
New SEC Data Breach Rule Increases Obligations for Financial Services Firms

LegalFlash
24 June 2024

The U.S. Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P that require firms under its jurisdiction to notify individuals affected by certain types of data breaches. This adds yet another obligation to the rapidly growing list of notification requirements facing financial services providers and presents distinct challenges for these firms.

With multiple, sometimes conflicting standards in play, it is critical for firms to analyze and understand their obligations. Relevant factors include the geographic footprint of the affected firm, the details of the incident, and the customers and data affected. Below, we discuss the new SEC requirement, walk through a hypothetical cybersecurity incident, and offer guidance for financial institutions seeking to avoid regulatory enforcement actions arising from an incident.

WHAT THE CHANGES MEAN

On May 15, 2024, the SEC adopted amendments to Regulation S-P (Reg. S-P) that require SEC-regulated investment advisers, investment companies, and broker-dealers to notify individuals whose sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization. Notice must be given as soon as practicable, and no later than 30 days after the firm becomes aware that such unauthorized access or use has occurred or is reasonably likely to have occurred.

“Sensitive customer information” is now defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

“Customer information” is now defined more broadly than under the prior version of Reg. S-P and applies regardless of whether the individual has a customer relationship with the firm. It also covers customer information that another financial institution has made available to the firm concerned.

The amendments also require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.

Reporting requirements are an essential tool for regulators and a significant source of risk for firms: a missed or late notification is itself a basis for enforcement, independent of the underlying incident. Firms must therefore know and comply with each applicable requirement, bearing in mind that a single incident may fall under multiple regulatory regimes with differing standards.

HYPOTHETICAL SCENARIO

This section analyzes a hypothetical scenario in which a large international banking company falls victim to a ransomware, phishing, or business email compromise attack, a scenario that is far from unlikely.

Analysis

A threat actor identifies and exploits a vulnerability in one of the bank's systems. From there, the attacker deploys tooling, moves laterally across the network, escalates privileges, exfiltrates data, encrypts files, and demands a ransom. This raises numerous questions for the bank:

  • How was the incident discovered?
  • How long has the threat actor been on the network?
  • Has data been compromised?
  • What impact does this have on operations?
  • What is the extent of the incident?
  • Has a reportable incident occurred?
  • What can be reported within the next 36 or 72 hours?
  • Who needs to be notified?
    • Which federal regulators?
    • Which state regulators?
  • Do customers and private individuals need to be notified?
  • What must each notification contain?

If the attackers gain access to account information of customers spread across multiple jurisdictions and business units, the bank must consider, among others, the following requirements:

  • State laws requiring notification of breaches to individuals and state regulators
  • Notification to federal banking and securities regulators
  • Customer notification under the SEC's Reg. S-P requirements
  • Notification to EU supervisory authorities under the GDPR
  • Notification to the New York Department of Financial Services (NYDFS)
  • Notification of the Cybersecurity and Infrastructure Security Agency (CISA)

Which requirements apply depends on the business lines affected and on the outcome of several pending rulemaking proposals.

As explained in an advisory from the Financial Crimes Enforcement Network (FinCEN), the Bank Secrecy Act also requires the reporting of cybercrimes and cyber events through Suspicious Activity Reports (SARs). Financial institutions must include in the SAR any relevant and available cyber-related information, such as IP addresses with timestamps, virtual currency wallet information, and device identifiers.

FinCEN also notes that filing a SAR does not relieve a financial institution of its other obligations, in particular the duty to promptly notify the appropriate regulators of events affecting critical systems and information or disrupting their operability.

Notification timing requirements

Given the differing deadlines and standards of the various regulatory requirements, the scenario illustrates the additional regulatory burden and complexity that arises at what is already a difficult time for the bank concerned.

For example, under CISA's proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a ransom payment would have to be reported within 24 hours and a covered cyber incident within 72 hours. Within 72 hours, the bank must also determine whether NYDFS must be notified and whether notification is required under the EU General Data Protection Regulation (GDPR). The federal banking agencies' computer-security incident notification rule requires a banking organization to notify its primary federal regulator within 36 hours. Some state laws allow more time.

Each of these deadlines runs from a trigger that is specific to the regulation in question, and those triggers vary. Regardless, the timelines are demanding given how little reliable information a bank typically has in the first hours and days after an incident is discovered. It is often advisable to work through these questions with knowledgeable outside counsel, who can advise on the numerous factors involved under the protection of attorney-client privilege.

FURTHER READING

For more information, please see our discussion of the following data breach notifications and policies:

HOW WE CAN HELP

The complex reporting environment for financial services firms underscores the importance of careful planning. Our team at Morgan Lewis is available to help clients develop their incident response plan and incident response team, run tabletop simulations, and stay up to date with developments that may affect their risk profile and potential liabilities.