[35235]
April 10, 2023
TO: Transfer Agent Advisory Committee RE: Proposed Amendments to Regulation S-P
As we previously informed you, on March 15, 2023, the Securities and Exchange Commission proposed amendments to Regulation S-P, which governs the duty SEC registrants have to provide privacy notices to customers, to protect such persons' non-public personal information (NPPI), and to properly dispose of NPPI.[1] The amendments proposed to Regulation S-P would expand its scope to include transfer agents and to require persons subject to the regulation to provide affected persons a breach notice in the event such person's NPPI was compromised.[2] On March 29th, the Institute held a call with the Institute's Transfer Agency Advisory Committee to discuss the proposal. The following day, we held a call with the Institute's Privacy Issues Working Group to get their views on the proposal. Based on members' input, the Institute has prepared a comment letter on the proposal.
The Institute's comment letter will express our support for the Commission adopting the amendments it has proposed Regulation S-P. Our letter will recommend, however, that the Commission:
- Expand the scope of Regulation S-P to include any cybersecurity risk management programs the Commission requires of covered institutions;[3]
- Revise the timing of the breach notices to accommodate law enforcement investigations;
- Delete the timing of a breach incident from the breach notice's contents;
- Revise the definition of "sensitive customer information" to clarify its meaning;
- Provide a 24-month compliance period;
- Provide registrants a notice whenever the SEC's systems are breached; and
- Avoid including statements in the adopting release that might result in regulation by enforcement of any new requirements.
Each of these recommendations is discussed in detail in the Institute's draft letter.
If you are interested in providing feedback on the Institute's draft comment letter, please email Jennifer Odom (jodom@ici.org) to obtain a copy of the 19-page draft letter. Such feedback is requested by having the reviewer return to the Institute a red-lined version of the draft letter containing the reviewer's edits. Such redlined version must be provided to the Institute no later than Friday, April 28th.
Tamara K. Salmon
Associate General Counsel
Notes
[1] See Institute Memorandum 35189 (March 16, 2023).
[2] See Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, SEC Release Nos. 34-97141, IA-6262, and IC-34854 (March 15, 2023) (the "Release"), which is available at: https://www.sec.gov/rules/proposed/2023/34-97141.pdf.
[3] See Cybersecurity Risk Management for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, SEC Release No. 34-97143; File No. S7-06-232 (March 15, 2023)(Release) and Reopening of Comment Period for Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, SEC Release Nos. 33-11167, 34-97144, IA-6263, and IC-34855 (March 15, 2023).