at least four other Commission proposals: the cybersecurity risk management proposal for investment advisers, funds, and business development companies; the cybersecurity risk management proposal for broker-dealers, transfer agents, self-regulatory organizations, and national exchanges; the Regulation SCI proposed amendments; and the investment adviser outsourcing proposal. This kitchen sink approach to cybersecurity raises a number of concerns, such as potentially duplicative policies and procedures and multiple notifications to the Commission and customers. In addition, some of the estimated costs for financial institutions seem completely unrealistic, such as one hour annually to comply with recordkeeping obligations. Notably, the Commission does not attempt to quantify the costs and benefits of these proposals holistically. Instead, the Commission asks commenters to weigh in on the areas of overlap and duplication. We should not be asking commenters to do our work for us.
Despite my reservations, I will support the effort to obtain public comment on this proposal to amend Regulation S-P. It has been over twenty years since its adoption and a review is appropriate to determine whether our rules are satisfactorily protecting the public. I thank the staff in the Divisions of Trading and Markets, Investment Management, and Economic and Risk Analysis, as well as the Office of the General Counsel for their efforts. I also thank the other offices around the Commission for their work on cybersecurity.
 15 U.S.C. § 6804. Section 504 of GLBA required the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers.
 See Fixing America’s Surface Transportation Act (FAST) Act, Pub. L. 114-94, section 75001, adding section 503(f) to the GLBA, codified at 15 U.S.C. 6803(f). The FAST Act amendments provided an exception to the annual notice delivery requirements for a financial institution that meets certain requirements. The exception, contained in section 503(f)(1), provides that a financial institution must not share nonpublic personal information about customers except as described in certain statutory exceptions. In addition, section 503(f)(2) requires that the financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice it sent.
 See U.S. Department of Treasury, A Financial System That Creates Opportunities: Nonbank Financials, FinTech, and Innovation (2018) at p. 41 (recommending that Congress enact a federal data privacy law), available at https://home.treasury.gov/sites/default/files/2018-08/A-Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-Innovation.pdf.
 Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Securities Act Release No. 11028 (Feb. 9, 2022), [87 FR 13524 (Mar. 9, 2022)]. In connection with today’s proposals, the Commission is re-opening the comment period for this proposal.
 Cybersecurity Risk Management Proposed Rules for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Exchange Act Release No. 97142 (Mar. 15, 2023).
 Regulation Systems Compliance and Integrity, Exchange Act Release No. 97143 (Mar. 15, 2023).
 Outsourcing by Investment Advisers, Investment Advisers Act Release No. 6176 (Oct. 26, 2022) [87 FR 68816 (Nov. 16, 2022)].