The US Securities and Exchange Commission has adopted amendments to Regulation S-P requiring entities under its remit to provide notice to individuals affected by certain types of data breaches. This adds yet another obligation to the rapidly expanding set of potential notification requirements for financial service providers and presents unique challenges for such entities.
When faced with multiple, at times conflicting, standards, it is crucial for companies to analyze and understand their obligations. Factors to be considered include the geographic location of the affected entity, the details of the incident, and the affected customers and data. Below we discuss the new SEC requirement, provide a hypothetical cybersecurity incident scenario with examples, and offer considerations for financial institutions seeking to avoid potential regulatory enforcement actions as a result of an incident.
The SEC adopted amendments to Regulation S-P (Reg. S-P) on May 15, 2024. The amendments require SEC-regulated investment advisers, investment companies, and broker-dealers to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice must be provided within 30 days of the covered institution becoming aware that unauthorized access to or use of such customer information has occurred or is reasonably likely to have occurred.
“Sensitive customer information” is now defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”
“Customer information” is now more broadly defined than under the prior version of Reg. S-P and applies regardless of whether a client relationship exists. This includes customer information that other financial institutions have provided to the covered institution.
The amendments also mandate that covered institutions develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
Notification requirements are paramount vehicles for regulatory enforcement actions and pose significant exposure and risk for companies. As such, companies must be aware of and attentive to the various requirements to avoid regulatory scrutiny and possible enforcement actions. Additionally, companies may be subject to multiple regulatory schemes with disparate standards.
This section analyzes the hypothetical scenario of a large international banking company experiencing a ransomware, phishing, or business email compromise attack, which is not out of the realm of possibility.
Analysis
A threat actor may identify or exploit a system vulnerability. Once inside, the actor can deploy tools, move through the system, escalate privileges, exfiltrate data, encrypt files, and make a ransom demand. This leads to numerous questions for the banking company:
Should the intruders gain access to or acquire the account information of customers that are spread out over multiple locations and lines of business, the bank should consider the following requirements, among others:
The requirements to consider depend on the particular affected lines of business as well as the outcome of several recent rulemaking proposals.
Further, as discussed in this Financial Crimes Enforcement Network (FinCEN) advisory, the Bank Secrecy Act also requires reporting of cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs). Financial institutions must include relevant and available cyber-related information (e.g., IP addresses with timestamps, virtual wallet information, device identifiers) in the SAR.
Per FinCEN, financial institutions should also note that filing a SAR does not relieve them from any other applicable requirements to promptly notify appropriate regulatory agencies of events concerning critical systems and information or of disruptions in their ability to operate.
Notification Timing Requirements
Given the disparate timing and standards of the various regulatory requirements, the scenario illustrates the additional regulatory burden and complexity that presents itself during what is surely a challenging time for the bank in question.
For example, CISA requires notice of an incident within 24 hours. Within 72 hours, the banking company must determine whether NYDFS must be notified and whether it is required to notify under the EU General Data Protection Regulation (GDPR). The federal banking agencies’ notification requirements mandate that a company provide notice of a computer-security incident within 36 hours. Some states allow more time.
Each of these timing requirements is built upon the individual triggers of the relevant regulation, which may vary. Regardless, these deadlines can be challenging given the limited information available to a banking company in the initial hours and days after learning of an incident. It is often advisable to consider these issues in connection with knowledgeable outside counsel, who can advise on the numerous factors within the scope of attorney-client privilege.
For more information, see our thought leadership on the following data breach notifications and regulations:
The complex potential reporting environment for financial services companies underscores the importance of careful planning. Our team at Morgan Lewis stands ready to assist clients in developing their incident response plan and incident response team, conducting tabletop exercises, and keeping up to date on current developments that may impact their comparative risk and potential obligations.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: