Memo #
22407

Institute Draft Comment Letter On The SEC's Proposed Amendments To REG. S-P; Comments Requested By April 28th



April 9, 2008

TO: CLOSED-END INVESTMENT COMPANY COMMITTEE No. 15-08
COMPLIANCE ADVISORY COMMITTEE No. 7-08
INVESTMENT ADVISERS COMMITTEE No. 7-08
OPERATIONS COMMITTEE No. 8-08
PRIVACY ISSUES WORKING GROUP No. 2-08
SEC RULES COMMITTEE No. 28-08
SMALL FUNDS COMMITTEE No. 13-08
TECHNOLOGY COMMITTEE No. 10-08
TRANSFER AGENT ADVISORY COMMITTEE No. 21-08
UNIT INVESTMENT TRUST COMMITTEE No. 7-08

RE: INSTITUTE DRAFT COMMENT LETTER ON THE SEC'S PROPOSED AMENDMENTS TO REG. S-P; COMMENTS REQUESTED BY APRIL 28th


As we previously informed you, last month the Securities and Exchange Commission proposed for comment extensive amendments to Rule 248.30 in Regulation S-P that would require each SEC registrant to have a detailed, rigorous, and robust information security program.  [1]  The program must satisfy conditions set forth in the rule relating to, among other things, the program's objectives, safeguards, testing requirements, breach notice, and recordkeeping.  Based upon comments received during our March 25th conference call on the proposal, the Institute has prepared the attached draft comment letter, which is briefly summarized below. 


Comments on the proposal are due to the SEC by Monday, May 12th.  In light of the Institute’s General Membership meeting (May 7-9), we plan to file our letter by Monday, May 5th.  Accordingly, please provide any comments you have on the draft letter to Tami Salmon by phone (202-326-5825) or email (tamara@ici.org) no later than Monday, April 28th.

The draft letter expresses the Institute’s support for the Commission’s adoption of a more robust data security rule.  It recommends, however, several revisions to the Commission’s proposal to facilitate compliance and better align its requirements with its intent and the provisions in the Gramm-Leach-Bliley Act (the “GLB Act”) that address the protection of customers’ non-public personal information.  In particular, the letter recommends that the Commission:


  • Require registrants to assign specific responsibility for the program’s implementation rather than designating an information security program coordinator by named individual;
  • Clarify the rule’s testing requirements as applied to mutual funds and their compliance programs under Rule 38a-1;
  • Provide greater clarity regarding issues involving unauthorized access that would trigger a breach notice;
  • Conform the breach notice standards used for notices to individuals to those applicable to Form SP-30, which is to be used to report certain breaches to the Commission;
  • Revise the contents and filing requirements for the proposed Form SP-30;
  • Clarify the party responsible for providing notice of unauthorized access and filing Form SP-30;
  • Conform the data subject to the rule to that subject to the Commission’s rulemaking authority under the GLB Act; 
  • Provide a sufficient compliance period, which we recommend be not less than 24 months; and
  • Adopt a similar rule requiring the Commission and each registered self-regulatory organization to have an information security program.


Each of these recommendations is discussed in detail in the draft letter.


Tamara K. Salmon
Senior Associate Counsel


Attachment 


endnotes

 [1]  See Institute Memorandum No. 22305, dated March 7, 2008, summarizing Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, SEC Release Nos. 34-57427, IC-28178, and IA-2712 (March 4, 2008) (the "Release"), available at http://www.sec.gov/rules/proposed/2008/34-57427.pdf.  The proposed requirements are patterned after similar provisions adopted by other federal regulators of financial institutions in 2001 to implement the Gramm-Leach-Bliley Act.