Memo #35321

ICI Files Comment Letter with SEC on Amendments Proposed to Regulation S-P


May 23, 2023

TO: ICI Members
Chief Compliance Officer Committee
Chief Information Security Officer Committee
Closed-End Investment Company Committee
Compliance Advisory Committee
Investment Advisers Committee
Operations Committee
SEC Rules Committee
Small Funds Committee
Technology Committee

SUBJECTS: Compliance
Cybersecurity
Disclosure
Privacy

RE: ICI Files Comment Letter with SEC on Amendments Proposed to Regulation S-P

 

As we previously informed you, in March 2023, the SEC published for comment proposed rules that would revise Regulation S-P to require SEC registrants to provide breach notices to customers and consumers in the event such persons' non-public personal information is breached.[1] The Institute has filed a comment letter with the SEC in response to the proposal. The Institute's letter supports adoption of the proposed amendments but recommends that the Commission:

  • Expand the scope of Regulation S-P to include any cybersecurity risk management programs the Commission requires of covered institutions;
  • Revise the timing of the breach notices to accommodate law enforcement investigations;
  • Delete the timing of a breach incident from the breach notice's contents;
  • Revise the definition of "sensitive customer information" to clarify its meaning;
  • Provide a 24-month compliance period;
  • Provide registrants a notice when the SEC's systems are breached; and
  • Avoid including statements in the adopting release that might result in regulation by enforcement when enforcing compliance with the rule's requirements.

The Institute's letter also notes that, in 2008, when the Commission last proposed amendments to Regulation S-P, that release sought comment on whether the SEC should be required to provide notice whenever its systems experience a breach.[2] Although the current release does not seek comment on this issue, the letter strongly recommends that the SEC impose upon itself a duty to provide notice to any person whose information held by the SEC is subject to unauthorized access. In support of this recommendation, the letter discusses the lack of meaningful information provided to registrants in connection with the 2017 breach of EDGAR.

Finally, the Institute's letter discusses our concerns with the SEC engaging in "regulation by enforcement" and recommends that, in any adopting release, the SEC refrain from including any statements that might result in regulation by enforcement when inspecting for compliance with the revised Regulation S-P. 

 

Tamara K. Salmon
Associate General Counsel
 

Notes

[1] See ICI Memo No. 35188 (March 16, 2023), available here: https://www.ici.org/memo35188, summarizing Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, SEC Release No. 34-97141 (March 15, 2023).

[2] See Part 248 - Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, SEC Release No. 34-57427 (March 4, 2008).
