Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

AGENCY:

Securities and Exchange Commission.

ACTION:

Proposed rule.

SUMMARY:

The Securities and Exchange Commission (“Commission” or “SEC”) is proposing rule amendments that would require brokers and dealers (or “broker-dealers”), investment companies, and investment advisers registered with the Commission (“registered investment advisers”) to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. The Commission also is proposing to broaden the scope of information covered by amending requirements for safeguarding customer records and information, and for properly disposing of consumer report information. In addition, the proposed amendments would extend the application of the safeguards provisions to transfer agents. The proposed amendments would also include requirements to maintain written records documenting compliance with the proposed amended rules. Finally, the proposed amendments would conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act (“GLBA”).

DATES:

Comments should be received on or before June 5, 2023.

ADDRESSES:

Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form ( http://www.sec.gov/rules/submitcomments.htm ); or

• Send an email to rule-comments@sec.gov. Please include File Number S7–05–23 on the subject line.

Paper Comments

• Send paper comments to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

All submissions should refer to File Number S7–05–23. The file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method of submission. The Commission will post all comments on the Commission's website ( http://www.sec.gov/rules/proposed.shtml ). Comments are also available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Operating conditions may limit access to the Commission's public reference room. All comments received will be posted without change; the Commission does not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on the Commission's website. To ensure direct electronic receipt of such notifications, sign up through the “Stay Connected” option at www.sec.gov to receive notifications by email.

FOR FURTHER INFORMATION CONTACT:

Susan Poklemba, Brice Prince, or James Wintering, Special Counsels; Edward Schellhorn, Branch Chief; Devin Ryan, Assistant Director; John Fahey, Deputy Chief Counsel; Emily Westerberg Russell, Chief Counsel; Office of Chief Counsel, Division of Trading and Markets, (202) 551–5550; Jessica Leonardo or Taylor Evenson, Senior Counsels; Aaron Ellias, Acting Branch Chief; Marc Mehrespand, Branch Chief; Thoreau Bartmann, Co-Chief Counsel, Chief Counsel's Office, Division of Investment Management, (202) 551–6792, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION:

The Commission is proposing for public comment amendments to 17 CFR 248 (“Regulation S–P”) under Title V of the GLBA [15 U.S.C. 6801–6827], the Fair Credit Reporting Act (“FCRA”) [15 U.S.C. 1681–1681x], the Securities Exchange Act of 1934 (“Exchange Act”) [15 U.S.C. 78a et seq.], the Investment Company Act of 1940 (“Investment Company Act”) [15 U.S.C. 80a–1 et seq.], and the Investment Advisers Act of 1940 (“Investment Advisers Act”) [15 U.S.C. 80b–1 et seq.].

Table of Contents

I. Introduction

A. Background

B. 2008 Proposal

C. Overview of the Proposal

II. Discussion

A. Incident Response Program Including Customer Notification

1. Assessment

2. Containment and Control

3. Service Providers

4. Notice to Affected Individuals

B. Remote Work Arrangement Considerations

C. Scope of Information Protected Under the Safeguards Rule and Disposal Rule

1. Definition of Customer Information

2. Safeguards Rule and Disposal Rule Coverage of Customer Information

3. Extending the Scope of the Safeguards Rule and the Disposal Rule To Cover All Transfer Agents

4. Maintaining the Current Regulatory Framework for Notice-Registered Broker-Dealers

D. Recordkeeping

E. Exception From the Annual Notice Delivery Requirement

1. Current Regulation S–P Requirements for Privacy Notices

2. Proposed Amendment

F. Request for Comment on Limited Information Disclosure When Personnel Leave Their Firms

G. Other Current Commission Rule Proposals

1. Covered Institutions Subject to the Regulation SCI Proposal and the Exchange Act Cybersecurity Proposal

2. Investment Management Cybersecurity

H. Existing Staff No-Action Letters and Other Staff Statements

I. Proposed Compliance Date

III. Economic Analysis

A. Introduction

B. Broad Economic Considerations

C. Baseline

1. Safeguarding Customer Information—Risks and Practices

2. Regulation

3. Market Structure

D. Benefits and Costs of the Proposed Rule Amendments

1. Response Program

2. Extend Scope of Customer Safeguards to Transfer Agents

3. Recordkeeping

4. Exception From Annual Notice Delivery Requirement

E. Effects on Efficiency, Competition, and Capital Formation

F. Reasonable Alternatives Considered

1. Reasonable Assurances From Service Providers

2. Lower Threshold for Customer Notice

3. Encryption Safe Harbor

4. Longer Customer Notification Deadlines

5. Broader Law Enforcement Exception From Notification Requirements

G. Request for Comment on Economic Analysis

IV. Paperwork Reduction Act

A. Introduction

B. Amendments to the Safeguards Rule and Disposal Rule

C. Request for Comment

V. Initial Regulatory Flexibility Act Analysis

A. Reason for and Objectives of the Proposed Action

B. Legal Basis

C. Small Entities Subject to Proposed Rule Amendments

D. Projected Reporting, Recordkeeping, and Other Compliance Requirements

E. Duplicative, Overlapping, or Conflicting Federal Rules

F. Significant Alternatives

G. Request for Comment

VI. Consideration of Impact on the Economy Statutory Authority

I. Introduction

The Commission adopted Regulation S–P in 2000. Regulation S–P's provisions include, among other requirements, rule 248.30(a) (“safeguards rule”), which requires brokers, dealers, investment companies, and registered investment advisers to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information. Another provision of Regulation S–P, rule 248.30(b) (“disposal rule”), which applies to transfer agents registered with the Commission in addition to the institutions covered by the safeguards rule, requires proper disposal of consumer report information. Since Regulation S–P was adopted, evolving digital communications and information storage tools and other technologies have made it easier for firms to obtain, share, and maintain individuals' personal information. This evolution also has changed or exacerbated the risks of unauthorized access to or use of personal information, thus increasing the risk of potential harm to individuals whose information is not protected against unauthorized access or use.

This environment of expanded risks supports our proposing updates to the requirements of Regulation S–P. Currently, the safeguards rule addresses protecting customer information against unauthorized access or use, but it does not include a requirement to notify affected individuals in the event of a data breach. In assessing firm and industry compliance with these requirements, Commission staff typically focus on information security controls, including whether firms have taken appropriate measures to safeguard customer accounts and to respond to data breaches. Commission staff have observed a number of practices with respect to the information safeguards requirements of Regulation S–P and have provided observations on several occasions to assist firms in improving their practices. Although many firms have improved their programs for safeguarding customer records and information in light of these observations, nonetheless we are concerned that some firms may not maintain plans for addressing incidents of unauthorized access to or use of data. We also are concerned the incident response programs that firms have implemented may be insufficient to respond to evolving threats or may not include well-designed plans for customer notification.

We therefore preliminarily believe specifically requiring a reasonably designed incident response program, including policies and procedures for assessment, control and containment, and customer notification, could help reduce or mitigate the potential for harm to individuals whose sensitive information is exposed or compromised in a data breach. Requiring firms to adopt incident response programs to address unauthorized access to or use of customer information, including customer notification and recordkeeping requirements, would enhance protections for customer information. The advance planning required under an incident response program should improve an institution's preparedness and the effectiveness of its response to data breaches while still being consistent with the requirements for safeguarding standards articulated in the GLBA.

In certain instances, some types of customer notification plans may already be required by existing state laws mandating customer notifications. While all 50 states have enacted laws in recent years requiring firms to notify individuals of data breaches, standards differ by state, with some states imposing heightened notification requirements relative to other states. Currently, broker-dealers, investment companies, and registered investment advisers respond to data breaches according to applicable state laws. For example, states differ in the types of information that, if accessed or used without authorization, may trigger a notification requirement. States also differ regarding a firm's duty to investigate a data breach when determining whether notice is required, deadlines to deliver notice, and the information required to be included in a notice, among other matters. As a result, a firm's notification obligations arising from a single data breach may vary such that customers in one state may receive notice while customers of the same institution in another state may not receive notice or may receive less information. In reviewing these state laws, we determined that certain aspects of these provisions would be appropriately adopted as components of a Federal minimum standard for customer notification, which would help affected customers understand how to respond to a data breach to protect themselves from potential harm that could result.

Our proposal would afford certain individuals greater protections by, for example, defining “sensitive customer information” more broadly than the current definitions used by at least 12 states, thereby requiring customers in those states to receive notice for a broader range of personal information included in a breach. Additionally, the 30-day notification deadline proposed in this release is shorter than the timing currently mandated by 15 states, and would also offer enhanced protections to individuals in 32 states with laws that do not include a notification deadline as well as those in states that mandate or permit delayed notifications for law enforcement purposes. A standardized notification deadline ensures timely notice to affected customers and would enhance their ability to take action quickly to protect themselves against the consequences of a breach. Further, consistent with 22 state laws, this proposal would require customer notification unless, after investigation, the covered institution finds no risk of harm. Twenty-one states currently have a presumption against notifying customers of a breach, and only require notice if, after investigation, the covered institution finds risk of harm. In addition, in the 11 states where state customer notification laws do not apply to entities subject to or in compliance with the GLBA, the proposal would help ensure customers of such institutions receive notice of a breach. As discussed more fully below, establishing a federal minimum standard would protect individuals in an environment of enhanced risk.

There are compelling reasons to revisit other aspects of the current safeguards regime as well. As noted above, the safeguards rule currently applies to broker-dealers, investment companies, and registered investment advisers. The safeguards rule does not currently apply to transfer agents, even though they also obtain, share, and maintain personal information on behalf of securityholders who hold securities in registered form ( i.e., in their own name rather than indirectly through a broker). Securityholders whose personal information is maintained by transfer agents could be harmed by the unauthorized access or use of such information in the same manner as customers of broker-dealers, investment companies, and registered investment advisers, yet such securityholders are not currently protected by the safeguards rule. The Commission preliminarily believes that extending the safeguards rule to cover transfer agents is necessary to ensure that there is a Federal minimum standard for the notification of securityholders who are affected by a data breach that leads to the unauthorized access or use of their information, regardless of whether that data breach occurs at a broker-dealer, investment company, registered investment adviser, or transfer agent.

In addition, the safeguards rule currently requires only that institutions protect their own customers' information. This potentially overlooks information a broker-dealer, investment company, or registered investment adviser may have received from another financial institution about that financial institution's customers, such as nonpublic personal information from an introducing broker or dealer that clears transactions for its customers through a clearing broker on a fully disclosed basis. Applying the safeguards rule and the disposal rule to customer information that a covered institution receives from other financial institutions would better protect individuals by ensuring customer information safeguards are not lost when a third-party financial institution shares that information with a covered institution. Finally, applying the safeguards rule and the disposal rule to a broader set of information should enhance the security and confidentiality of customers' personal information.

Therefore, the Commission is proposing amendments to Regulation S–P to enhance the protection of this information by: (1) requiring covered institutions to include incident response programs in their safeguards policies and procedures to address unauthorized access to or use of customer information, including procedures for providing timely notification to affected individuals; (2) extending the safeguards rule to all transfer agents registered with the Commission or another appropriate regulatory agency as defined in section 3(a)(34)(B) of the Exchange Act (unless otherwise noted, we refer to them collectively as “transfer agents” for purposes of this release); (3) more closely aligning the information protected by the safeguards rule and the disposal rule; and (4) broadening the set of customers covered by those rules.

A. Background

Title V of the GLBA, among other things, directed the Commission and other Federal financial regulators to establish and implement standards requiring financial institutions subject to their jurisdiction to adopt administrative, technical, and physical safeguards for the protection of customer records and information. The GLBA specified that these standards were “(1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”

As noted above, the safeguards rule sets forth standards for safeguarding customer records and information and currently requires covered institutions to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information. While the term “customer records and information” is not defined in the GLBA or in Regulation S–P, the safeguards must be reasonably designed to meet the GLBA's standards. This approach is designed to provide flexibility for covered institutions to safeguard customer records and information in accordance with their own privacy policies and practices and business models.

Pursuant to the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), the Commission amended Regulation S–P in 2004 by adopting the disposal rule to protect against the improper disposal of “consumer report information.” “Consumer report information” is defined as “any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report” and also means “a compilation of such records,” but does not include “information that does not identify individuals, such as aggregate information or blind data.” The disposal rule currently applies to the financial institutions subject to the safeguards rule, except that it excludes “notice-registered broker-dealers,” and it applies to transfer agents registered with the Commission. The disposal rule requires these entities that maintain or possess “consumer report information” for a business purpose, to take “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”

The GLBA and FACT Act oblige us to adopt regulations, to the extent possible, that are consistent and comparable with those adopted by the Banking Agencies and the FTC. Accordingly, in determining the scope of the proposed amendments contemplated in this proposal, including for example, the definitions of “customer information” and “sensitive customer information” described below, we are mindful of the need to set standards for safeguarding customer records and information that are consistent and comparable with the corresponding standards set by the Banking Agencies and the FTC.

B. 2008 Proposal

In 2008, the Commission proposed amendments to Regulation S–P primarily to help prevent information security breaches in the securities industry and to improve responsiveness when such breaches occur, with the goal of better protecting investors from identity theft and other misuse of what the proposal would have defined as “personal information.” The 2008 Proposal would have set out specific standards for safeguarding customer records and information, including requirements for procedures to respond to incidents of unauthorized access to or use of personal information. Those requirements would have included procedures for notifying the Commission (or a broker-dealer's designated examining authority ) of data breach incidents, and procedures for notifying individuals of incidents of unauthorized access to or misuse of sensitive personal information, if the misuse had occurred or was reasonably possible. The 2008 Proposal also would have amended the safeguards rule and the disposal rule so that both would have protected “personal information,” which would have included any record containing either “nonpublic personal information” or “consumer report information.” In addition, the 2008 Proposal would have extended the safeguards rule to apply to transfer agents registered with the Commission, and would have extended the disposal rule to apply to natural persons who are associated persons of a broker or dealer, supervised persons of a registered investment adviser, and associated persons of any transfer agent registered with the Commission. The 2008 Proposal would have further required brokers, dealers, investment companies, registered investment advisers, and transfer agents registered with the Commission to maintain and preserve written records of their policies and procedures required under the disposal and safeguards rules and compliance with those policies and procedures.

The Commission received over 400 comment letters in response to the 2008 Proposal. The current proposal to amend Regulation S–P has been informed by comments received on the 2008 Proposal. Most commenters supported requirements for comprehensive information security programs that are consistent and comparable to the rules and guidance of other Federal financial regulators. Many commenters, however, objected to changes in the scope of information and entities covered by the proposed amendments. Many commenters opposed or suggested modifying the proposed amendments' information security breach response provisions. Comments were mixed on the proposed exception for disclosures relating to transfers of representatives from one broker-dealer or registered investment adviser to another.

C. Overview of the Proposal

There are no Commission rules at this time expressly requiring broker-dealers, investment companies, or registered investment advisers to have policies and procedures for responding to data breach incidents or to notify customers of those breaches. As noted above, advance planning would be part of creating a reasonably designed incident response program, and its prompt implementation following a breach (including notification to affected individuals), is important in limiting potential harmful impacts to individuals. While we recognize that state laws require covered institutions to notify state residents of data breaches, those laws are not consistent and exclude some entities from certain requirements. Accordingly, a Federal minimum standard would provide notification to all customers of a covered institution affected by a data breach (regardless of state residency) and provide consistent disclosure of important information to help affected customers respond to a data breach. Other Federal regulators' GLBA safeguarding standards also include a requirement for a data breach response plan or program.

The Commission is proposing amendments to Regulation S–P's safeguards rule. The proposed amendments would require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The amendments would require that a response program include procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident to prevent further unauthorized access or use.

The proposed response program procedures also would have to include notification to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice would not be required if a covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Under the proposed amendments, a customer notice must be clear and conspicuous and provided by a means designed to ensure that each affected individual can reasonably be expected to receive it. A covered institution would be required to provide notice as soon as practicable, but not later than 30 days, that the incident occurred or is reasonably likely to have occurred. To the extent a covered institution would have a notification obligation under both the proposed rules and a similar state law, a covered institution should be able to provide one notice to satisfy notification obligations under both the proposed rules and the state law, provided it included all information required under both the proposed rules and the state law.

The Commission also is proposing amendments to Regulation S–P to enhance the protection of customers' nonpublic personal information. These proposed amendments would more closely align the information protected under the safeguards rule and the disposal rule by applying the protections of both rules to “customer information,” a newly defined term. We also propose to broaden the group of customers whose information is protected under both rules. Additionally, we propose to bring all transfer agents within the scope of the safeguards rule.

The proposal is not inconsistent with other recent cybersecurity-related rulemaking proposals. Additionally, as described in greater detail below, the Commission is also proposing rules and rule amendments related to cybersecurity risk and related disclosures as well as Regulation SCI. We encourage commenters to review those other cybersecurity-related rulemaking proposals to determine whether those proposals might affect comments on this proposing release.

II. Discussion

A. Incident Response Program Including Customer Notification

Security incidents can occur in different ways, such as through takeovers of online accounts by bad actors, improper disposal of customer information in areas that may be accessed by unauthorized persons, or the loss or theft of data that includes customer information. Whatever the means, unauthorized access to, or use of, customer information may result in misuse, exposure or theft of a customer's nonpublic personal information, which could result in substantial harm or inconvenience to individuals affected by a security incident. Exposure of customer information in a security incident, whether it results from unauthorized access to or use of customer information by an employee or external actor, could leave affected individuals vulnerable to having their information further compromised. Bad actors can use customer information to cause harm in a number of ways, such as by stealing customer identities to sell to other bad actors on the dark web, publishing customer information on the dark web, using customer identities to carry out fraud themselves, or taking over a customer's account for malevolent purposes. For example, a bad actor could use compromised customer information such as login credentials ( e.g., a username and password), as part of an account takeover scheme to obtain unauthorized entry to a customer's online brokerage account, putting customer assets at risk for unauthorized fund transfers or trades. Similarly, a bad actor could engage in new account fraud by using compromised customer information to establish a brokerage account without the customer's knowledge through identity theft. Once the bad actor has taken over the customer's account, or has opened a fraudulent new account, it could potentially use a separate account at another broker-dealer to trade against these accounts for profit, which could result in harm to the affected customer.

To help protect against harms that may result from a security incident involving customer information, the Commission is proposing to amend the safeguards rule to require that covered institutions' safeguards policies and procedures include a response program for unauthorized access to or use of customer information, which would include customer notification procedures. The proposed amendments would require the response program to be reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information (for the purposes of this release, an “incident”). As noted above, any instance of unauthorized access to or use of customer information would trigger a covered institution's incident response protocol. The amendments would also require that the response program include procedures for notifying affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.

In this regard, requiring covered institutions to have this type of incident response program could help mitigate the risk of harm to affected individuals stemming from such incidents. For example, having a response program should help covered institutions to be better prepared to respond to incidents, and providing notice to affected individuals should aid those individuals in taking protective measures that could mitigate harm that might otherwise result from unauthorized access to or use of their information. Further, a reasonably designed response program will help facilitate more consistent and systematic responses to customer information security incidents, and help avoid inadequate responses based on a covered institution's initial impressions of the scope of the information involved in the compromise. In addition, requiring the response program to address any incident involving customer information can help a covered institution better contain and control these incidents and facilitate a prompt recovery.

The amendments would require that a covered institution's response program include policies and procedures containing certain general elements, but would not prescribe specific steps a covered institution must take when carrying out incident response activities. Instead, covered institutions may tailor their policies and procedures to their individual facts and circumstances. We recognize that given the number and varying characteristics ( e.g., size, business, and complexity) of covered institutions, each such institution needs to be able to tailor its incident response program procedures based on its individual facts and circumstances. The proposed amendments therefore are intended to give covered institutions the flexibility to address the general elements in the response program based on the size and complexity of the institution and the nature and scope of its activities.

Specifically, a covered institution's incident response program would be required to have written policies and procedures to:

(i) assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization;

(ii) take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and

(iii) notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization in accordance with the notification obligations discussed below, unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

The proposed response program is designed to further the objectives of the safeguards rule, particularly protecting against unauthorized access to or use of customer information. We have also proposed rules that would more broadly address general cybersecurity risks, with which the response program proposed in Regulation S–P is not inconsistent, as discussed in more detail below. Our recent proposals would require investment advisers, investment companies, and certain market entities to adopt and implement written policies and procedures that require measures to detect, respond to, and recover from a cybersecurity incident. The Investment Management Cybersecurity Proposal, including the cybersecurity response measures, is more broadly focused on investment advisers and investment companies and their operations. Among other objectives, the proposed measures would include policies and procedures reasonably designed to ensure the protection of adviser (or fund) information systems and adviser (or fund) information residing therein. Similarly, the Exchange Act Cybersecurity Proposal, which includes cybersecurity response measures, is more broadly focused on Market Entities and their operations, and would include policies and procedures reasonably designed to ensure the protection of the Market Entities' information systems and the information residing on those systems.

The response program proposed in Regulation S–P, however, is narrowly focused and the required incident response policies and procedures should be specifically tailored to address unauthorized access to or use of customer information, including procedures for assessing the nature and scope of such incidents and identifying the customer information and customer information systems that may have been accessed or used without authorization, as well as taking steps to contain and control the incident to prevent further unauthorized access to or use of customer information. Given the risk of harm posed to customers and other affected individuals by incidents involving customer information, it is important that covered institutions' policies and procedures be reasonably designed to implement an incident response under these circumstances.

We request comment on the proposed rule's requirement that covered institutions' policies and procedures include an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including the following:

1. What best practices have commenters developed or become aware of with respect to the types of measures that can be implemented as part of an incident response program? Are there any measures commenters have found to be ineffective or relatively less effective? To the contrary, are there any measures that commenters have found to be effective, or relatively more effective?

2. Should we require the response program procedures to set forth a specific timeframe for implementing incident response activities under Regulation S–P? For example, should the procedures state that incident response activities, such as assessment and containment, should commence promptly, or immediately, once an incident has been discovered?

3. Are the proposed elements for the incident response program appropriate? Should we modify the proposed elements? For instance, should the rule prescribe more specific steps for incident response within the framework of the procedures, such as detailing the steps that an institution should take to assess the nature and scope of an incident, or to contain and control an incident? If so, please describe the steps and explain why they should be included. Alternatively, should the requirements for the incident response program be less prescriptive and more principles-based? If so, please describe how and why the requirements should be modified.

4. Are there additional or different elements that should be included in an incident response program? For example, should the rule require procedures for taking corrective measures in response to an incident, such as securing accounts associated with the customer information at issue? Should the rule require procedures for monitoring customer information and customer information systems for unauthorized access to or use of those systems, and data loss as it relates to those systems? Should the rule require procedures for identifying the titles and roles of individuals or departments ( e.g., managers, directors, and officers) who should be responsible for overseeing, implementing, and executing the incident response program, as well as procedures to determine compliance? If additional or different elements should be added, please describe the element, and explain why it should be included in the response program.

5. Is the scope of the incident response program appropriate? For example, is the scope of the incident response program reasonably aligned with the vulnerability of the customer information at issue?

• Should the incident response program be more limited in scope, so that it would only address incidents that involve unauthorized access to or use of a subset of customer information ( e.g., sensitive customer information)? If so, please explain the subset of customer information that should require an incident response program.

• Alternatively, should the incident response program be more expansive in scope, so that it would cover additional activity beyond unauthorized access to or use of customer information? For example, should the incident response program address cybersecurity incident response and recovery at large ( i.e., should the rule require covered institutions to have a response program reasonably designed to detect, respond to, and recover from a cybersecurity incident)?

1. Assessment

The Commission is proposing to require that the incident response program include procedures for: (1) assessing the nature and scope of any incident involving unauthorized access to or use of customer information, and (2) identifying the customer information systems and types of customer information that may have been accessed or used without authorization. For example, a covered institution's assessment may include gathering information about the type of access, the extent to which systems or other assets have been affected, the level of privilege attained by any unauthorized persons, the operational or informational impact of the breach, and whether any data has been lost or exfiltrated. Examining a range of data sources could shed light on the incident timeline, and assessing affected systems and networks could help to identify additional anomalous activity that might be adversarial behavior.

The assessment requirement is designed to require a covered institution to identify both the customer information systems and types of customer information that may have been accessed or used without authorization during the incident, as well as the specific customers affected, which would be necessary to fulfill the obligation to notify affected individuals. Covered institutions generally should evaluate and adjust their assessment procedures periodically, regardless of any specific regulatory requirement, to ensure they remain reasonably designed to accomplish their goals. In addition, assessment should help facilitate the evaluation of whether sensitive customer information has been accessed or used without authorization, which informs whether notice would have to be provided, as discussed below. A covered institution's assessment may also be useful for collecting other information that is required to populate the notice, such as identifying the date or estimated date of the incident, among other details. Information developed during the assessment process may also help covered institutions develop a contextual understanding of the circumstances surrounding an incident, as well as enhance their technical understanding of the incident, which should be helpful in guiding incident response activities such as containment and control measures. The assessment process may also be helpful for identifying and evaluating existing vulnerabilities that could benefit from remediation in order to prevent such vulnerabilities from being exploited in the future.

We request comment on the proposed rule's requirements related to assessing the nature and scope of any incident involving unauthorized access to or use of customer information, including the following:

6. Should we provide additional examples for consideration in assessing the nature and scope of an incident, beyond the examples provided above ( e.g., type of access, the extent to which systems or other assets have been affected, the level of privilege attained by any unauthorized persons, the operational or informational impact of the breach, and whether any data has been lost or exfiltrated)?

7. Should we require that the assessment include the specific components referenced in the above question?

8. Should we require any specific training for personnel performing assessments of security incidents? Should the training have to encompass security updates and training sufficient to address relevant security risks?

9. Various rules applicable to certain entities require, among other things, the review, testing, verification, and/or amendment of policies and procedures at regular intervals. Should we specifically require covered institutions to evaluate and adjust, as appropriate, the assessment procedures periodically in this rule? If so, how frequently should the evaluation occur? Should we require any testing (such as a practice exercise) of a covered institution's assessment process?

10. Would covered institutions expect to use third parties to conduct these assessments? If so, to what extent and in what manner? Should there be any additional or specific requirements for third parties that conduct assessments? Why or why not?

2. Containment and Control

The Commission is proposing to require that the response program have procedures for taking appropriate steps to contain and control a security incident, to prevent further unauthorized access to or use of customer information. The objective of containment and control is to prevent additional damage from unauthorized activity and to reduce the immediate impact of an incident by removing the source of the unauthorized activity. Covered institutions generally should evaluate and revise their containment and control procedures periodically, regardless of any specific regulatory requirement, to ensure they remain reasonably designed to accomplish their goals. Strategies for containing and controlling an incident vary depending upon the type of incident and may include, for example, isolating compromised systems or enhancing the monitoring of intruder activities, searching for additional compromised systems, changing system administrator passwords, rotating private keys, and changing or disabling default user accounts and passwords, among other interventions. Some standards advise that after ensuring that all means of persistent access into the network have been accounted for, and any intrusive activity has been sufficiently contained, the artifacts of the incident should also be eliminated ( e.g., by removing malicious code or re-imaging infected systems) and vulnerabilities or other conditions that were exploited to gain unauthorized access should be mitigated.

Additional eradication activities may include, for example, remediating all infected IT environments ( e.g., cloud, operational technology, hybrid, host, and network systems), resetting passwords on compromised accounts, and monitoring for any signs of adversary response to containment activities. Because incident response may involve making complex judgment calls, such as deciding when to shut down or disconnect a system, developing and implementing written containment and control policies and procedures will provide a framework to help facilitate improved decision making at covered institutions during potentially high-pressure incident response situations.

We request comment on the proposed rule's requirement that the incident response program have procedures for taking appropriate steps to contain and control a security incident, including the following:

11. Should there be additional or more specific requirements for containing and controlling a breach of a customer information system? Should the rule prescribe specific minimum steps that need to be taken to remediate any identified weaknesses in customer information systems and associated controls? For example, should we require that a covered institution's containment or control activities be consistent with any current governmental or industry standards or guidance, such as standards disseminated by NIST, guidance disseminated by CISA, or others?

12. Are the examples of steps that may be taken to contain and control an incident ( e.g., isolating compromised systems or enhancing the monitoring of intruder activities, searching for additional compromised systems, changing system administrator passwords, rotating private keys, and changing or disabling default user accounts and passwords) appropriate? Are there any additional examples of steps that could be taken to contain and control an incident that should be provided?

13. Are the examples of remediation and eradication activities provided ( e.g., remediating all infected IT environments (such as cloud, operational technology, hybrid, host, and network systems, resetting passwords on compromised accounts, and monitoring for any signs of adversary response to containment activities) appropriate? Are there any additional examples of remediation or eradication activities that should be provided?

14. Should the rule require that a covered institution evaluate and revise its incident response plan following a customer information incident?

15. Various rules applicable to certain entities require, among other things, the review, testing, verification, and/or amendment of policies and procedures at regular intervals. Should we specifically require covered institutions to evaluate and revise containment and control procedures related to preventing unauthorized access to or use of customer information periodically? If so, how frequently should the evaluation occur? For example, should a covered institution be required to evaluate and revise these containment and control procedures at least annually?

16. Who should be responsible for making decisions related to containment and control? Should the rule require covered institutions to designate specific personnel to be responsible for making decisions related to containment and control? For example, should a covered institution have to identify specific personnel with sufficient cybersecurity qualifications and experience to either determine if an incident has been contained or controlled themselves, or hire a third party who has the requisite cybersecurity and recovery expertise to perform containment and control functions? If so, what type of qualifications or experience are useful for informing decisions related to containment and control? Or should it be the same individuals who are designated to perform incident response and recovery related functions for cybersecurity incidents under the Investment Management Cybersecurity Proposal and the Exchange Act Cybersecurity Proposal?

3. Service Providers

We understand that a covered institution may contract with third-party service providers to perform certain business activities and functions, for example, trading and order management, information technology functions, and cloud computing services, among others, in a practice commonly referred to as outsourcing. As a result of this outsourcing, service providers may receive, maintain, or process customer information, or be permitted to access a covered institution's customer information systems. These outsourcing relationships or activities may expose covered institutions and their customers to risk through the covered institutions' service providers, including risks related to system resiliency and the ability of a service provider to protect customer information and systems (including service provider incident response programs). Moreover, a security incident at a service provider could lead to the unauthorized access to or use of customer information or customer information systems, which could potentially result in harm to customers. For example, a bad actor could use a service provider's access to a covered institution's systems to infiltrate the covered institution's network through a cybersecurity compromise in the supply chain, which is a vector that can be used to conduct a data breach, and thereby gain unauthorized access to the covered institution's customer information and customer information systems through an initial compromise at the service provider.

Under the proposed amendments, we propose to define the term “service provider” to mean any person or entity that is a third party and receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution. This definition would include affiliates of covered institutions if they are permitted access to this information through their provision of services. The proposed scope is intended to help protect against the risk of harm that may arise from third-party access to a covered institution's customer information and customer information systems. For example, in 2015, Division of Examinations staff released observations following the examinations of some institutions' cybersecurity policies and procedures relating to vendors and other business partners, which revealed mixed results with respect to whether the firms incorporated requirements related to cybersecurity risk into their contracts with vendors and business partners.

Given the potential for bad actors to target third parties with access to a covered institution's systems, it is important to help mitigate the risk of harm posed by security compromises that may occur at service providers. For example, a covered institution could retain a cloud service provider to maintain its books and records. A security incident at this cloud service provider that resulted in unauthorized access to or use of these books and records could create a risk of substantial harm to the covered institution's customers and trigger a need for notification to allow the affected customers to address this risk. Because service providers would be obligated to notify a covered institution in the event of security breaches involving customer information systems, as discussed below, this could potentially help covered institutions implement their own incident response protocol more quickly and efficiently after such breaches, which would include notifying affected individuals as needed.

The proposed amendments would require that a covered institution's incident response program include written policies and procedures that address the risk of harm posed by security compromises at service providers. Specifically, these policies and procedures would require covered institutions, pursuant to a written contract between the covered institution and its service providers, to require service providers to take appropriate measures that are designed to protect against unauthorized access to or use of customer information. Appropriate measures would include the obligation for a service provider to notify a covered institution as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security that results in unauthorized access to a customer information system maintained by the service provider, in order to enable the covered institution to implement its incident response program expeditiously. In addition, we are not limiting entities that can provide customer notification for or on behalf of covered institutions. A covered institution may, as part of its incident response program, enter into a written agreement with its service provider to have the service provider notify affected individuals on its behalf in accordance with the notification obligations discussed below. In that circumstance, the covered institution could delegate performance of its notice obligation to a service provider through written agreement, but the covered institution would remain responsible for any failure to provide a notice as required by the proposed rules, if adopted.

We request comment on the proposed requirements related to service providers, including the following:

17. Should we modify the proposed definition of “service provider”? For example, should we exclude a covered institution's affiliates from the definition? Alternatively, should we define “service provider” in this rule in a manner similar to proposed rule 206(4)–11 under the Investment Advisers Act? Are there any other alternative definitions of “service provider” that should be used?

18. Should there be additional or more specific requirements for entities that are included in the definition of “service providers?”

19. The proposed definition of service providers applies to entities that receive, maintain or process customer information, or are permitted access to a covered institution's customer information. Is this scope of activities appropriate? Should we exclude any of these activities? Should we include any other activities?

20. To what extent do covered institutions already have written policies and procedures that include contractually requiring service providers to take appropriate measures designed to protect against unauthorized access to or use of customer information? For example, to what extent have contractual requirements been incorporated pursuant to an exception from Regulation S–P's opt-out requirements for service providers and joint marketing provided by 17 CFR 248.13, which is conditioned on having a contractual agreement prohibiting the service provider from disclosing or using customer information other than to carry out the purposes for which it is disclosed, or pursuant to Regulation S–ID's requirements at 17 CFR 248.201(d)(2)(iii) to respond appropriately to any detected identity theft red flags to prevent and mitigate identity theft, and under 17 CFR 248.201(e)(4) to exercise appropriate and effective oversight of service provider arrangements?

21. The proposed rule would require policies and procedures requiring a covered institution, by contract, to require that its service providers take appropriate measures designed to protect against unauthorized access to or use of customer information, including notification to a covered institution in the event of certain types of breaches in security. Are there any contexts in which a written contract may be more feasible than others? Rather than using a contractual approach to implement this requirement that a covered institution take the required appropriate measures, should the rule require policies and procedures that require due diligence of or some type of reasonable assurances from its service providers? What should reasonable assurances include? For example, should they cover notification to the covered institution as soon as possible in the event of any breach in security resulting in unauthorized access to a customer information system maintained by the service provider to enable the covered institution to implement its response program? Are there other reasonable assurances we should require? Alternatively, should we only require disclosure of whether a covered institution has or does not have a written contract with service providers?

22. Should there be a written contract requirement for certain service providers and not others? For example, should the rule identify a sub-set of service providers as critical service providers and require a written agreement in those circumstances only, and if so, what service providers should be included?

23. Are there other methods that we should permit or require covered institutions to use to help ensure that service providers take appropriate measures that are designed to protect against unauthorized access to or use of customer information (for example, a security certification or representation)? Should we have different requirements for smaller covered institutions?

24. The proposed rule would require policies and procedures requiring a covered institution, by contract, to require its service providers to provide notification to a covered institution as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security resulting in unauthorized access to a customer information system maintained by the service provider. Is “as soon as possible, but no later than 48 hours after becoming aware of a breach” an appropriate timeframe for service providers to provide notification to a covered institution after such a breach occurs? Why or why not? Should we use a different timeframe such as “as soon as practicable”?

25. Is it appropriate to permit covered institutions to delegate providing notice to service providers? If service providers are permitted to provide notice on behalf of covered institutions, should there be additional or specific requirements for a service provider that provides notification on behalf of a covered institution? If so, please describe those requirements and why they should be included.

26. The proposed rule would set forth that as part of its incident response program, a covered institution may enter into a written agreement with its service provider for the service provider to notify affected individuals on its behalf ( i.e., to delegate the notice functions required under the rule to service providers while remaining responsible for the notice obligation). Should we set forth that a covered institution may enter into a written agreement with its service provider for other potentially delegated functions as discussed in this proposal? For example, should we set forth that a covered institution may enter into a written agreement for delegating the performance of a reasonable investigation ( e.g., to determine whether sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience) to a service provider? Should we set forth that a covered institution may enter into a written agreement for delegating the performance of assessment activities, or containment and control activities, to a service provider? Additionally, is it appropriate for a service provider to assist with these functions, with the responsibility remaining with the covered institution? Why or why not?

27. To what extent do service providers sub-delegate functions provided in this proposal to third parties? If so, how should the rule address sub-delegations between service providers and third parties?

4. Notice to Affected Individuals

Under the proposed amendments, a covered institution must notify each affected individual whose sensitive customer information was, or was reasonably likely to have been, accessed or used without authorization, unless the covered institution has determined, after a reasonable investigation of the incident, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. The covered institution must provide a clear and conspicuous notice to each affected individual by a means designed to ensure that the individual can reasonably be expected to receive actual notice in writing. The notice must be provided as soon as practicable, but not later than 30 days, after the covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

a. Standard for Providing Notice

The proposed amendments would create an affirmative requirement for a covered institution to provide notice to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. These notices would be designed to give affected individuals an opportunity to respond to and remediate issues arising from an information security incident, such as monitoring credit reports for unauthorized activity, placing fraud alerts on relevant accounts, or changing passwords used to access accounts. Such measures, when taken in a timely fashion, may help affected individuals avoid or mitigate the risk of substantial harm or inconvenience (“harm risk”), and in an environment of expanded risk of cyber incidents, taking such actions may be particularly important to protect individuals. Conversely, giving covered institutions greater discretion to determine whether and when to provide notices could jeopardize affected individuals' ability to evaluate the risk of harm posed by an incident and choose how to respond to and remediate it.

A covered institution would not have to provide notice if, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, it determines that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. To be clear, although the incident response program would be required to address information security incidents involving any form of customer information, the notice requirement would only be triggered by unauthorized access to or use of sensitive customer information. Unauthorized access to or use of sensitive customer information presents an increased risk of harm to the affected individual and accordingly is the appropriate trigger for customer notification.

The proposed amendment is designed to permit covered institutions to rebut the affirmative presumption of notification based on a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information. Such an investigation would have to provide a sufficient basis for the determination that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. In these limited circumstances, the proposed amendments would not require the covered institution to provide a notice.

In contrast, if a malicious actor has gained access to a customer information system and the covered institution simply lacked information indicating that any particular individual's data stored in that customer information system was or was not used in a manner that would result in substantial harm or inconvenience, a covered institution would not have a sufficient basis to make this determination. In order to have a sufficient basis to determine that notice is not required, a covered institution's investigation would need to have revealed information sufficient for the institution to conclude that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

For any determination that a covered institution makes that notice is not required, the covered institution generally should maintain a record of the investigation and basis for its determination. Whether an investigation qualifies as reasonable would depend on the particular facts and circumstances of the unauthorized access or use. For example, unauthorized access that is the result of intentional intrusion by a bad actor may warrant more extensive investigation than inadvertent unauthorized access by an employee. The investigation may occur in parallel with an initial assessment and scoping of the incident and may build upon information generated from those activities, and the scope of the investigation may be refined by using available data and the results of ongoing incident response activities. Information related to the nature and scope of the incident may be relevant to determining the extent of the investigation, such as whether the incident is the result of internal unauthorized access or an external intrusion, the duration of the incident, what accounts have been compromised and at what privilege level, and whether and what type of customer information may have been copied, transferred, or retrieved without authorization.

As discussed above, while some state laws currently include similar standards for providing notifications, the proposed rules would impose a minimum standard to help ensure all individuals would presumptively receive notifications. Twenty-one states only require notice if, after an investigation, the institution finds that a risk of harm exists, and in eleven states, customer notification laws do not apply to entities subject to or in compliance with the GLBA. We preliminarily believe that setting a minimum standard based on an affirmative presumption of notification appropriately balances the need for transparency ( i.e., the need for affected individuals to be informed so that they can take steps to protect themselves, including for example, by placing fraud alerts in credit reports) with concerns that the volume of notices that individuals would receive could erode their efficacy or lead to complacency by affected individuals. Notice of every incident could diminish the impact and effectiveness of the notice in a situation where enhanced vigilance is necessary. Covered institutions likely would be able to send a single notice that complies with multiple regulatory requirements, which may reduce the number of notices an individual receives. In addition, the proposed standard would help to improve security outcomes in general by incentivizing covered institutions to conduct more thorough investigations after an incident occurs, because a reasonable investigation provides the only means to rebut the presumption of notification. Reasonably designed policies and procedures generally should include that a covered institution would revisit a determination whether a notification is required based on its investigation if new facts come to light. For example, if a covered institution determines that risk of use in a manner that would result in substantial harm or inconvenience is not reasonably likely based on the use of encryption in accordance with industry standards at the time of the incident, but subsequently the encryption is compromised or it is discovered that the decryption key was also obtained by the threat actor, the covered institution generally should consider revisiting its determination.

We request comment on the proposed standard for notification to affected individuals, including the following:

28. The proposed standard requires providing notice to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Is the proposed standard for providing notification sufficiently clear? Is a standard of “reasonably likely” appropriate? Should the trigger for notification be a determination by a covered institution that the risk of unauthorized access or use of sensitive customer information has occurred or is “reasonably possible” which would suggest a more expansive standard than “likely”?

29. A covered institution can rebut the presumption of notification if it determines that, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Is this standard “not reasonably likely to be” for rebutting the presumption to notify the appropriate standard? Should the standard be “not reasonably possible”?

30. Should customer notification be required for any incident of unauthorized access to or use of sensitive customer information regardless of the risk of use in a manner that would result in substantial harm or inconvenience? Is there a risk that the volume of notices received under such a standard would inure affected individuals to notices of potentially harmful incidents and result in their not taking protective actions?

31. Do covered institutions expect to be able to perform reasonable investigations in order to rebut the notification presumption? Why or why not? Would it be helpful to include specific requirements for a reasonable investigation? Are there other factors that would influence whether a covered institution decides to conduct a reasonable investigation or notify individuals? If additional clarity would assist covered institutions in making these determinations, please explain.

32. Should we require a covered institution to revisit a determination that notification is not required based on its investigation if new facts come to light? If yes, should the rule provide specific requirements for a covered institution to revisit its determination?

33. Should we incorporate any additional aspects of the protections offered to individuals under state laws into the proposed rules? Alternatively, should any components of the proposal that offer additional protections to individuals beyond some states' laws be omitted? Please explain.

34. Under what scenarios would a covered institution be unable to comply with both the proposed rules and applicable state laws? Please explain.

35. Should the proposed rules be modified in order to help ensure covered institutions would not need to provide multiple notices in order to satisfy obligations under the proposed rules and similar state laws?

b. Definition of “Sensitive Customer Information”

We propose to define the term “sensitive customer information” to mean “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” This definition is intended to cover the types of information that could most likely be used in a manner that would result in substantial harm or inconvenience, such as to commit fraud, including identify theft. We do not believe that notification would be appropriate if unauthorized access to customer information is not reasonably likely to cause a harm risk because a customer is unlikely to need to take protective measures. Moreover, the large volume of notices that individuals might receive in the event of unauthorized access to such customer information could erode their efficacy. Accordingly, the proposed definition is limited to information that, if compromised, could create a “reasonably likely risk of substantial harm or inconvenience.”

The definition also provides examples of the types of information included within the definition of “sensitive customer information.” These examples include certain customer information identified with an individual that, without any other identifying information, could create a substantial risk of harm or inconvenience to an individual identified with the information. For example, Social Security numbers alone, without any other information linked to the individual, would be sensitive because they have been used in “Social Security number-only” or “synthetic” identity theft. In this type of identity theft, a Social Security number, combined with identifying information of another real or fictional person, is used to create a new (or “synthetic”) identity, which then may allow the malicious actor to, among other things, open new financial accounts. A similar sensitivity exists with other types of identifying information that can be used alone to authenticate an individual's identity. A biometric record of a fingerprint or iris image would present a significant threat of account fraud, identity theft, or other substantial harm or inconvenience if the image is used to authenticate a customer of a financial institution.

The proposed definition also provides examples of combinations of identifying information and authenticating information that could create a harm risk to an individual identified with the information. These examples include information identifying a customer, such as a name or online user name, in combination with authenticating information such as a partial Social Security number, access code, or mother's maiden name. A mother's maiden name, for example, in combination with other identifying information, would present a harm risk because it may be so widely used for authentication purposes, even if the maiden name is not used as a password or security question at the covered institution. For these reasons, we are proposing that covered institutions should notify customers if this sensitive information is compromised.

In determining whether the compromise of customer information could create a reasonably likely harm risk to an individual identified with the information, a covered institution could consider encryption as a factor. Most states except encrypted information in certain circumstances, including, for example, where the covered institution can determine that the encryption offers certain levels of protection or the decryption key has not also been compromised.

Specifically, encryption of information using current industry standard best practices is a reasonable factor for a covered institution to consider in making this determination. To the extent encryption in accordance with current industry standards minimizes the likelihood that the cipher text could be decrypted, it would also reduce the likelihood that the cipher text's compromise could create a risk of harm, as long as the associated decryption key is secure. Covered institutions may also reference commonly used cryptographic standards to determine whether encryption does, in fact, substantially impede the likelihood that the cipher text's compromise could create such risks. As industry standards continue to develop in the future, covered institutions generally should review and update, as appropriate, their encryption practices.

We request comment on the proposed rule's definition of sensitive customer information, including the following:

36. Should we broaden the proposed definition of “sensitive customer information” to cover additional information? Alternatively, should we remove some information covered under the proposed definition or conform the definition to the Banking Agencies' Incident Response Guidance? Are there operational or compliance challenges to the proposed definition?

37. Should the rule limit the definition to information or data elements that alone or when linked would permit access to an individual's accounts? Should the rule specify the identifying information or data elements ( e.g., name, address, Social Security number, driver's license or other government identification number, account number, credit or debit card number)?

38. Is the proposed standard in the definition, which covers any component of customer information the compromise of which could create a “reasonably likely” risk of substantial harm or inconvenience, the appropriate standard? Do commenters believe that a different standard would be more appropriate for the proposed rule? For example, would a “reasonably foreseeable” standard be more appropriate, even if harm is not likely to occur? Instead of covering any component of customer information the compromise of which “could” create a reasonably likely risk of substantial harm or inconvenience, should the standard cover components of customer information that “would” create such risk?

39. Should we provide additional or alternative examples of what constitutes “sensitive customer information” in the rule text? Do covered persons or individuals widely use other pieces of information for authentication purposes, such that our examples should explicitly reference other authenticating or identifying information that, in combination, could create a harm risk?

40. Is encryption a relevant factor to a covered institution's determination of the harm risk? Could encrypted information not present such risks because of the current strength of the relevant encryption algorithm, even if this could change in the future because, for example, of future developments in quantum computing? If a covered institution determines that encrypted information is not sensitive customer information, should the covered institution be required to monitor decryption risk based on, for example, advances in technology or a future compromise of a decryption key? If such risks do arise, should a covered institution be required to deliver a notice for a past incident?

41. Do covered institutions' encryption practices commonly adhere to particular cryptographic standards, such as those included in FIPS 140–3? Should we recognize adherence to particular standards as a requirement when determining that encryption is relevant to a covered institution's determination that cipher text's compromise would not create a reasonably likely harm risk to an individual identified with the information?

42. Should we except from the definition of “sensitive customer information” encrypted information, as certain states do? Should any such exception only apply in limited circumstances, including, for example, for certain types of information or where the covered institution can determine that the encryption offers certain levels of protection (including where the decryption key has not been compromised)? Would such an exception prevent individuals from receiving beneficial notifications, including where, for example, information could be easily decrypted? Should any other type of information be excepted?

c. Definition of “Substantial Harm or Inconvenience”

We propose to define “substantial harm or inconvenience” to mean “personal injury, or financial loss, expenditure of effort or loss of time that is more than trivial,” and provide examples of included harms. As noted above, Regulation S–P requires a covered institution's policies and procedures to be reasonably designed to, among other things, protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Although GLBA and the safeguards rule use the term “substantial harm or inconvenience,” neither defines the term. The proposed definition is intended to include a broad range of financial and non-financial harms and inconveniences that may result from failure to safeguard sensitive customer information. For example, a malicious actor could use sensitive customer information about an individual to engage in identity theft or as a means of extortion by threatening to make the information public unless the individual agrees to the malicious actor's demands. This could cause a customer to incur financial loss, or experience personal injury, such as physical harm or damaged reputation, or cause the customer to expend effort to remediate the breach or avoid losses. All of these effects would be included under our proposed definition.

The proposed definition would include all personal injuries due to the significance of their impact on customers. However, the proposed definition includes other harms or inconveniences only when they are, in each case, more than trivial. More than trivial financial loss, expenditure of effort, or loss of time would generally include harms that are likely to be of concern to customers and are of the nature such that customers are likely to take further action to protect themselves. By contrast, where a covered institution, its affiliate, or the individual simply changes the individual's account number as the result of an incident, this likely would be a trivial effect since it is not likely to be of concern to the individual or of the nature that the individual would be likely to take further action. Similarly, in the absence of additional effects, accidental access of information by an employee or other agent of the covered institution, its affiliate, or its service provider would also likely be trivial harms. We do not intend for covered institutions to design programs and incur costs to protect customers from harms of such trivial significance that the customer would be unconcerned with remediating. In this regard, our proposal to adopt standards that protect customers against substantial harm or inconvenience from failures to safeguard information is intended to be consistent with the purposes of the GLBA and Congress's goals.

We request comment on the proposed rule's definition of substantial harm or inconvenience, including the following:

43. Should we expand the proposed definition of “substantial harm or inconvenience”? Alternatively, should we exclude some harms covered under the proposed definition? Should we exclude some smaller (but more than trivial) effects? If so, please explain why the rule should not address these potential harms.

44. Do commenters believe that the proposed rule should reference a term or terms other than “substantial” and “more than trivial” in describing the types of harms that meet our definition? Are additional or alternative clarifications needed? Is “more than trivial” the appropriate standard? Should we instead use a term such as “immaterial” or “insignificant”?

45. Would a numerical or other objective standard for “substantial” harm or inconvenience be appropriate, given the definition includes harms that would present substantial difficulty in quantifying, including damaged reputation? If so, please describe how such an objective standard could be designed and provide examples.

46. Should a harm that is a “personal injury,” such as physical, emotional, or reputational harm, only be included in the proposed definition if it is more than “trivial,” similar to our proposed treatment of financial loss, expenditure of effort or loss of time? Should the standard for a harm that is a “personal injury” be something other than “trivial?”

47. What kinds of financial loss, expenditure of effort or loss of time would individuals likely be unconcerned with and/or likely not to try to mitigate? Please provide data, such as customer surveys, to support your response.

48. Are the rule's proposed examples of certain effects that would be unlikely to meet the definition of substantial harm or inconvenience appropriate? If so, please provide examples and explain why.

d. Identification of Affected Individuals

Under the proposed rules, covered institutions would be required to provide a clear and conspicuous notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. We believe notices should be provided to these affected individuals because they would likely need the information contained in the notices to respond to and remediate the incident.

We understand, however, that notwithstanding a covered institution's determination to provide notices, the identification of affected individuals may be difficult in circumstances where a malicious actor has accessed or used information without authorization in a customer information system. It may, for example, be clear that a malicious actor gained access to the entire customer information system, but the covered institution may not be able to determine which specific individuals' data has been accessed or used. In such cases, we preliminarily believe that all individuals whose sensitive customer information is stored in that system should be notified so that they may have an opportunity to review the information in the required notification, and take remedial action as they deem appropriate. For example, individuals may be more vigilant in reviewing account statements or place fraud alerts in a credit report. They may also be able to place a hold on opening new credit in their name, or take other protective actions. Accordingly, the proposed rule would require a covered institution that is unable to identify which specific individuals' sensitive customer information has been accessed or used without authorization to provide notice to all individuals whose sensitive customer information resides in the affected system that was, or was reasonably likely to have been, accessed or used without authorization.

We request comment on the proposed rule's requirements for the identification of affected individuals, including the following:

49. Does the standard “all individuals whose sensitive customer information resides in the customer information system” adequately cover all of the individuals who are potentially at risk as a result of unauthorized access to or use of a customer information system? Should the rule require notice to additional or different individuals?

50. To the extent covered institutions are not able to determine which individuals are affected with certainty, should the rule require notice only to those individuals whose sensitive customer information was “reasonably likely” to have been accessed or used without authorization? Alternatively, should the rule require notice unless it is “unlikely” that the information was not accessed, or would some other standard be appropriate? Please address how any such standard would help ensure that all individuals potentially at risk because of unauthorized access to or use of the customer information system receive notice.

51. The proposed rule would require covered institutions to provide notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, including customers of other financial institutions where information has been provided to the covered institution. Do covered institutions have the contact information for customers of other financial institutions necessary to send the notices as required? Alternatively, should the rule require only that a covered institution provide notices to their own customers or to the institution that provided the covered institution the sensitive customer information? Are there other operational or compliance challenges to identifying affected individuals? Would this requirement result in the practical effect of requiring covered institutions to send notices to all individuals potentially subject to a breach of their systems (regardless of whether they are a customer or not) due to the difficulty of determining an affected individual's status?

e. Timing Requirements

As proposed, the rule would require covered institutions to provide notices as soon as practicable, but not later than 30 days, after the covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred except under limited circumstances, discussed below. We propose that covered institutions provide notices “as soon as practicable” to expeditiously notify individuals whose information is compromised, so that these individuals may take timely action to protect themselves from identity theft or other harm. The amount of time that would constitute “as soon as practicable” may vary based on several factors, such as the time required to assess, contain, and control the incident, and if the institution conducts one, the time required to investigate the likelihood the information could be used in a manner that would result in substantial harm or inconvenience. For example, “as soon as practicable” may be longer with an incident involving a significant number of customers.

Consistent with the approach taken by many states, we have included an outside date to ensure that all covered institutions meet a minimum standard of timeliness. We preliminarily believe that a 30-day period after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred would permit customers to take actions in response to an incident, including by placing fraud alerts on relevant accounts or changing passwords used to access accounts. The proposal's 30-day period would establish a shorter notification deadline than those currently used in 15 states, and would also offer enhanced protections to individuals in 32 states with laws that do not include an outside date. At the same time, this 30-day period would generally allow sufficient time for covered institutions to perform their assessments, take remedial measures, conclude any investigation, and prepare notices. Accordingly, we preliminarily believe that establishing a minimum requirement to provide notifications as soon as practicable, together with a 30-day outside date, strikes the appropriate balance between promoting timely notice to affected individuals and allowing institutions sufficient time to implement their incident response programs.

Further, the proposed requirement that a covered institution have written policies and procedures that provide for a systematic response to each incident also may facilitate the institution's preparation and ability to perform an assessment, remediation, and investigation in a timely manner and within the 30-day period required for providing customer notices. At the same time, a covered institution would be required to provide notice within 30 days after becoming aware that an incident occurred even if the institution had not completed its assessment or control and containment measures.

Similarly, the proposal would effectively impose a uniform 30-day notification time-period and would not generally provide for a notification delay. For example, when there is an ongoing internal or external investigation related to an incident involving sensitive customer information. On-going internal or external investigations—which often can be lengthy—on their own would not provide a basis for delaying notice to customers that their sensitive customer information has been compromised. Additionally, any such delay provision could undermine timely and uniform customer notification that customers' sensitive customer information has been compromised, as investigations and resolutions of incidents may occur over an extended period of time and may vary widely in timing and scope.

At the same time, we recognize that a delay in customer notification may facilitate law enforcement investigations aimed at apprehending the perpetrators of the incident and preventing future incidents. Many states have laws that either mandate or allow entities to delay providing customer notifications regarding an incident if law enforcement determines that notification may impede its investigation. The principal function of such a delay would be to allow a law enforcement or national security agency to keep a cybercriminal unaware of their detection.

The proposed rule would allow a covered institution to delay providing notice after receiving a written request from the Attorney General of the United States that the notice required under this rule poses a substantial risk to national security. The covered institution may delay such a notice for an initial period specified by the Attorney General of the United States, but not for longer than 15 days. The notice may be delayed an additional 15 days if the Attorney General of the United States determines that the notice continues to pose a substantial risk to national security. This would allow a combined delay period of up to 30 days, upon the expiration of which the covered institution must provide notice immediately.

A covered institution, in certain instances, may be required to notify customers under the proposal even though that covered institution could have separate delay reporting requirements under a particular state law. On balance, it is our current view that timely customer notification would allow the customer to take remedial actions and, thereby, would justify providing only for a limited delay.

We request comment on the proposed rule's notification timing requirements, including the following:

52. Does this proposed requirement provide covered institutions with sufficient time to perform assessments, collect the information necessary to include in customer notices, perform an investigation if appropriate, and provide notices? Alternatively, does the proposed “as soon as practicable” or 30 day outside date provide too much time? Should the rule require institutions to provide notice “as soon as possible,” for example? Should the rule provide parameters to define “as soon as practicable,” “as soon as possible,” “as soon as reasonably practicable” or an alternate standard? If so, please describe the parameters or other standard. Should the rule require less time for an outside date, such as 10, 15, or 20 days? Should the rule provide more time for an outside date, such as 45, 60, or 90 days? Please be specific on the appropriate outside date and the basis for the shorter or longer time period. Also, please specify the potential costs and benefits to a different outside date.

53. Should the proposed timing requirement begin to run upon an event other than “becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred”? Should the timing requirement begin to run, for example, after the covered institution “reasonably should have been aware” of the incident or, alternatively, after completing its assessment of the incident or containment? If the timing requirement should begin upon “becoming aware that that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred,” should we provide covered institutions with examples of what would constitute becoming aware?

54. Should the proposed rules incorporate any exceptions from the timing requirement that would allow for delays under limited circumstances? If so, what restrictions or conditions should apply to any such delay and why?

55. Are there other challenges to meeting the proposed timing requirements, including the requirement to provide notices within 30 days of becoming aware of the incident? If yes, please describe.

56. What operational or compliance challenges arise from the proposed limited delay for notice or its expiration? Should the proposed rule have a different delay for notice, for example, by providing that the Commission shall allow covered institutions to delay notification to customers where any law enforcement agency requests such a delay from the covered institution? If so, what restrictions or conditions should apply to any such law enforcement delay, for example, a certification, or a different outside time limit on the delay?

f. Notice Contents and Format

We are proposing to require that notices include key information with details about the incident, the breached data, and how affected individuals could respond to the breach to protect themselves. This requirement is designed to help ensure that covered institutions provide basic information to affected individuals that would help them avoid or mitigate substantial harm or inconvenience.

More specifically, some of the information required, including information regarding a description of the incident, type of sensitive customer information accessed or used without authorization, and what has been done to protect the sensitive customer information from further unauthorized access or use, would provide customers with basic information to help them understand the scope of the incident and its potential ramifications. We also propose to require covered institutions to include contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident, including a telephone number (which should be a toll-free number if available), an email address or equivalent method or means, a postal address, and the name of a specific office to contact for further information and assistance, so that individuals can more easily seek additional information from the covered institution. All of this information may help an individual assess the risk posed and whether to take additional measures to protect against harm from unauthorized access or use of their information.

Similarly, if the information is reasonably possible to determine at the time the notice is provided, information regarding the date of the incident, the estimated date of the incident, or the date range within which the incident occurred would help customers understand the circumstances related to the breach. We understand that a covered institution may have difficulty determining a precise date range for certain incidents because it may only discover an incident well after an initial time of access. As a result, similar to the approach taken by California, the covered institution would only be required to include a date, or date range, if it is possible to determine at the time the notice is provided.

Finally, we propose that covered institutions include certain information to assist individuals in evaluating how they should respond to the incident. Specifically, if the individual has an account with the covered institution, the proposed rule would require inclusion of a recommendation that the customer review account statements and immediately report any suspicious activity to the covered institution. The proposed rule would also require covered institutions to explain what a fraud alert is and how an individual may place a fraud alert in credit reports. Further, the proposed rule would require inclusion of a recommendation that the individual periodically obtain credit reports from each nationwide credit reporting company and have information relating to fraudulent transactions deleted, as well as explain how a credit report can be obtained free of charge. In particular, information addressing potential protective measures could help individuals evaluate how they should respond to the incident. We also propose for notices to include information regarding FTC and usa.gov guidance on steps an individual can take to protect against identity theft, a statement encouraging the individual to report any incidents of identity theft to the FTC, and include the FTC's website address. This would give individuals resources for additional information regarding how they can respond to an incident.

We propose that covered institutions should be required to provide the information specified in proposed rule 248.30(b)(4)(iv) in each required notice. While we recognize that relevant information may vary based on the facts and circumstances of the incident, we believe that customers would benefit from the same minimum set of basic information in all notices. We propose, therefore, to permit covered institutions to include additional information, but the rule would not permit omission of the prescribed information in the notices provided to affected individuals.

The proposed rule would require covered institutions to provide the notice in a clear and conspicuous manner and by means designed to ensure that the customer can reasonably be expected to receive actual notice in writing. Notices, therefore, would be required to be reasonably understandable and designed to call attention to the nature and significance of the information required to be provided in the notice. Accordingly, to the extent that a covered institution includes information in the notice that is not required to be provided to customers under the proposed rules or provides notice contemporaneously with other disclosures, the covered institution would still be required to ensure that the notice is designed to call attention to the important information required to be provided under the proposed rule; additional information generally should not prevent covered institutions from presenting required information in a clear and conspicuous manner. The requirement to provide notices in writing, further, would ensure that customers receive the information in a format appropriate for receiving important information, with accommodation for those customers who agree to receive the information electronically. This proposed requirement to provide notice “in writing” could be satisfied either through paper or electronic means, consistent with existing Commission guidance on electronic delivery of documents. Notification in other formats, including, for example, by a recorded telephone message, may not be retained and referenced as easily as a notification in writing. These requirements would help ensure that customers are provided notifications and alerted to their importance.

We request comment on the notification content, format, and delivery requirements, including the following:

57. Should we require that notices include additional information? If so, what specific information should we include? Please explain why any recommended additional information would be important to include.

58. Is there prescribed notice information that we should eliminate or revise? Please explain. For example, should we add information about security freezes on credit reports, and should that replace fraud alert information? Should the required information on the notice to assist individuals in evaluating how they should respond to the incident be replaced? Please explain. For example, should the notice instead be required to include an appropriate website that describes then-current best practices in how to respond to an incident? Are there other websites, for example, IdentityTheft.gov, that should be included in the notice?

59. Should some of the information we propose to include in the notices only be required in limited circumstances? For example, should we only require including information relating to credit reports if the underlying incident relates to access or use of a subset of sensitive customer information (perhaps only information of a particular financial nature)? Should covered institutions be able to determine whether to provide certain information “as appropriate” on a case-by-case basis? If so, please explain which information and why.

60. In what other formats, if any, should we permit covered institutions to provide notices? What formats do covered institutions customarily use to communicate with individuals ( e.g., text messages or some other abbreviated format that might require the use of hyperlinks) and for which types of communications are those formats generally used? To the extent we allow such additional formats, would such notices adequately signal the significance of the information to the individual—or otherwise present disadvantages to covered institutions or individuals?

61. The proposed rule amendments would require that covered institutions provide certain contact information sufficient to permit an individual to contact the covered institution to inquire about the incident. Should we require additional or different contact information? Is the required contact information appropriate or would a general customer service number suffice? Should the amendments also require that covered institutions ensure that they have reasonable policies and procedures in place, including trained personnel, to respond appropriately to customer inquiries and requests for assistance?

62. Should we require that covered institutions include specific and standardized information about steps to protect against identity theft, instead of requiring inclusion of information about online guidance from the FTC and usa.gov ?

63. Should we require that covered institutions reference “consumer reports” instead of “credit reports” in notifications under the proposed rules? Would individuals be more familiar with the term “credit report”?

64. To the extent that a covered institution determines it is not reasonably possible to provide in the notice information regarding the date of the incident, the estimated date of the incident, or the date range within which the incident occurred, should that financial institution be required to state this to customers? In addition, should the institution be required to state why it is not possible to make such a determination?

65. Should the notice require that covered institutions describe what has been done to protect the sensitive customer information from further unauthorized access or use? Would this description provide a roadmap for further incidents? If yes, is there other information rather than this description that may help an individual understand what has been done to protect their information?

66. Should we incorporate other prescriptive formatting requirements ( e.g., length of notice, size of font, etc.) for the notice requirement under the proposed rules?

67. Should we require covered institutions to follow plain English or plain writing principles?

B. Remote Work Arrangement Considerations

Following the onset of the COVID–19 pandemic in the United States in 2020, the use of remote work arrangements has expanded significantly throughout the labor force. The U.S. Census Bureau recently announced that the number of people primarily working from home tripled between 2019 and 2021, from 5.7% to 17.9% of all workers. In the financial services industry specifically, the Bureau of Labor Statistics found in its 2021 Business Response Survey that firms reported 27.5% of jobs in the industry currently involve full-time telework, with a total of 45% of jobs involving teleworking “at least some of the time.”

Although recent reports indicate that a growing number of workers are returning to the office, as certain members of the securities industry have previously noted, when covered institutions permit their own employees to work from remote locations, rather than one of the firm's offices, it raises particular compliance questions under Regulation S–P. In the case of the proposed rule, a covered institution's policies and procedures under the safeguards rule would need to be reasonably designed to ensure the security and confidentiality of customer information, protect against any threats or hazards to the security or integrity of customer information, and protect against the unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Similarly, under the proposed amendments to the disposal rule, covered institutions, other than notice-registered broker-dealers, would need to adopt and implement written policies and procedures under the disposal rule that address the proper disposal of consumer information and customer information according to a standard of taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. In satisfying each of these proposed obligations, covered institutions will need to consider any additional challenges raised by the use of remote work locations within their policies and procedures.

In light of these considerations, we request comment on whether the remote work arrangements of the personnel of covered institutions should be addressed under both the safeguards rule and the disposal rule, including as to the following:

68. Should the proposed safeguards rule and/or the proposed disposal rule be amended in any way to account for the use of remote work arrangements by covered institutions? If so, how? How would such amendments impact the costs and benefits of the proposed rule?

69. Are there any additional costs and/or benefits of the proposed rule related to remote work arrangements that the Commission should be aware of? If so, in particular, how would those be impacted by whether or not remote work arrangements by covered institutions have increased, decreased, or remained the same? If so, please explain, and please provide any data available.

70. Are there any specific aspects of the proposed safeguards rule or the disposal rule, relating to compliance with either rule where the covered institution permits employees to work remotely, on which the Commission should provide guidance to covered institutions? If so, please explain.

C. Scope of Information Protected Under the Safeguards Rule and Disposal Rule

The Commission adopted the safeguards rule and the disposal rule at different times under different statutes—respectively, the GLBA and the FACT Act—that differ in the scope of information they cover. We are proposing to broaden and more closely align the information covered by the safeguards rule and the disposal rule by applying the protections of both rules to “customer information,” a newly defined term. We also propose to add a new section that describes the extent of information covered under both rules, which includes nonpublic personal information that a covered institution collects about its own customers and that it receives from a third party financial institution about a financial institution's customers.

We preliminarily believe the scope of information protected by the safeguards rule and the disposal rule should be broader and more closely aligned to provide better protection against unauthorized disclosure of personal financial information, consistent with the purposes of the GLBA and the FACT Act. Applying both the safeguards rule and the disposal rule to a more consistent set of defined “customer information” also could reduce any burden that may have been created by the application of the safeguards rule and the disposal rule to different scopes of information. Further, protecting nonpublic personal information of customers that a financial institution shares with a covered institution furthers congressional policy to protect personal financial information on an ongoing basis. Applying the safeguards rule and the disposal rule to customer information that a covered institution receives from other financial institutions should ensure customer information safeguards are not lost because a third party financial institution shares that information with a covered institution.

1. Definition of Customer Information

Currently, Regulation S–P's protections under the safeguards rule and disposal rule apply to different, and at times overlapping, sets of information. Specifically, as required under the GLBA, the safeguards rule requires broker-dealers, investment companies, and registered investment advisers (but not transfer agents) to maintain written policies and procedures to protect “customer records and information,” which is not defined in the GLBA or in Regulation S–P. The disposal rule requires every covered institution properly to dispose of “consumer report information,” a different term, which Regulation S–P defines consistently with the FACT Act provisions.

To align more closely the information protected by both rules, we propose to amend rule 248.30 by replacing the term “customer records and information” in the safeguards rule with a newly defined term “customer information” and by adding customer information to the coverage of the disposal rule.

For covered institutions other than transfer agents, the proposed rule would define “customer information” to encompass any record containing “nonpublic personal information” (as defined in Regulation S–P) about “a customer of a financial institution,” whether in paper, electronic or other form that is handled or maintained by the covered institution or on its behalf. This definition in the coverage of the safeguards rule is intended to be consistent with the objectives of the GLBA, which focuses on protecting “nonpublic personal information” of those who are “customers” of financial institutions. The proposed definition would also conform more closely to the definition of “customer information” in the safeguards rule adopted by the FTC.

Additionally, adding customer information to the coverage of the disposal rule is also intended to be consistent with the objectives of the GLBA. Under the GLBA, an institution has a “continuing obligation” to protect the security and confidentiality of customers' nonpublic personal information. The proposed rule clarifies that this obligation continues through disposal of customer information. The proposed rule is also intended to be consistent with the objectives of the FACT Act. The FACT Act focuses on protecting “consumer information,” a category of information that will remain within the scope of the disposal rule. Adding customer information to the disposal provisions will simplify compliance with the FACT Act by eliminating an institution's need to determine whether its customer information is also consumer information subject to the disposal rule. Institutions should also be less likely to fail to dispose of consumer information properly by misidentifying it as customer information only. In addition, including customer information in the coverage of the disposal rule would conform the rule more closely to the Banking Agencies' Safeguards Guidance. These proposed amendments are intended to be consistent with the Commission's statutory mandates under the GLBA and the FACT Act to adopt final financial privacy regulations and disposal regulations, respectively, that are consistent with and comparable to those adopted by other Federal financial regulators.

We request comment on the proposed definition of “customer information,” including the following:

71. Is the proposed definition of “customer information,” which includes any records containing nonpublic personal information about a customer of a financial institution that is handled or maintained by the covered institution or on its behalf, too narrow? If so, how should we expand the definition? Should the definition also include customer information maintained on behalf of a covered institutions' affiliates?

72. Do covered institutions share customer information with affiliates that are neither financial institutions subject to the safeguards rules of other Federal financial regulators nor service providers? If so, please explain. If so, should customer information be subject to the same protections when a covered institution shares it with such an affiliate?

73. Are there any aspects of the proposed definition that may be too broad? If so, how is it broad? For example, should the definition limit customer information to nonpublic personal information about an institution's own customers that is maintained by or on behalf of the covered institution?

74. Is the safeguards rule too narrow? Should it extend to consumer information that is not customer information ( e.g., information from a consumer report about an employee or prospective employee)?

75. Under the proposed amendments, the disposal rule would apply to both customer information and consumer information. Is the proposed amended disposal rule too broad? If so, how should we narrow the coverage? For example, should the disposal rule protect customer information that is not consumer information, i.e., nonpublic personal information, such as transaction information, that does not appear in a consumer report? Are there benefits to having the safeguards rule and the disposal rule apply to a more consistent set of information?

76. For covered institutions that are owned or controlled by affiliates based in another jurisdiction, what is the risk that customer information, including sensitive customer information, may be shared and used by such other affiliates? Would such practices raise concerns about potential harm related to the use or possession of customer information by such foreign affiliates? Should the rule include additional requirements that would restrict the transmission of such customer information to foreign affiliates and others? If so, what should these be?

2. Safeguards Rule and Disposal Rule Coverage of Customer Information

We also propose to amend rule 248.30 to add a new section that would provide that the safeguards rule and disposal rule apply to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information it receives from a third party financial institution about that institution's customers. Currently, Regulation S–P defines “customer” as “a consumer who has a customer relationship with you.” The safeguards rule, therefore, only protects the “records and information” of individuals who are customers of the particular institution and not others, such as individuals who are customers of another financial institution. The disposal rule, on the other hand, requires proper disposal of certain records about individuals without regard to whether the individuals are customers of the particular institution.

Proposed new paragraph (a) would provide that the safeguards rule and the disposal rule apply to all customer information in the possession of a covered institution, and all consumer information that a covered institution maintains or otherwise possesses for a business purpose, as applicable, regardless of whether such information pertains to the covered institution's own customers or to customers of other financial institutions and has been provided to the covered institution. For example, information that a registered investment adviser has received from the custodian of a former client's assets would be covered under both rules if the former client remains a customer of either the custodian or of another financial institution, even though the individual no longer has a customer relationship with the investment adviser. Similarly, any individual's customer information or consumer information that a transfer agent has received from a broker-dealer holding an omnibus account with the transfer agent would be covered under both rules, even where the individual has no account in her own name at the transfer agent, as long as the individual is a customer of the broker-dealer or another financial institution. This approach is consistent with the FTC's safeguards rule.

We request comment on the proposed scope of customer information covered under the safeguards rule and the disposal rule, including the following:

77. Is the proposed scope too broad or too narrow? If so, how should we broaden or narrow the scope? For example, should the rules' protections for “customer information” only extend to nonpublic personal information of the customers of another financial institution if the covered institution received the information from that financial institution ( e.g., an employee's or former customer's bank account information that the covered institution received directly from the individual, or prospective customers' information that the covered institution purchased or otherwise acquired from a third party would not be covered)?

78. Should employees' nonpublic personal information be protected under the safeguards rule? Why or why not? Would such coverage reduce the risk that unauthorized access to employee nonpublic personal information, such as a user name or password, could facilitate unauthorized access to customer information?

79. Do covered institutions receive nonpublic personal information about individuals who are not their customers from other financial institutions, such as custodians? If so, please provide examples. Do covered institutions take the same or different measures in safeguarding and disposing of information of individuals who are not their customers, such as employees or former customers? Please explain.

80. If covered institutions receive nonpublic personal information about individuals who are not their customers, are covered institutions able to determine whether such individuals are customers of other financial institutions? Would that be known as a result of any existing legal obligations?

81. Would the proposed rule result in covered institutions treating all nonpublic personal information about individuals as subject to the safeguards and disposal rules?

82. Should the proposed rule include a section describing scope? Does the scope section help clarify the information that a covered institution would have to protect under the safeguards rule and the disposal rule? Would the rule be clearer if it defined the scope of information protected within the definition of customer information?

3. Extending the Scope of the Safeguards Rule and the Disposal Rule To Cover All Transfer Agents

The proposed amendments would extend both the safeguards rule and the disposal rule to apply to any transfer agent registered with the Commission or another appropriate regulatory agency. As discussed above, the safeguards rule currently applies to brokers, dealers, registered investment advisers, and investment companies, while the disposal rule currently applies to those entities as well as to transfer agents registered with the Commission.

The Safeguards Rule

Among other functions, transfer agents: (i) track, record, and maintain on behalf of issuers the official record of ownership of such issuer's securities; (ii) cancel old certificates, issue new ones, and perform other processing and recordkeeping functions that facilitate the issuance, cancellation, and transfer of both certificated securities and book-entry only securities; (iii) facilitate communications between issuers and securityholders; and (iv) make dividend, principal, interest, and other distributions to securityholders. To perform these functions, transfer agents maintain records and information related to securityholders that may include names, addresses, phone numbers, email addresses, employers, employment history, bank and specific account information, credit card information, transaction histories, securities holdings, and other detailed and individualized information related to the transfer agents' recordkeeping and transaction processing on behalf of issuers. With advances in technology and the expansion of book-entry ownership of securities, transfer agents today increasingly rely on technology and automation to perform the core recordkeeping, processing, and transfer services described above, including the use of computer systems to store, access, and process the customer information related to securityholders they maintain on behalf of issuers.

Like other market participants, systems maintained by transfer agents are subject to threats and hazards to the security or integrity of customer information, which could create a reasonably likely risk of harm to an individual identified with the information. Specifically, the systems maintained by transfer agents are subject to similar types of risks of breach as other covered institutions, and as a consequence, the individuals whose customer information is maintained by transfer agents are subject to similar risks of substantial harm and inconvenience as individuals whose customer information is maintained by other covered institutions. To account for this, the proposed definition of “customer information” with respect to a transfer agent would include “any record containing nonpublic personal information . . . identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is handled or maintained by the transfer agent or on its behalf.”

In light of these risks, the proposed amendments would require transfer agents to protect the customer information they maintain by adopting and implementing appropriate safeguards in addition to taking measures to dispose of the information properly. Transfer agents would be required to develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information. They would also be required to develop, implement, and maintain an incident response program, including customer notifications, for unauthorized access to or use of customer information.

The Disposal Rule

Currently, the disposal rule only applies to those transfer agents “registered with the Commission.” However, the proposed amendments would also extend the application of the disposal rule to all transfer agents, including those transfer agents that are registered with another appropriate regulatory agency other than the Commission, by defining transfer agent in the proposed definition of a “covered institution” as “a transfer agent registered with the Commission or another appropriate regulatory agency.”

When the Commission initially proposed the disposal rule, it noted that the purpose of section 216 of the FACT Act was to “prevent unauthorized disclosure of information contained in a consumer report and to reduce the risk of fraud or related crimes, including identity theft.” Through the disposal rule, the Commission asserted that covered entities' consumers would benefit by reducing the incidence of identity theft losses. At the same time, the Commission indicated that the disposal rule as proposed would impose “minimal costs” on firms in the form of providing employee training, or establishing clear procedures for consumer report information disposal. Further, the Commission proposed that covered entities satisfy their obligations under the disposal rule through the taking of “reasonable measures” to protect against unauthorized access or use of the related customer information, the rule was designed to “minimize the burden of compliance for smaller entities.” At adoption, a majority of commenters supported the flexible standard for disposal that the Commission proposed, and no commenter opposed the standard.

The Commission believes that extending the disposal rule now to cover those transfer agents registered with another appropriate regulatory agency would provide the same investor protection benefits and impose the same minimal costs on such firms as in the case of transfer agents registered with the Commission. When coupled with the additional benefit of providing a minimum industry standard for the proper disposal of all customer information or consumer information that any transfer agent maintains or possesses for a business purpose, the Commission preliminarily believes that extending the disposal rule to now cover all transfer agents would be appropriate for the protection of investors, and in the public interest.

Statutory Authority Over Transfer Agents

When the Commission initially proposed and adopted the disposal rule, it did so to implement the congressional directive in section 216 of the FACT Act to adopt regulations to require any person who maintains or possesses a consumer report or consumer information derived from a consumer report for a business purpose to properly dispose of the information. The Commission determined at that time that, through the FACT Act, Congress intended to instruct the Commission to adopt a disposal rule to apply to transfer agents registered with the Commission. The Commission also stated at that time that the GLBA did not include transfer agents within the list of covered entities for which the Commission was required to adopt privacy rules. Accordingly, the Commission extended the disposal rule only to those transfer agents registered with the Commission to carry out its directive under the FACT Act, while deferring to the FTC to utilize its “residual jurisdiction” under the same congressional mandate, to enact both a disposal rule and broader privacy rules that might apply to transfer agents registered with another appropriate regulatory agency.

Separate from these conclusions, however, under section 17A of the Exchange Act, the Commission has broad authority, independent of either the FACT Act or the GLBA, to prescribe rules and regulations for transfer agents as necessary or appropriate in the public interest, for the protection of investors, for the safeguarding of securities and funds, or otherwise in furtherance of funds, or otherwise in furtherance of the purposes of Title I of the Exchange Act. Specifically, regardless of whether transfer agents initially register with the Commission or another appropriate regulatory agency, section 17A(d)(1) of the Exchange Act authorizes the Commission to prescribe such rules and regulations as may be necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Exchange Act with respect to any transfer agents, so registered. Once a transfer agent is registered, the Commission “is empowered with broad rulemaking authority over all aspects of a transfer agent's activities as a transfer agent.”

Accordingly, as the FTC has not adopted similar disposal and privacy rules to govern transfer agents registered with another appropriate regulatory agency, the Commission is proposing to extend the safeguards rule to apply to any transfer agent registered with either the Commission or another appropriate regulatory agency and extend the disposal rule to apply to transfer agents registered with another appropriate regulatory agency ( i.e., not the Commission). Here, the Commission has an interest in addressing the risks of market disruptions and investor harm posed by cybersecurity and other operational risks faced by transfer agents, and extending the safeguards rule and disposal rule to address those risks is in the public interest and necessary for the protection of investors and safeguarding of funds and securities.

Transfer agents are subject to many of the same risks of data system breach or failure that other market participants face. For example, transfer agents are vulnerable to a variety of software, hardware, and information security risks that could threaten the ownership interest of securityholders or disrupt trading within the securities markets. Yet, based on the Commission's experience administering the transfer agent examination program, we are aware that practices among transfer agents related to information security and other operational risks vary widely. A transfer agent's failure to account for such risks and take appropriate steps to mitigate them can directly lead to the loss of funds or securities, including through theft or misappropriation.

At the same time, the scope and volume of funds and securities that are processed or held by transfer agents have increased dramatically. The risk of loss of such funds and securities presents significant risks to issuers, securityholders, other industry participants, and the U.S. financial system as a whole. Transfer agents that provide paying agent services on behalf of issuers play a significant role within that system. According to Form TA–2 filings in 2021, transfer agents distributed approximately $3.8 trillion in securityholder dividends and bond principal and interest payments. Critically, because Form TA–2 does not include information relating to the value of purchase, redemption, and exchange orders by mutual fund transfer agents, the $3.8 trillion amount noted above does not include these amounts. If the value of such transactions by mutual fund transfer agents was captured by Form TA–2 it is possible that the $3.8 trillion number would be significantly higher.

By extending the safeguards rule and disposal rule to cover all transfer agents, the Commission anticipates the rules would be in the public interest and would help protect investors and safeguard their securities and funds. Specifically, extending the safeguards rule to cover any transfer agent in order to address the risks to the security or integrity of customer information found on the systems they maintain will help prevent securityholders' customer information from being compromised, which, as noted above, could threaten the ownership interest of securityholders or disrupt trading within the securities markets. It also would help establish minimum nationwide standards for the notification of securityholders who are affected by a transfer agent data breach that leads to the unauthorized access or use of their information so that affected securityholders could take additional mitigating actions to protect their customer information, ownership interest in securities, and trading activity. Similarly, extending the disposal rule to cover those transfer agents registered with another appropriate regulatory agency would help protect investors and safeguard their securities and funds by reducing the risk of fraud or related crimes, including identity theft, which can lead to the loss of securities and funds.

The Commission acknowledges that if the proposal is adopted it would also impose costs on transfer agents that would be subject to both the safeguards rule and the disposal rule for the first time. For all transfer agents, such costs would include the development and implementation of the policies and procedures required under the safeguards rule, the ongoing costs of complying with required recordkeeping and maintenance requirements, and, in the event of the unauthorized access or use of their customer information, the costs necessary to comply with the customer notification requirements of the proposal. With respect to transfer agents registered with another appropriate regulatory agency that are not currently subject to the disposal rule, such costs would also include the same costs incurred by the transfer agents registered with the Commission that are currently subject to the disposal rule to establish written policies and procedures for consumer and customer information disposal, as well as the minimal employee training costs necessary to address adherence to those policies and procedures.

However, because many of the transfer agents registered with another appropriate regulatory agency that are not currently subject to the disposal rule are banking entities subject to Federal and state banking laws and other requirements, it is likely that a large percentage of them already train their employees and have procedures for consumer report information disposal that likely would comply with the disposal rule. Further, although transfer agents would face higher costs of compliance from this proposal than those covered institutions already subject to the safeguards rule and the disposal rule, the Commission believes the additional cost to such transfer agents will be comparable to the costs of compliance that was incurred by covered institutions (such as registered investment advisers and broker dealers) when they first became subject to these rules. When considered in the context of protecting investors and safeguarding securities and funds, as discussed above, the Commission preliminarily believes that such costs are appropriate.

We seek comment on the proposal to extend the application of the safeguards rule and the disposal rule to both cover all transfer agents.

83. What would be the comparative advantages and disadvantages and costs and benefits of expanding the definition of customer information with respect to transfer agents? Is the proposed definition of “customer information” appropriate with respect to transfer agents?

84. Are some transfer agents, for example those that are registered with another appropriate regulatory agency, subject to duplicative or conflicting requirements as those that would be imposed under the safeguards rule? If so, please explain.

85. Should the definition of “customer information” be expanded to cover other stakeholders or individuals whose information may be handled or maintained by a transfer agent, such as employees, investors or contractors? If so, please explain why.

86. Are there particular concerns that transfer agents might have in implementing or meeting the requirements of the safeguards rule? Should we modify any of the requirements of the safeguards rule to take into account other regulatory requirements to which some transfer agents might be subject, or the differences between the operations of transfer agents and other covered institutions?

87. Are there other registrants or market participants to whom we should extend the safeguards rule and the disposal rule? If so, which ones?

88. Would transfer agents be subject to any compliance costs under this proposed rule that differ materially from those costs that covered institutions that are already subject to the safeguards rule and the disposal rule will have incurred through both past compliance, as well as the additional costs associated with this proposed rule? If so, please explain why and quantify these costs.

4. Maintaining the Current Regulatory Framework for Notice-Registered Broker-Dealers

The proposed amendments would also continue to maintain the same regulatory treatment for notice-registered broker-dealers as they do under the current safeguards rule and the disposal rule. Notice-registered broker-dealers are futures commission merchants and introducing brokers registered with the CFTC that are permitted to register as broker-dealers by filing a notice with the Commission for the limited purpose of effecting transactions in security futures products. These notice-registered broker-dealers are currently explicitly excluded from the scope of the disposal rule, but subject to the safeguards rule. However, under substituted compliance provisions, notice-registered broker-dealers are deemed to comply with the safeguards rule where they are subject to, and comply with, the financial privacy rules of the CFTC, including similar obligations to safeguard customer information. The Commission adopted substituted compliance provisions with regard to the safeguards rule in acknowledgment that notice-registered broker-dealers are subject to primary oversight by the CFTC, and to mirror similar substituted compliance provisions afforded by the CFTC to broker-dealers registered with the Commission. When the Commission thereafter adopted the disposal rule, it excluded notice-registered broker-dealers from the rule's scope noting its belief that Congress did not intend for the Commission's FACT Act rules to apply to entities subject to primary oversight by the CFTC.

For these reasons, the Commission has tailored the proposed amendments to ensure there will be no change in the treatment of notice-registered broker-dealers under the safeguards rule and the disposal rule. First, the proposed rule would define a “covered institution” to include “any broker or dealer,” without excluding notice-registered broker-dealers, thus ensuring that Regulation S–P's substituted compliance provisions would still apply to notice-registered broker-dealers with respect to the safeguards rule. Second, although the proposed disposal rule would also employ this proposed definition of a “covered institution,” it would retain the disposal rule's current exclusion for notice-registered broker-dealers.

This approach will provide notice-registered broker-dealers with the benefit of consistent regulatory treatment under Regulation S–P, without imposing any additional costs, while also maintaining the same investor protections that the customers of notice-registered broker-dealers currently receive. To the extent notice-registered broker-dealers opt to comply with Regulation S–P and the proposed safeguards rule rather than avail themselves of substituted compliance by complying with the CFTC's financial privacy rules, the Commission believes the benefits and costs of complying with the proposed rule would be the same as those for other broker-dealers. Notice-registered broker-dealers should not face additional costs under the proposed amendments to the disposal rule, as they would remain excluded from its scope.

We seek comment on the proposal to maintain the same regulatory framework for notice-registered broker-dealers under the safeguards rule and the disposal rule:

89. Does the current regulatory framework for notice-registered broker-dealers under the safeguards rule and the disposal rule adequately protect investors who are clients of such institutions? If not, how is the current regulatory framework for notice-registered broker-dealers inadequate in this regard?

90. Should the rule alter the scope of either rule's application to notice-registered broker-dealers? If so, what alterations should be considered, and why? What would the costs and benefits be of such alterations in approach?

D. Recordkeeping

The proposed amendments would require covered institutions to make and maintain written records documenting compliance with the requirements of the safeguards rule and of the disposal rule. Specifically, the proposal would amend (i) Investment Company Act rules 31a–1(b) and 31a–2(a) for investment companies that are registered under the Investment Company Act, (ii) Investment Advisers Act rule 204–2 for registered investment advisers, (iii) Exchange Act rule 17a–4 for broker-dealers, and (iv) Exchange Act rule 17Ad–7 for transfer agents. The proposal would also include a recordkeeping provision in proposed rule 248.30(d) under Regulation S–P for investment companies that are not registered under the Investment Company Act (“unregistered investment companies”). In each case, the proposed amendments would require the covered institution to maintain written records documenting the covered institution's compliance with the requirements set forth in proposed rule 248.30(b) (procedures to safeguard customer information) and (c)(2) (disposal of consumer information and customer information).

The records required pursuant to Investment Company Act proposed rules 31a–1(b) and 31a–2(a), proposed rule 248.30(d) under Regulation S–P, Investment Advisers Act proposed rule 204–2, Exchange Act proposed rule 17a–4, and Exchange Act proposed rule 17ad–7 would include, for example, records of policies and procedures under the safeguards rule that address administrative, technical, and physical safeguards for the protection of customer information as well as the proposed incident response program for unauthorized access to or use of customer information, including customer notice. Covered institutions would also be required to make and maintain written records documenting, among other things: (i) its assessments of the nature and scope of any incidents involving unauthorized access to or use of customer information; (ii) steps taken to contain and control such incidents; and (iii) its notifications to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, including, where applicable, any determinations, after a reasonable investigation of the facts and circumstances of an incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience, and the basis for that determination.

The rule proposals would also require covered institutions to keep records of those written policies and procedures requiring any service providers to take appropriate measures that are designed to protect against unauthorized access to or use of customer information, including notification to the covered institution as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security resulting in unauthorized access to a customer information system maintained by the service provider to enable the covered institution to implement its response program, as well as related records of written contracts and agreements between the covered institution and the service provider. These records would help covered institutions periodically reassess the effectiveness of their policies and procedures, and determine whether they are reasonably designed, and would help our examiners and enforcement program to monitor compliance with the requirements of the amended rules.

With respect to the disposal rule, the proposed rules require that every covered institution adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information. The proposed recordkeeping requirements are not intended to require covered institutions to document every act of disposing of an item of information. For example, a covered institution's periodic review and written documentation of its disposal practices generally should be sufficient to satisfy the proposed recordkeeping requirements as they relate to the disposal rule.

Under the proposed rules, the time periods for preserving records would vary by covered institution to be consistent with existing recordkeeping rules. Broker-dealers would have to preserve the records for a period of not less than three years, in an easily accessible place. Transfer agents would have to preserve the records for a period of not less than three years, in an easily accessible place. Investment companies registered under the Investment Company Act and unregistered investment companies would have to preserve the records, apart from any policies and procedures, for a period of not less than six years, the first two years in an easily accessible place; and in the case of any policies and procedures, preserve a copy of such policies and procedures in effect, or that at any time within the past six years were in effect, in an easily accessible place. Registered investment advisers would have to preserve the records for five years, the first two years in an appropriate office of the investment adviser. These proposed recordkeeping provisions, while varying among covered institutions, should result in the maintenance of the proposed records for sufficiently long periods of time and in locations in which they would be useful to staff examiners and the enforcement program. The proposal to conform the retention periods to existing requirements is intended to allow covered institutions to minimize their compliance costs by integrating the proposed requirements into their existing recordkeeping systems and record retention timelines.

We request comment on the proposed requirements for making and maintaining records, including the following:

91. Are the records that we propose to require appropriate? Should covered institutions be required to keep any additional or fewer records? If so, what records and why?

92. Should the rule limit the list of required records to assessments, containment or control measures or investigations only for certain information security incidents? Are some information security incidents not sufficiently consequential as compared to the amount of time required to record the institution's response? If so, please explain. How should the rule distinguish between information security incidents that require a record to be made and maintained and those that do not? If a record is not required for certain investigations, should a covered institution nevertheless be required to record a determination that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience?

93. Are the proposed periods of time for preserving records appropriate, or should certain records be preserved for different periods of time? Should the recordkeeping time periods be the same across covered institutions? Would the costs associated with preserving records for periods of time consistent with covered institutions' existing recordkeeping requirements be less than if all covered institutions were required to keep these records for the same period of time?

94. Are the rule proposals sufficiently explicit about the specific records that covered institutions must maintain? The proposed amendments for investment companies and registered investment advisers require these covered institutions to make and maintain written records documenting compliance with paragraphs (b)(1) and (c)(2) of Regulation S–P. In contrast, the proposed amendments for broker-dealers and transfer agents, specifically identify the records that should be maintained and preserved. Would investment companies and registered investment advisers benefit from additional specificity, such as requiring that investment companies and registered advisers keep the same records as those proposed to be required for broker-dealers and transfer agents? On the other hand, are the proposed rules for broker-dealers and transfer agents too granular? Please explain why or why not. Should the rule specifically require that a covered institution keep records of requests to delay notice from the Attorney General of the United States or any other specific records? In what respect should the rule proposals be made more or less explicit?

E. Exception From the Annual Notice Delivery Requirement

The GLBA requires financial institutions to provide customers with annual notices informing them about the institution's privacy policies. In certain circumstances, institutions must also provide their customers with an opportunity to opt out before the institution shares their information. Regulation S–P includes provisions implementing these notice and opt out requirements for broker-dealers, investment companies and registered investment advisers.

In the 2015 Fixing America's Surface Transportation Act (“FAST Act”), Congress added new section 503(f) to GLBA (“statutory exception”). This provision provides an exception to the annual notice delivery requirements for a financial institution that meets certain requirements, and became effective when it was enacted on December 4, 2015.

We are proposing amendments to the annual notice provision requirement in Regulation S–P to include the exception to the annual notice delivery added by the statutory exception. In addition, we propose to provide timing requirements for delivery of annual privacy notices if a broker-dealer, investment company, or registered investment adviser that qualifies for the annual notice exception later changes its policies and practices in such a way that it no longer qualifies for the exception.

1. Current Regulation S–P Requirements for Privacy Notices

Currently, Regulation S–P generally requires a broker-dealer, investment company or registered investment adviser to provide an initial privacy notice to its customers not later than when the institution establishes the customer relationship and annually after that for as long as the customer relationship continues. If an institution chooses to share nonpublic personal information with a nonaffiliated third party other than as disclosed in an initial privacy notice, the institution must send a revised privacy notice to its customers.

Regulation S–P also requires that before an institution shares nonpublic personal information with nonaffiliated third parties, the institution must provide the customer with an opportunity to opt out of sharing, except in certain circumstances. A broker-dealer, investment company, or registered investment adviser is not required to provide customers the opportunity to opt out if the institution shares nonpublic personal information with nonaffiliated third parties (i) pursuant to a joint marketing arrangement with third party service providers, subject to certain conditions, (ii) related to maintaining and servicing customer accounts, securitization, effecting certain transactions, and certain other exceptions and (iii) related to protecting against fraud and other liabilities, compliance with certain legal and regulatory requirements, consumer reporting, and certain other exceptions.

The types of information required to be included in the initial, annual, and revised privacy notices are identical. Each privacy notice must describe the categories of information the institution shares and the categories of affiliates and nonaffiliates with which it shares nonpublic personal information. The privacy notices also must describe the type of information the institution collects, how it protects the confidentiality and security of nonpublic personal information, a description of any opt out right, and certain disclosures the institution makes under the FCRA.

2. Proposed Amendment

Section 248.5 of Regulation S–P sets forth the requirements for an annual privacy notice, including delivery. We are proposing to add a new paragraph (e) to the section, which would include the statutory exception from the annual privacy notice requirement.

a. Conditions for the Exception

To qualify for the statutory exception, a financial institution must satisfy two conditions. First, an institution must share nonpublic personal information only in accordance with the exceptions in GLBA sections 502(b)(2) and (e). These sections set forth exceptions to the requirement to provide customers an opportunity to opt out of the institution's information sharing with nonaffiliated third parties. Second, an institution relying on the exception cannot have changed its policies and practices with regard to disclosing nonpublic personal information from those that were disclosed in the most recent disclosure sent to consumers.

Our proposed amendment to Regulation S–P would implement the statutory exception. In particular, our proposed amendment would provide that a broker-dealer, investment company, or registered investment adviser is not required to deliver an annual privacy notice if it satisfies two conditions that reflect those the FAST Act added to the GLBA. First, an institution relying on the exception could only provide nonpublic personal information to nonaffiliated third parties in accordance with the exceptions set forth in Regulation S–P sections 248.13, 248.14 and 248.15, which implement the exceptions to the opt out requirement in GLBA sections 502(b) and (e).

Second, an institution cannot have changed its policies and practices with regard to disclosing nonpublic personal information from those it most recently disclosed to the customer. Specifically, an institution would satisfy this condition if the institution's policies and practices regarding the information described under paragraphs 248.6(a)(2) through (5) and (9), each of which relates to the disclosure of nonpublic personal information, are unchanged from those included in the institution's most recent privacy notice sent to customers. We are not including in the exception the other information that an institution is required to include in its privacy notices pursuant to paragraph 248.6(a) because such other information either does not relate to the disclosure of nonpublic personal information or is not relevant to the exception. Our proposed approach to the condition is designed to be consistent with and comparable to that of the CFTC, CFPB, and FTC, which reference the same disclosures of nonpublic personal information in the conditions to the exceptions to their annual privacy notice delivery requirements.

b. Resumption of Annual Privacy Notice Delivery

The statutory exception states that a financial institution that meets the requirements for the annual privacy notice exception will not be required to provide annual privacy notices “until such time” as that financial institution fails to comply with the conditions to the exception, but does not specify a date by which the annual privacy notice delivery must resume. Under our proposed amendment, when an institution would need to resume delivering annual privacy notices depends on whether or not it must issue a revised privacy notice.

First, if a financial institution changes its policies so that it triggers the existing requirement to issue a revised privacy notice under rule 248.8, that institution would be required to provide an annual privacy notice in accordance with the timing requirement in paragraph 248.5(a). As noted above, Regulation S–P generally requires an institution to provide an initial privacy notice to an individual who becomes the institution's customer no later than when it establishes a customer relationship. Paragraph 248.5(a) requires a financial institution to provide a privacy notice to its customers “not less than annually” during the continuation of any customer relationship. Thus, the rule provides institutions with the flexibility to select a specific date during the year to provide annual privacy notices to all customers, regardless of when a particular customer relationship began.

We propose to use the same approach to the resumption of delivery of annual privacy notices when a change in practice requires an institution to send a revised notice to customers. The revised privacy notice would be treated as analogous to an initial notice for purposes of determining the timing of the subsequent delivery of annual privacy notices. This would allow institutions to preserve their existing approach to selecting a delivery date for annual privacy notices, thereby avoiding the potential burdens of determining delivery dates based on a new approach.

In the second circumstance, if the institution's change in policies or practices does not require a revised privacy notice, the institution would be required to provide an annual privacy notice to customers within 100 days of the change. This 100-day period is intended to provide timely delivery of the updated privacy notice to customers who were not informed prior to the institution's change in policies or practices. Moreover, we preliminarily believe that a 100-day period also generally avoids imposing significant additional costs on the institution. Any 100-day period will accommodate the institution delivering the privacy notice alongside any quarterly reporting to customers. Proposed paragraph 248.5(e)(2)(iii) provides an example for each scenario described above in which an institution must resume delivering annual privacy notices.

The proposed timing requirements for when an institution no longer meets requirements for the exception and must resume delivering annual privacy notices are designed to be consistent with the existing timing requirements for privacy notice delivery in Regulation S–P, where applicable. The proposed timing requirements also are intended to be consistent with parallel CFTC, CFPB, and FTC rules. They also are intended to provide clarity to institutions when a change in policies and practices prevent an institution from relying on the annual privacy notice delivery exception. In addition, providing timing provisions consistent with those of the CFTC, CFPB, and FTC would facilitate privacy notice delivery for affiliated financial institutions subject to GLBA that are not broker-dealers, investment companies, or registered investment advisers.

We request comment on the proposed exception to the annual privacy notice delivery requirement provisions, including the following:

95. The proposed annual privacy notice exception is conditioned on a broker-dealer, investment company, or registered investment adviser not changing policies and practices related to the disclosure of nonpublic personal information ( i.e., information on policies and practices required to be in a privacy notice under paragraphs 248.6(a)(2) through (5) and (9)). Should the exception remain available when the institution makes minor or non-substantive changes to its policies and practices? If so, how should we define the scope of changes that would allow use of the exception?

96. Should the proposed amendment include a provision for timing in these circumstances? Should the rule require an institution to provide notice by the time it has changed its disclosure policies and practices so that it no longer meets the proposed conditions of the rule in all circumstances? Should the proposed 100-day time period for resumption of delivery of annual privacy notices be shorter or longer? For example, should the period be shorter, such as 30, 60, or 90 days? Should the period be longer, such as 120 or 150 days? Should it be a qualitative standard? Or a qualitative standard with an upper ceiling? Please explain.

F. Request for Comment on Limited Information Disclosure When Personnel Leave Their Firms

The Commission requests comment on adding an exception from the notice and opt out requirements that would permit limited information disclosure when personnel move from one brokerage or advisory firm to another. The 2008 Proposal included an exception from the notice and opt out requirements to permit limited disclosures of investor information when a registered representative of a broker-dealer or a supervised person of a registered investment adviser (collectively, “departing personnel”) moved from one brokerage or advisory firm to another. The exception that was previously proposed would have permitted firms with departing personnel to share certain limited customer contact information and supervise the information transfer, and required them to retain the related records. To limit the risk of identity theft or other abuses, the shared information could not include any customer's account number, Social Security number, or securities positions. In the 2008 Proposal, the Commission noted that most firms seeking to rely on this proposed exception would not have needed to revise their GLBA privacy notices, because they already state in the notices that their disclosures of information not specifically described include disclosures permitted by law, which would include disclosures made pursuant to the proposed exception and the other exceptions provided in section 15 of Regulation S–P. Although a few commenters supported the exception as proposed, many expressed concerns about at least certain aspects of the exception.

As noted above, the Commission is not adding an exception from the notice and opt out requirements in connection with this proposal. However, the Commission requests comment on whether to permit the limited disclosure of certain investor information when departing personnel move from one brokerage or advisory firm to another, including whether an exception from this proposal's notice and opt out requirements would be appropriate:

97. Would adopting such an exception from the notice and opt out provisions of Regulation S–P be appropriate in light of the GLBA's goals? If so, is there a need for an exception to permit a limited disclosure of investor information when departing personnel moves from one brokerage or advisory firm to another? If so, what are other limitations, benefits, risks, or other considerations related to such an exception?

G. Other Current Commission Rule Proposals

1. Covered Institutions Subject to the Regulation SCI Proposal and the Exchange Act Cybersecurity Proposal

a. Discussion

i. Introduction

In addition to the Regulation S–P proposal, the Commission is proposing the Exchange Act Cybersecurity Proposal and is proposing to amend Regulation SCI. As discussed in more detail below, certain types of entities that would be subject to the proposed amendments to Regulation S–P would also be subject to those proposed rules, if adopted. As a result, such entities could be subject to multiple requirements to maintain policies and procedures that address certain types of cybersecurity risk, as well as obligations to provide multiple forms of disclosure or notification related to a cybersecurity event under the various proposals. While the Commission preliminarily believes that these requirements are nonetheless appropriate, it is seeking comment on the proposed amendments, given the following: (1) each proposal has a different scope and purpose; (2) the policies and procedures related to cybersecurity that would be required under each of the proposed rules would not be inconsistent; (3) the public disclosures or notifications required by the proposed rules would require different types of information to be disclosed, largely to different audiences at different times; and (4) it should be appropriate for entities to comply with the proposed requirements.

The specific instances in which the regulations, currently and as proposed to be amended, may relate to each other are discussed briefly below. In addition, we encourage interested persons to provide comments on the discussion below.

More specifically, the Commission encourages commenters to identify any areas where they believe the requirements of the proposed amendments to Regulation S–P and the requirements of Regulation SCI (currently and as it would be amended) and the Exchange Act Cybersecurity Proposal is particularly costly or creates practical implementation difficulties, provide details on what in particular about implementation would be difficult, and how the duplication will be costly or create such difficulties, and to make recommendations on how to minimize these potential impacts. In addition, the Commission encourages comments that explain how to achieve the goal of this proposal to reduce or help mitigate the potential for harm to individuals whose sensitive customer information has been accessed or used without authorization. To assist this effort, the Commission is seeking specific comment below on this topic.

b. Covered Institutions That Are or Would Also Be Subject to Regulation SCI and the Exchange Act Cybersecurity Proposal

Various covered institutions under this proposal are or would be subject to Regulation SCI (currently and as it would be amended) and the Exchange Act Cybersecurity Proposal. For example, alternative trading systems (“ATSs”) that trade certain stocks exceeding specific volume thresholds are SCI Entities and would also be covered institutions subject to the requirements of the proposed amendments to Regulation S–P. Therefore, if the proposed amendments to Regulation S–P are adopted (as proposed), broker dealers that operate ATSs would be subject to its requirements in addition to the requirements of Regulation SCI that apply to the ATS (currently and as it would be amended).

The Commission is also proposing to revise Regulation SCI to expand the definition of “SCI entity” to include broker-dealers that exceed an asset-based size threshold or a volume-based trading threshold in national market system (“NMS”) stocks, exchange-listed options, agency securities, or U.S. treasury securities. These entities would also be Market Entities for the purposes of the Exchange Act Cybersecurity Proposal, if adopted as proposed. If the amendments to Regulation SCI are adopted and the proposed amendments to Regulation S–P are adopted (as proposed), these additional Market Entities would be subject to Regulation SCI and also would be subject to the requirements of the proposed amendments to Regulation S–P as well as the requirements of the Exchange Act Cybersecurity Proposal (if adopted).

Additionally, broker-dealers and transfer agents that would be subject to the Exchange Act Cybersecurity Proposal also would be subject to some or all of the requirements of Regulation S–P (currently and as it would be amended).

c. Policies and Procedures To Address Cybersecurity Risks

i. Different Scope of the Policies and Procedures Requirements

Each of the policies and procedures requirements has a different scope and purpose. Regulation SCI (currently and as it would be amended) limits the scope of its requirements to certain systems of the SCI Entity that support securities market related functions. Specifically, it does and would require an SCI Entity to have reasonably designed policies and procedures applicable to its SCI systems and, for purposes of security standards, its indirect SCI systems. While certain aspects of the policies and procedures required by Regulation SCI (as it exists today and as proposed to be amended) are designed to address certain cybersecurity risks (among other things), the policies and procedures required by Regulation SCI focus on the SCI entities' operational capability and the maintenance of fair and orderly markets.

Similarly, Regulation S–P (currently and as it would be amended) also has a distinct focus. The policies and procedures required under Regulation S–P, both currently and as proposed to be amended, are limited to protecting a certain type of information—customer records or information and consumer report information —and they apply to such information even when stored outside of SCI systems or indirect SCI systems. Furthermore, these policies and procedures need not address other types of information stored on the systems of the broker-dealer or transfer agent. Consequently, while Regulation SCI and Regulation S–P may relate to each other, each serves a distinct purpose, and the Commission believes it would be appropriate to apply both requirements to SCI Entities that are covered institutions.

The policies and procedures requirements of the Exchange Act Cybersecurity Proposal are broader in scope with respect to cybersecurity than either the current or proposed forms of Regulation SCI or Regulation S–P. The Exchange Act Cybersecurity Proposal would require Market Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks. Unlike Regulation SCI, these requirements would therefore cover both SCI systems and information systems that are not SCI systems. And, unlike Regulation S–P, the proposed requirements would also encompass information beyond customer information and consumer information. As discussed below, however, the narrower scope of the cybersecurity-related requirements discussed in this proposal are not intended to be inconsistent with the policies and procedures that would be required under the Exchange Act Cybersecurity Proposal, despite the differences in scope and purpose, which could reduce duplicative burdens for entities to comply with both requirements.

To illustrate, a covered institution could use one comprehensive set of policies and procedures to satisfy the cybersecurity-related requirements of the Regulation S–P proposed amendments and the cybersecurity-related policies and procedures requirements of the Regulation SCI Proposal and the Exchange Act Cybersecurity Proposal, so long as the cybersecurity-related policies and procedures required under Regulation S–P and Regulation SCI fit within and are consistent with the scope of the policies and procedures required under the Exchange Act Cybersecurity Proposal, and the Exchange Act Cybersecurity Proposal policies and procedures also address the more narrowly-focused cybersecurity-related policies and procedures requirements under the Regulation S–P and Regulation SCI proposals.

ii. Consistency of the Policies and Procedures Requirements

The safeguards rule currently requires broker-dealers (but not transfer agents) to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. The safeguards rule further provides that these policies and procedures must: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. Additionally, the disposal rule currently requires broker-dealers and transfer agents that maintain or otherwise possess consumer report information for a business purpose to properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

The proposed amendments to the Regulation S–P safeguards rule would require policies and procedures to include a response program for unauthorized access to or use of customer information. Further, the response program would need to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including procedures, among others, to: (1) assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization; and (2) take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information.

The Exchange Act Cybersecurity Proposal would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks to these proposed requirements of Regulation S–P. First, under the Exchange Act Cybersecurity Proposal, a Covered Entity's policies and procedures would require measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the Covered Entity's information systems and the information residing on those systems. Second, under the Exchange Act Cybersecurity Proposal, a Covered Entity's policies and procedures would require incident response measures designed to detect, respond to, and recover from a cybersecurity incident, including policies and procedures that are reasonably designed to ensure, among other things, the protection of the Covered Entity's information systems and the information residing on those systems. Therefore, the incident response program policies and procedures requirements under the Regulation S–P proposal, which are specifically tailored to address unauthorized access to or use of customer information, would serve a different purpose than, and are not intended to be inconsistent with, the broader cybersecurity and information protection requirements of the incident response policies and procedures required under the Exchange Act Cybersecurity Proposal.

Accordingly, policies and procedures implemented by a broker-dealer that are reasonably designed in compliance with the requirements of the Exchange Act Cybersecurity Proposal discussed above also should generally satisfy the existing policies and procedures requirements of the Regulation S–P safeguards rule to protect customer records or information against unauthorized access or use that could result in substantial harm or inconvenience to any customer, to the extent that such information is stored electronically and, therefore, falls within the scope of the Exchange Act Cybersecurity Proposal. In addition, reasonably designed policies and procedures implemented by a broker-dealer or transfer agent in compliance with the requirements of the Exchange Act Cybersecurity Proposal also should generally satisfy the existing requirements of the disposal rule related to properly disposing of consumer report information, to the extent that such information is stored electronically and, therefore, falls within the scope of the Exchange Act Cybersecurity Proposal.

In addition, with respect to service providers, the proposed amendments to the safeguards rule would require broker-dealers, other than notice-registered broker-dealers, and transfer agents registered with the Commission or another appropriate regulatory agency to include written policies and procedures within their response programs that require their service providers, pursuant to a written contract, to take appropriate measures that are designed to protect against unauthorized access to or use of customer information, including notification to the broker-dealer or transfer agent as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security resulting in unauthorized access to a customer information system maintained by the service provider to enable the broker-dealer or transfer agent to implement its response program expeditiously.

The Exchange Act Cybersecurity Proposal also would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks that relate to service providers. First, as part of the Exchange Act Cybersecurity Proposal's risk assessment requirements, a Covered Entity's policies and procedures under that proposal would need to require periodic assessments of cybersecurity risks associated with the Covered Entity's information systems and information residing on those systems. This element of the policies and procedures would need to require that the Covered Entity identify its service providers that receive, maintain, or process information, or are otherwise permitted to access the Covered Entity's information systems and any of the Covered Entity's information residing on those systems, and assess the cybersecurity risks associated with the Covered Entity's use of these service providers.

Second, under the Exchange Act Cybersecurity Proposal, a Covered Entity's policies and procedures would require oversight of service providers that receive, maintain, or process the Covered Entity's information, or are otherwise permitted to access the Covered Entity's information systems and the information residing on those systems, pursuant to a written contract between the Covered Entity and the service provider. Through that written contract the service providers would be required to implement and maintain appropriate measures that are designed to protect the Covered Entity's information systems and information residing on those systems. Unlike the Exchange Act Cybersecurity Proposal, however, Regulation S–P's proposed policy and procedure requirements related to service providers would specifically require notification to a covered institution as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security resulting in unauthorized access to a customer information system maintained by the service provider, in order to enable the covered institution to implement its response program. Therefore, reasonably designed policies and procedures implemented by a broker-dealer or transfer agent pursuant to the requirements of the Exchange Act Cybersecurity Proposal largely would satisfy these proposed requirements of Regulation S–P, to the extent that such information is stored electronically.

The proposed amendments to the disposal rule would require broker-dealers, other than notice-registered broker-dealers, and transfer agents registered with the Commission or another appropriate regulatory agency that maintain or otherwise possess consumer information or customer information for a business purpose, to properly dispose of this information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. Any broker-dealer or transfer agent subject to the disposal rule would be required to adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information in accordance with this standard.

The Exchange Act Cybersecurity Proposal would have several policies and procedures requirements that are designed to address similar cybersecurity-related risks as this proposed requirement of the disposal rule. First, a Covered Entity's policies and procedures under the Exchange Act Cybersecurity Proposal would need to include controls: (1) requiring standards of behavior for individuals authorized to access the Covered Entity's information systems and the information residing on those systems, such as an acceptable use policy; (2) identifying and authenticating individual users, including but not limited to implementing authentication measures that require users to present a combination of two or more credentials for access verification; (3) establishing procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication; (4) restricting access to specific information systems of the Covered Entity or components thereof and the information residing on those systems solely to individuals requiring access to the systems and information as is necessary for them to perform their responsibilities and functions on behalf of the covered entity; and (5) securing remote access technologies.

Second, under the Exchange Act Cybersecurity Proposal, a Covered Entity's policies and procedures would need to include measures designed to protect the Covered Entity's information systems and protect the information residing on those systems from unauthorized access or use, based on a periodic assessment of the Covered Entity's information systems and the information that resides on the systems. The periodic assessment would need to take into account: (1) the sensitivity level and importance of the information to the Covered Entity's business operations; (2) whether any of the information is personal information; (3) where and how the information is accessed, stored and transmitted, including the monitoring of information in transmission; (4) the information systems' access controls and malware protection; and (5) the potential effect a cybersecurity incident involving the information could have on the Covered Entity and its customers, counterparties, members, registrants, or users, including the potential to cause a significant cybersecurity incident. A broker-dealer or transfer agent that implements these requirements of the Exchange Act Cybersecurity Proposal should generally satisfy the proposed requirements of the disposal rule that customer information or consumer information held for a business purpose must be properly disposed of, to the extent that such information is stored electronically and, therefore, falls within the scope of the Exchange Act Cybersecurity Proposal.

For these reasons, the more narrowly focused existing and proposed policies and procedures requirements of Regulation S–P that address particular cybersecurity risks should fit within and are not intended to be inconsistent with the broader policies and procedures required under the Exchange Act Cybersecurity Proposal that more comprehensively address cybersecurity risks. Therefore, it should be appropriate for a broker-dealer or transfer agent to comply with the policies and procedures requirements of the Exchange Act Cybersecurity Proposal (if adopted) and the existing and proposed cybersecurity-related policies and procedures requirements of Regulation S–P with an augmented set of policies and procedures that addresses the requirements of both rules, to the extent that such information is stored electronically and, therefore, falls within the scope of the Exchange Act Cybersecurity Proposal.

d. Disclosure

The proposed amendments to Regulation S–P and Regulation SCI, and the Exchange Act Cybersecurity Proposal also have similar, but distinct, requirements related to notification about certain cybersecurity incidents. The proposed amendments to Regulation S–P would require broker-dealers, other than notice-registered broker-dealers, and transfer agents registered with the Commission or another appropriate regulatory agency to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. These broker-dealers and transfer agents would not have to provide notice if, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, they determine that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Moreover, if the cybersecurity incident is or would be an SCI event under the current or proposed requirements of Regulation SCI, a Covered Entity that is or would be subject to the current and proposed requirements of Regulation SCI also could be required to disseminate certain information about the SCI event to certain of its members, participants, or in the case of an SCI broker-dealer, customers, as applicable, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred.

Under the Exchange Act Cybersecurity Proposal, a Market Entity that is a Covered Entity would, if it experiences a “significant cybersecurity incident,” be required to disclose a summary description of each such incident that has occurred during the current or previous calendar year and to provide updated disclosures if the information required to be disclosed materially changes, including after the occurrence of a new significant cybersecurity incident or when information about a previously disclosed significant cybersecurity incident materially changes. These disclosures would be required to be made by filing Part II of proposed Form SCIR on EDGAR, posting a copy of the form on its corporate internet website, and, in the case of a carrying or introducing broker-dealer, by sending the disclosure to its customers using the same means that the customer elects to receive account statements.

However, despite these similarities, there are distinct differences. First, the Exchange Act Cybersecurity Proposal, Regulation SCI (currently and as proposed to be amended), and Regulation S–P (as proposed to be amended) require different types of information to be disclosed. Second, the disclosures generally would be made to different persons: (1) the public at large in the case of the Exchange Act Cybersecurity Proposal; (2) members, participants, or customers, as applicable, of the SCI entity in the case of the Regulation SCI Proposal; and (3) affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization or, in some cases, all individuals whose information resides in the customer information system that was accessed or used without authorization in the case of Regulation S–P (as proposed to be amended).

Additionally, the notification provided about certain cybersecurity incidents is different under each of these proposals given the distinct goals of each proposal. For example, the requirement to disclose summary descriptions of certain cybersecurity incidents from the current or previous calendar year publicly on EDGAR under the Exchange Act Cybersecurity Proposal serves a different purpose than the customer notification obligation proposed by the Regulation S–P amendments, which would provide more specific information to individuals affected by a security compromise involving their sensitive customer information, so that those individuals may take remedial actions if they so choose. For these reasons, the customer notification requirements of the proposed amendments to Regulation S–P are proposed to apply to covered institutions even if they would be subject to the disclosure requirements of Regulation SCI and/or the Exchange Act Cybersecurity Proposal (as proposed).

a. Request for Comment

The Commission requests comment on the multiple requirements under Regulation S–P (as currently exists and as proposed to be amended), the Exchange Act Cybersecurity Proposal, and Regulation SCI (as currently exists and as proposed to be amended). In addition, the Commission is requesting comment on the following matters:

98. Would it be costly or create practical implementation difficulties to apply the proposed requirements of Regulation S–P to have policies and procedures related to addressing cybersecurity risks to covered institutions if these institutions also would be required to have policies and procedures under Regulation SCI (currently and as it would be amended) and/or the Exchange Act Cybersecurity Proposal (if it is adopted) that address certain cybersecurity risks? If so, explain why. If not, explain why not. Conversely, would there be benefits to this approach? Why or why not? Are there ways the policies and procedures requirements of the proposed amendments to Regulation S–P could be modified to minimize these potential impacts while achieving the separate goals of this proposal? If so, explain how and suggest specific modifications.

99. Would it be costly or create practical implementation difficulties to require covered institutions to provide notification to affected individuals under Regulation S–P (as proposed), as well as requiring disclosure for certain cybersecurity-related incidents under the Exchange Act Cybersecurity Proposal and Regulation SCI? If so, explain why. If not, explain why not. Conversely, would there be benefits to this approach? Why or why not? Are there ways the notification requirements of the proposed amendments to Regulation S–P could be modified to minimize the potential impacts while achieving the separate goals of this proposal? If so, explain how and suggest specific modifications.

2. Investment Management Cybersecurity

On February 9, 2022, the Commission proposed new rules and amendments relating to the cybersecurity practices and response measures of registered investment advisers, registered investment companies, and business development companies (“covered IM entities”). The Investment Management Cybersecurity Proposal would require written cybersecurity policies and procedures reasonably designed to address cybersecurity risks; disclosures regarding certain cybersecurity risks and significant cybersecurity incidents; confidential reporting to the Commission within 48 hours of having a reasonable basis to conclude that a significant cybersecurity incident has occurred or is occurring; and certain cybersecurity-related recordkeeping.

If the Investment Management Cybersecurity Proposal and this proposal are both adopted as proposed, covered IM entities would be required to comply with certain similar requirements under both sets of rules. Both sets of rules would require covered IM entities to have policies and procedures regarding measures to detect, respond to, and recover from certain security incidents. Both also address oversight over certain service providers as a part of the required policies and procedures, specifically, requiring the service provider to have appropriate measures that are designed to protect customer, fund, or adviser information, as applicable, pursuant to a written contract.

In addition to similar policies and procedures requirements, covered IM entities would potentially be required to make disclosures to the public and report to the Commission under the Investment Management Cybersecurity Proposal, as well as provide notice to an affected individual under Regulation S–P, for the same incident. The disclosure and reporting that would be required under the Investment Management Cybersecurity Proposal, however, differ in purpose from the notification that would be provided to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization under the proposed amendments to Regulation S–P.

The disclosures and reporting contemplated in the Investment Management Cybersecurity Proposal would generally require disclosure of information appropriate to a wider audience of current and prospective advisory clients and fund shareholders, and would better inform their investment decisions, as well as provide reporting to the Commission of significant cybersecurity incidents. For example, advisers would be required to describe cybersecurity risks that could materially affect the advisory services they offer and how they assess, prioritize, and address cybersecurity risks created by the nature and scope of their business. The Investment Management Cybersecurity Proposal would also require disclosure about significant cybersecurity incidents to prospective and current clients, shareholders, and prospective shareholders. These disclosures are intended to improve such persons' ability to evaluate and understand relevant cybersecurity risks and incidents and their potential effect on adviser and fund operations. In contrast, as discussed in section II.A.4.f, the notices required under this proposal would provide more specific information to individuals whose sensitive customer information notification was, or is reasonably likely to have been, accessed or used without authorization, so that they can take remedial actions as they deem appropriate. In other words, the Investment Management Cybersecurity Proposal would provide more general information appropriate to the wider audience of current and prospective clients, shareholders, and prospective shareholders, where this proposal would provide more specific information to individual customers about their customer information.

We intend that even if this proposal as well as the Investment Management Cybersecurity are adopted as proposed, covered IM entities would be able to avoid duplicative compliance efforts, including by, for example, developing one set of policies and procedures addressing all of the requirements from these proposals, using similar descriptions in the disclosures regarding the same incident, or providing the required disclosures as a single notice, where appropriate.

We request comment on the application of the proposal and the Investment Management Cybersecurity Proposal, including the following:

100. How would covered IM entities comply with the policies and procedures requirements contemplated in this proposal? Would they do so by having an integrated set of cybersecurity policies and procedures? If not, what costs and burdens would covered IM entities incur? If so, what operational or practical difficulties may arise because of these combined policies and procedures?

101. Should we modify any of the proposed requirements under this proposal for policies and procedures, service provider oversight, and/or notification of certain incidents, in order to minimize potential duplication of similar requirements under the Investment Management Cybersecurity Proposal?

102. What operational or practical difficulties, if any, may arise for covered IM entities that choose to comply with the disclosure requirements contemplated in this proposal and the Investment Management Cybersecurity Proposal by making substantially similar disclosures to market participants and customers? To the extent the proposed disclosure and notification requirements would result in duplication of effort, what revisions would minimize such duplication but also ensure investors and customers receive the information necessary to protect themselves and make investment decisions?

103. Should we require notice to the Commission when notification is provided to individuals under this proposal? If yes, what form should that notification take (for example, a copy of what is provided to affected individuals under this proposal, or something similar to the significant cybersecurity incident reporting that would be required under the Investment Management Cybersecurity Proposal for covered IM entities)? Should the timing of any such notification to the Commission be the same, before or later than notification to the affected individuals?

104. Do commenters believe there are additional areas of potential duplication or similarities between this proposal and the Investment Management Cybersecurity Proposal that we should address in this proposal? If so, please provide specific examples and whether the duplication or similarities should be addressed and if so, how.

H. Existing Staff No-Action Letters and Other Staff Statements

Staff is reviewing certain of its no-action letters and other staff statements addressing Regulation S–P to determine whether any such letters, statements, or portions thereof, should be withdrawn in connection with any adoption of this proposal. We list below the letters and other staff statements that are being reviewed as of the date of any adoption of the proposed rules or following a transition period after such adoption. If interested parties believe that additional letters or other staff statements, or portions thereof, should be withdrawn, they should identify the letter or statement, state why it is relevant to the proposed rule, and how it or any specific portion thereof should be treated and the reason therefor. To the extent that a letter or statement listed relates both to the proposal and another topic, the portion unrelated to the proposal is not being reviewed in connection with any adoption of this proposal.

I. Proposed Compliance Date

We propose to provide a compliance date twelve months after the effective date of any adoption of the proposed amendments in order to give covered institutions sufficient time to develop and adopt appropriate procedures to comply with any of the proposed changes and associated disclosure and reporting requirements, if adopted. The Commission recognizes that many covered institutions would review their policies and procedures at least annually. This compliance date would allow covered institutions to develop and adopt appropriate procedures in alignment with a regularly scheduled review. Based on our experience, we believe the proposed compliance date would provide an appropriate amount of time for covered institutions to comply with the proposed rules, if adopted.

We request comment on the proposed compliance date, and specifically on the following items:

105. Is the proposed compliance date appropriate? If not, why not? Is a longer or shorter period necessary to allow covered institutions to comply with one or more of these particular amendments, if adopted (for example, 18 months if longer, 6 months if shorter)? If so, what would be a recommended compliance date?

106. Should we provide a different compliance date for different types of entities? For example, should we provide a later compliance date for smaller entities, and if so what should this be (for example, 18 or 24 months)? How should we define a “smaller entities” for this purpose? Should any such definition be different depending on the type of covered institution and, if so, how?

III. Economic Analysis

A. Introduction

The Commission is mindful of the economic effects, including the costs and benefits, of the proposed rules and amendments. Section 3(f) of the Exchange Act, section 2(c) of the Investment Company Act, and section 202(c) of the Investment Advisers Act provide that when engaging in rulemaking that requires us to consider or determine whether an action is necessary or appropriate in or consistent with the public interest, to also consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation. Section 23(a)(2) of the Exchange Act also requires us to consider the effect that the rules would have on competition, and prohibits us from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the Exchange Act. The analysis below addresses the likely economic effects of the proposed amendments, including the anticipated and estimated benefits and costs of the amendments and their likely effects on efficiency, competition, and capital formation. The Commission also discusses the potential economic effects of certain alternatives to the approaches taken in this proposal.

The proposed amendments would require every broker-dealer, every investment company, every registered investment adviser, and every transfer agent to notify affected customers of certain data breaches. To that end, the proposed amendments would require these covered institutions to develop, implement, and maintain written policies and procedures that include an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access or use of customer information, and that includes a customer notification component for cases where sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization. The proposal would also extend existing rules for safeguarding customer records and information by broadening the scope of covered records to “customer information” and extending the covered population to transfer agents, impose various related recordkeeping requirements, and include in the regulation an existing statutory exception to annual privacy notice requirements.

The proposed amendments would affect the aforementioned covered institutions as well as customers who would receive the proposed notices. The proposed amendments would also have indirect effects on third-party service providers that receive, maintain, process or otherwise are permitted access to customer information on behalf of covered institutions: under the proposed amendments, unauthorized use of or access to sensitive customer information via third-party service providers would fall under the proposed customer notification requirement and covered institutions would be required to enter into a written contract with these service providers regarding measures to protect against unauthorized access to or use of customer information and notification to the covered institution in the event of a breach.

We believe that the main economic effects of the proposal would result from the proposed notification and incident response program requirements applicable to all covered institutions. For reasons discussed later in this section, we believe the proposed extension of existing provisions of Regulation S–P to transfer agents would have more limited economic effects. Finally, we anticipate the proposed recordkeeping requirements, and the proposed incorporation of the existing statutory exception to annual privacy notice requirements, to have minimal economic effects as discussed further below.

Broadly speaking, we believe the main economic benefits of the proposed notification and incident response program requirements, as well as the proposed extension of Regulation S–P to all transfer agents, would result from reduced exposure of the broader financial system to cyberattacks. These benefits would result from covered institutions allocating additional resources towards information safeguards and cybersecurity to comply with the proposed new requirements and/or to avoid reputational harm resulting from the mandated notifications. More directly, customers would benefit from reduced risk of their information being compromised, and—insofar as the proposed notices improve customers' ability to take mitigating actions—by allowing customers to mitigate the effects of compromises that occur nonetheless. The main economic costs from these new requirements would be reputational costs borne by firms that would not otherwise have notified customers of a data breach, increased expenditures on safeguards to avoid such reputational costs, and compliance costs related to the development and implementation of required policies and procedures.

Because all states require some form of customer notification of certain data breaches, and many entities are likely to already have response programs in place, we generally anticipate that the economic benefits and costs of the proposed notification requirements will—in the aggregate—be limited. Our proposal would, however, afford many individuals greater protections by, for example, defining “sensitive customer information” more broadly than the current definitions used by certain states; providing for a 30-day notification deadline that is shorter than the timing currently mandated by many states, including in states providing for no deadline or those allowing for various delays; and providing for a more sensitive notification trigger than in most states.

Further, in certain states, state customer notification laws do not apply to entities subject to or in compliance with the GLBA, and our proposal would help ensure customers receive notice of a breach in these circumstances.

For these reasons, the requirements being proposed here would improve customers' knowledge of when their sensitive information has been compromised. Specifically, we expect that the proposed minimum nationwide standard for notifying customers of data breaches, along with the preparation of written policies and procedures for incident response, would result in more customers being notified of data breaches as well as faster notifications for some customers, and that both these effects would improve customers' ability to act to protect their personal information. Moreover, such improved notification would—in many cases—become public and impose additional reputational costs on covered institutions that fail to safeguard customers' sensitive information. We expect that these potential additional reputational costs would increase the disciplining effect on covered institutions, incentivizing them to improve customer information safeguards, reduce their exposure to data breaches, and thereby improve the cyber-resilience of the financial system more broadly.

To the extent that a covered institution does not currently have policies and procedures to safeguard customer information and respond to unauthorized access to or use of customer information, it would bear costs to develop and implement the required policies and procedures for the proposed incident response program. Moreover, transfer agents—who have heretofore not been subject to any of the customer safeguard provisions of Regulation S–P—would face additional compliance costs related to the development of policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information as already required by current Regulation S–P.

As adopting policies and procedures involves fixed costs, doing so is almost certain to impose a proportionately larger compliance cost on smaller covered institutions, which would—in principle—reduce smaller covered institutions' ability to compete with their larger peers ( i.e., for whom the fixed costs are spread over more customers). However, given the considerable competitive challenges arising from economies of scale and scope already faced by smaller firms, we do not anticipate that the costs associated with this proposal would significantly alter these challenges. Similarly, although the proposed amendments may lead to improvements to economic efficiency and capital formation, existing state rules are similar in many respects to this proposal and so we do not expect the proposed amendments to have a significant impact on economic efficiency or capital formation vis-à-vis the baseline.

Many of the benefits and costs discussed below are difficult to quantify. Doing so would involve estimating the losses likely to be incurred by a customer in the absence of mitigation measures, the efficacy of mitigation measures implemented with a given delay, and the expected delay before notification can be provided under the proposed rules. In general, data needed to arrive at such estimates are not available to the Commission. Thus, while we have attempted to quantify economic effects where possible, much of the discussion of economic effects is qualitative in nature. The Commission seeks comment on all aspects of the economic analysis, including submissions of data that could be used to quantify some of these economic effects.

B. Broad Economic Considerations

In a perfectly competitive market, market forces would lead firms to “efficiently” safeguard customers' information: firms that fail to provide the level of safeguards demanded by customers would be driven out of the market by those that do. Among the several assumptions required to obtain this efficient outcome is that of customers having complete and perfect information about the firm's product or service and the processes and service provider relationships by which they are being provided, including customer information safeguards. In the context of covered institutions—firms whose services frequently involve custody of highly-sensitive customer information—this assumption is unrealistic. Customers have little visibility into the internal processes of a firm and its service providers, so it is impossible for them to directly observe whether a firm is employing adequate customer information safeguards. Moreover, firms often lack incentives to disclose when such information is compromised (and likely have substantial incentives to avoid such disclosures), limiting customers' (current or prospective) ability to penalize ( i.e., avoid) covered institutions who fail to protect customer information. The resulting information asymmetry prevents market forces from yielding economically efficient outcomes. This market failure serves as the economic rationale for the proposed regulatory intervention.

The information asymmetry about specific information breaches that have occurred, and—more generally—about covered institutions' efforts at avoiding such breaches, can lead to two inefficiencies. First, the information asymmetry prevents individual customers whose information has been compromised from taking timely actions ( e.g., increased monitoring of account activity, or placing blocks on credit reports) necessary to mitigate the consequences of such compromises. Second, the information asymmetry can lead covered institutions to generally devote too little effort ( i.e., “underspend”) toward safeguarding customer information, thereby increasing the probability of information being compromised in the first place. ³³⁰ In other words, information asymmetry prevents covered institutions that spend more effort on safeguarding customer information from having customers recognize their extra efforts.

The proposed amendments could mitigate these inefficiencies in three ways. First, by ensuring customers receive timely notice when their information is compromised, they would allow customers to take appropriate remedial actions. Second, by revealing when such events occur, they would help customers to draw inferences about a covered institution's efforts toward protecting customer information which could help inform their choice of covered institution, and in so doing influence firms' efforts toward protecting customer information. Third, by imposing a regulatory requirement to develop, implement, and maintain policies and procedures, the proposed amendments might further enhance firms' cybersecurity preparations and would restrict firms' ability to limit efforts in these areas and thereby mitigate the inefficiency from a competitive “race to the bottom.”

The effectiveness of the proposed amendments at mitigating these problems would depend on several factors. First, it would depend on the degree to which customer notification provides actionable information to customers that helps mitigate the effects of the compromise of sensitive customer information. Second, it would also depend on the degree to which the prospect of issuing such notices—and the prospect of resulting reputational harm, litigation, and regulatory scrutiny—helps alleviate underspending on safeguarding customer information. Finally, the effectiveness of the proposed amendments would also depend on the extent to which they induce improvements to existing practices ( i.e., the extent to which they strengthen customer safeguards and increase notification relative to the baseline).

C. Baseline

The market risks and practices, regulation, and market structure relevant to the affected parties in place today form the baseline for our economic analysis. The parties directly affected by the proposed amendments (“covered institutions” ) include every broker-dealer (3,509 entities), every investment company (13,965 distinct legal entities), every investment adviser (15,129 entities) registered with the Commission, and every transfer agent (402 entities) registered with the Commission or another appropriate regulatory agency. In addition, the proposed amendments would affect current and prospective customers of covered institutions as well as certain service providers to covered institutions.

1. Safeguarding Customer Information—Risks and Practices

Over the last two decades, the widespread adoption of digitization and the migration toward internet-based products and services has radically changed the manner in which firms interact with customers. The financial services industry has been at the forefront of these trends and now represents one the most digitally mature sectors of the economy. This progress came with a cost: increased exposure to cyberattacks that threaten not only the financial firms themselves, but also their customers. Cyber threat intelligence surveys consistently find the financial sector to be among the most attacked industries.

The trend toward digitization has increasingly turned the problem of safeguarding customer records and information into one of cybersecurity. Because financial firms are part of one of the most attacked industries, the problem of cybersecurity is acute, as the customer records and information in their possession can be quite sensitive ( e.g., personal identifying information, bank account numbers, financial transactions) and the compromise of which could lead to substantial harm. Not surprisingly, the financial sector is one of the biggest spenders on cybersecurity measures: a recent survey found that non-bank financial firms spent an average of approximately 0.4% of revenues—or $2,348/employee/year—on cybersecurity.

While spending on cybersecurity measures in the financial services industry is considerable, it may nonetheless be inadequate—even in the estimation of financial firms themselves. According to one recent survey, 58% of financial firms self-reported “underspending” on cybersecurity measures. And while adoption of cybersecurity best practices has been accelerating overall, some firms continue to lag in their adoption.

As discussed in more detail below, the Commission does not currently require covered institutions to notify customers (or the Commission) in the event of a data breach, so statistics relating to data breaches at covered institutions are not readily available. However, data compiled from notifications required under various state laws indicates that in 2021 the number of data breaches reported in the U.S. rose sharply to 1,862—a 68% increase over the prior year. Of these, 279 (15%) were reported by firms in the financial services industry. It is estimated that the average total cost of a data breach for a U.S. firm in 2022 was $9.44/million. The bulk of these costs is attributed to detection and escalation (33%), lost business (32%), and post-breach response (27%); customer notification is estimated to account for only a small fraction (7%) of these costs. Thus, for the U.S. financial industry as a whole, this implies aggregate notification costs under the baseline on the order of $200 million, which—given the greater exposure of financial firms to cyber threats—almost surely represent a lower bound.

2. Regulation

Two features of the existing regulatory framework are most relevant to the proposed amendments. First are the regulations already in place that require covered institutions to notify customers in the event that their information is compromised in some way. Second are regulations that affect covered institutions' efforts toward safeguarding customers' information. While the relevance of the former is obvious, the latter is potentially more significant: regulations aimed at increasing firms' efforts toward safeguarding customer information reduce the need for data breach notifications in the first place. In this section, we summarize these two aspects of the regulatory framework.

a. Customer Notification Requirements

All 50 states and the District of Columbia impose some form of data breach notification requirement under state law. These laws vary in detail from state to state, but have certain common features. State laws trigger data breach notification obligations when some type of “personal information” of a state's resident is either accessed or acquired in an unauthorized manner, subject to various common exceptions. For the vast majority of states (47), a notification obligation is triggered only when there is unauthorized acquisition, while a handful of states (4) require notification whenever there is unauthorized access.

Generally, states can be said to adopt either a basic or an enhanced definition of personal information. A typical example of a basic definition specifies personal information as the customer name linked to one or more pieces of nonpublic information such as Social Security number, driver's license number (or other state identification number), or financial account number together with any required credentials to permit access to said account. A typical enhanced definition will include additional types of nonpublic information that trigger the notification requirement; examples include: passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Enhanced definitions would also trigger notification when a username or email address in combination with a password or security question and answer that would permit access to an online account is compromised. Most states (39) adopt some form of enhanced definition, while a minority (12) adopt a basic definition.

Most states (43) provide an exception to the notification requirement if, following a breach of security, the entity investigates and determines that there is no reasonable likelihood that the individual whose personal information was breached has experienced or will experience certain harms (“no-harm exception”). Although the types of harms vary by state, they most commonly include: “harm” generally (12), identity theft or other fraud (10), misuse of personal information (8). Figure 1 plots the frequency of the various types of harms referenced in states' no-harm exceptions.

In general, state laws provide a general principle for timing of notification ( e.g., delivery shall be made “without unreasonable delay,” or “in the most expedient time possible and without unreasonable delay”). Some states augment the general principle with a specific deadline ( e.g., notice must be made “in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that the breach occurred” unless certain exceptions apply.” Figure 2 plots the frequency of different notification deadlines in state laws.

State laws generally require persons or entities that own or license computerized data that includes private information to notify residents of the state when a data breach results in the compromise of their private information. In addition, state laws generally require persons and entities that do not own or license such computerized data, but that maintain such computerized data for other entities, to notify the affected entity in the event of a data breach (so as to allow that entity to notify affected individuals). Therefore, we understand that all proposed covered institutions are already complying with one or more state notification laws. Variations in these state laws, however, could result in residents of one state receiving notice while residents of another receive no notice, or receive it later, for the same data breach incident.

Covered institutions may use service providers to perform certain business activities and functions, such as trading and order management, information technology functions and cloud computing services. As a result of this outsourcing, service providers may receive, maintain, or process customer information, or be permitted to access it, and therefore a security incident at the service provider could expose information at or belonging to the covered institution. In some cases, these service providers may be required to notify customers directly under state notification laws ( i.e., when the service provider owns or licenses the customer data). We anticipate however, that more frequently service providers would fall under provisions of state laws that require persons and entities that maintain computerized data to notify the data owners in the event of a breach. We also understand contracts between covered institutions and service providers could, and may already, call for the service provider to notify the covered institution of a data breach. Thus, we anticipate that most service providers contracting with covered institutions that would be affected by this proposal are already notifying covered institutions of data breaches, pursuant to either contract or state law.

b. Customer Information Safeguards

Regulation S–P currently requires all currently covered institutions to adopt written policies and procedures reasonably designed to: (i) insure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records and information that could result in substantial harm or inconvenience to any customer.

Covered institutions that hold transactional accounts for consumers may also be subject to Regulation S–ID. Such entities must develop and implement a written identity theft program that includes policies and procedures to identify relevant types of identity theft red flags, detect the occurrence of those red flags, and respond appropriately to the detected red flags. As some compromise of customer information is generally a prerequisite for identity theft, it is reasonable to expect that some of the policies and procedures implemented to effect compliance with Regulation S–ID incorporate red flags related to the potential compromise of customer information.

Some covered institutions may also be subject to other regulators' rules implicating customer information safeguards. Transfer agents supervised by one of the banking agencies, would be subject to the Banking Agencies' Incident Response Guidance. The Banking Agencies' guidelines require covered financial institutions to develop a response program covering assessment, notification to relevant regulators and law enforcement, incident containment, and customer notice. The guidelines require customer notification if misuse of sensitive customer information “has occurred or is reasonably possible.” They also require notices to occur “as soon as possible,” but permit delays if “an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.” Under the guidelines, “sensitive customer information” means “a customer's name, address, or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account.” In addition “any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number” is also considered sensitive customer information under the guidelines. The guidelines also state that the OCC Information Security Guidance directs every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

In addition, certain ATSs are subject to obligations regarding their systems that relate to securities market functions under Regulation SCI aimed at enhancing the capacity, integrity, resiliency, availability, and security of those systems.

We also understand that advisers to private funds may be subject to the Federal Trade Commission's recently amended Standards for Safeguarding Customer Information (“FTC Safeguards Rule”) that contains a number of modifications to the existing rule with respect to data security requirements to protect customer financial information. The FTC Safeguards Rule generally requires financial institutions to develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. The rule also requires financial institutions to design and implement a comprehensive information security program with various elements, including incident response. In addition, it requires financial institutions to take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.

A variety of guidance is available to institutions seeking to address information security risk, particularly through the development of policies and procedures. These include the NIST and CISA voluntary standards discussed elsewhere in this release, both of which include assessment, containment, and notification elements similar to this proposal. We do not have extensive data spanning all types of covered institutions on their use of these or similar guidelines or on their development of written policies and procedures to address incident response. However, past Commission examination sweeps of broker-dealers and investment advisers suggest that such practices are widespread. Thus, we believe that institutions seeking to develop written policies and procedures likely would have encountered these and similar standards and may have included the critical elements of assessment and containment, as well as notification; we request public comment on this assumption.

c. Annual Notice Delivery Requirement

Under the baseline, a broker-dealer, investment company, or registered investment adviser must generally provide an initial privacy notice to its customers not later than when the institution establishes the customer relationship and annually after that for as long as the customer relationship continues. If an institution chooses to share nonpublic personal information with a nonaffiliated third party other than as disclosed in an initial privacy notice, the institution must generally send a revised privacy notice to its customers.

The types of information required to be included in the initial, annual, and revised privacy notices are identical. Each privacy notice must describe the categories of information the institution shares and the categories of affiliates and non-affiliates with which it shares nonpublic personal information. The privacy notices also must describe the type of information the institution collects, how it protects the confidentiality and security of nonpublic personal information, a description of any opt out right, and certain disclosures the institution makes under the FCRA.

3. Market Structure

The amendments being proposed here would affect four categories of covered institutions: broker-dealers other than notice-registered broker-dealers, registered investment advisers, investment companies, and transfer agents registered with the Commission or another appropriate regulatory agency. These institutions compete in several distinct markets and offer a wide range of services, including: effecting customers' securities transactions, providing liquidity, pooling investments, transferring ownership in securities, advising on financial matters, managing portfolios, and consulting to pension funds. Many of the larger covered institutions belong to more than one category ( e.g., a dually-registered broker-dealer/investment adviser), and thus operate in multiple markets. In the rest of this section we first outline the market for each class of covered institution and then consider service providers.

a. Broker-Dealers

Registered broker-dealers include both brokers (persons engaged in the business of effecting transactions in securities for the account of others) as well as dealers (persons engaged in the business of buying and selling securities for their own accounts). Most brokers and dealers maintain customer relationships, and are thus likely to come into the possession of sensitive customer information. In the market for broker-dealer services, a relatively small set of large- and medium-sized broker-dealers dominate while thousands of smaller broker-dealers compete in niche or regional segments of the market. Broker-dealers provide a variety of services related to the securities business, including (1) managing orders for customers and routing them to various trading venues; (2) providing advice to customers that is in connection with and reasonably related to their primary business of effecting securities transactions; (3) holding customers' funds and securities; (4) handling clearance and settlement of trades; (5) intermediating between customers and carrying/clearing brokers; (6) dealing in corporate debt and equities, government bonds, and municipal bonds, among other securities; (7) privately placing securities; and (8) effecting transactions in mutual funds that involve transferring funds directly to the issuer. Some broker-dealers may specialize in just one narrowly defined service, while others may provide a wide variety of services.

Based on an analysis of FOCUS filings from year-end 2021, there were 3,509 registered broker-dealers. Of these, 502 were dually-registered as investment advisers. There were over 72 million customer accounts reported by carrying brokers. However, the majority of broker-dealers are not “carrying broker-dealers” and therefore do not report the numbers of customer accounts. Therefore, we expect that this figure of 72 million understates the total number of customer accounts because many of the accounts at carrying broker dealers have corresponding accounts with non-carrying brokers. Both carrying and non-carrying broker-dealers potentially possess sensitive customer information for the accounts that they maintain. Because non-carrying broker-dealers do not report on the numbers of customer accounts, it is not possible to ascertain with any degree of confidence the distribution of customer accounts across the broader broker-dealer population.

b. Investment Advisers

Registered investment advisers provide a variety of services to their clients, including: financial planning advice, portfolio management, pension consulting, selecting other advisers, publication of periodicals and newsletters, security rating and pricing, market timing, and conducting educational seminars. Although advisers engaged in any of these activities are likely to possess sensitive customer information, the degree of sensitivity will vary widely across advisers. An adviser that offers advice only on personalized investment advice may not hold much customer information beyond address, payment details, and the customer's overall financial condition. On the other hand, an adviser that performs portfolio management services will possess account numbers, tax identification numbers, access credentials to brokerage accounts, and other highly sensitive information.

Based on Form ADV filings received up to June 1, 2022, there were 15,129 SEC-registered investment advisers with a total of 51 million individual clients and $128 trillion in assets under management. Practically all (97%) of these advisers reported providing portfolio management services to their clients. Over half (56%) reported having custody of clients' cash or securities either directly or through a related person with client funds in custody totaling $46 trillion.

Figure 3 plots the cumulative distribution of the number of individual clients handled by SEC-registered investment advisers. The distribution is highly skewed: thirteen advisers each have more than one million clients while 95% of advisers have fewer than 2,000 clients. Many such advisers are quite small, with half reporting fewer than 62 clients.

Similarly, most SEC-registered investment advisers are limited geographically. SEC-registered investment advisers must generally make a “notice filing” with a state in which they have a place of business or six or more clients. Figure 4 plots the frequency distribution of the number the number of such filings. Based on notice filings, half of SEC-registered investment advisers operate in fewer than four states, and 38% operate in only one state.

c. Investment Companies

Investment companies are companies that issue securities and are primarily engaged in the business of investing in securities. Investment companies invest money they receive from investors on a collective basis, and each investor shares in the profits and losses in proportion to that investor's interest in the investment company. Investment companies that would be subject to the proposed rules include registered open-end and closed-end funds, business development companies (“BDCs”), Unit Investment Trusts (“UITs”), and employee securities' companies. Because they are not operating companies, investment companies do not have “customers” as such, and thus are unlikely to possess significant amounts of nonpublic “customer” information in the conventional sense. They may, however, have access to nonpublic information about their investors.

Table 1 summarizes the investment company universe that would be subject to the proposed rules. In total, as of the end of 2021, there were 13,965 investment companies, including 12,420 open-end management investment companies, 681 closed-end managed investment companies, 662 UITs, 103 BDCs, and 43 employees' securities companies. Many of the investment companies that would be subject to the proposed rules are part of a “family” of investment companies. Such families often share infrastructure for operations ( e.g., accounting, auditing, custody, legal) and potentially marketing and distribution. We believe that many of the compliance costs and other economic costs discussed in the following sections would likely be borne at the family level. We estimate that there were up to 1,144 distinct operational entities (families and unaffiliated investment companies) in the investment company universe.

d. Transfer Agents

Transfer agents maintain records of security ownership and are responsible for processing changes of ownership (“transfers”), communicating information from the firm to its security-holders ( e.g., sending annual reports), replacing lost stock certificates, etc. However, in practice most U.S.-registered securities are held in “street name,” where the ultimate ownership information is not maintained by the transfer agent, but rather in a hierarchal ledger. In this structure, securities owned by individuals are not registered in the name of the individual with the transfer agent. Rather the individual's broker maintains the records of the individual's ownership claim on securities. Brokers, in turn, have claims on securities held by a single nominee owner who maintains records of the claims of the various brokers. This arrangement makes securities lending feasible and facilitates rapid transfers. In such cases, the transfer agent is not aware of the ultimate owner of the securities and therefore does not hold sensitive information belonging to those owners.

Despite the prevalence of securities held in street name, a large number of individuals nonetheless hold securities directly through the transfer agent. Securities held directly may be held either in the form of a physical stock certificate or in book-entry form through the Direct Registration System (“DRS”). In either case, the transfer agent would need to maintain sensitive information about the individuals who own the securities. For example, to handle a request for replacement certificate, the transfer agent would need to confirm the identity of the individual making such a request and to maintain a record of such confirmation. Similarly, to effect DRS transfers a transfer agent would need to provide a customer's identification information in the message to DRS.

In 2022, there were 335 transfer agents registered with the Commission, with an additional 67 registered with the Banking Agencies. On average, each transfer agent reported 1.2 million individual accounts, with the largest reporting 56 million. Figure 5 plots the cumulative distribution of the number of individual accounts reported by transfer agents registered with the Commission. Approximately one third of SEC-registered transfer agents reported no individual accounts, and half reported fewer than ten thousand individual accounts.

e. Service Providers

The proposed policies and procedures provisions would require covered institutions, pursuant to a written contract between the covered institution and its service providers, to require the service providers to take appropriate measures that are designed to protect against unauthorized access to or use of customer information. These contracting requirements on a covered institution would affect a third party service provider that “receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to [the] covered institution.”

Covered institutions' relationships with a wide range of service providers would be affected. Specialized service providers with offerings geared toward outsourcing of covered institutions' core functions would generally fall under the proposed contracting requirements. Those offering of customer relationship management, customer billing, portfolio management, customer portals ( e.g., customer trading platforms), customer acquisition, tax document preparation, proxy voting, and regulatory compliance ( e.g., AML/KYC) would likely fall under the proposed contracting requirements. In addition, various less-specialized service providers could potentially fall under these requirements. Service providers offering Software-as-a-Service (SaaS) solutions for email, file storage, and similar general-purpose services could potentially be in a position to receive, maintain, or processes customer information. Similarly, providers of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), as well as those offering more “traditional” consulting services ( e.g., IT contractors) would in many cases be “otherwise [ ] permitted access to customer information” and could fall under the contracting provisions.

Due to data limitations, we are unable to quantify or characterize in much detail the structure of these various service provider markets. However, it has long been recognized that the financial services industry is increasingly relying on service providers through various forms of outsourcing.

D. Benefits and Costs of the Proposed Rule Amendments

The proposed amendments can be divided into four main components. First, they would create a requirement for covered institutions to adopt incident response programs, including notification to customers in the event sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Second, they would broaden the scope of information covered by the safeguards rule and the disposal rule and extend the application of the safeguards rule to transfer agents. Third, they would require covered institutions to maintain and retain records related to the foregoing. Fourth, they would include in regulation an existing statutory exemption for annual privacy notices. We discuss costs and benefits of each provision in turn.

1. Response Program

The proposed amendments would require covered institutions to “develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information” which must include a response program “designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures.” Under the proposal, covered institutions' response programs would be required to address incident assessment, containment, as well as customer notification.

The question of how best to structure the response to a cyber-incident has received considerable attention from firms, IT consultancies, government agencies, standards bodies, and industry groups, resulting in numerous reports with recommendations and summaries of best practices. While the emphasis of these reports varies, certain key components are common across many cybersecurity incident response programs. For example, NIST's Computer Security Incident Handling Guide identifies four main phases to cyber incident handling: (1) preparation; (2) detection and analysis; (3) containment, eradication, and recovery; and (4) post-incident activity. The assessment, containment, and notification prongs of the proposed policies and procedures requirement correspond to the latter three phases of the NIST recommendations. Similar analogues are found in other reports, recommendations, and other regulators' guidelines. Thus, the proposed procedures of the incident response program are substantially consistent with industry best practices and these other regulatory documents that seek to develop effective policies and procedures in this area.

In addition to helping ensure that customers are notified when their data is breached, the proposed requirements for policies and procedures to address assessment and containment of incidents are likely to have various other benefits. Having reasonably-designed strategies for incident assessment and containment ex ante could reduce the frequency and scale of breaches through more effective intervention and improved managerial awareness. Any such improvements to covered institutions' processes would benefit their customers ( i.e. by reducing harms to customers resulting from data breaches), as well as the covered institutions themselves ( i.e. by reducing the expected costs of handling data breaches).

In the remainder of this section, we first consider the benefits and costs associated with requiring covered institutions to develop, implement, and maintain written policies and procedures for a response program generally. We then consider costs and benefits of the proposed service provider provisions. We conclude this section with an analysis of the proposed notification requirements vis-à-vis the notification requirements already in force under the various existing state laws.

a. Written Policies and Procedures

Written policies and procedures are a practical prerequisite for organizations to implement standard operating procedures, which have long been recognized as necessary to improving outcomes in critical environments. While we are not aware of any studies that assess the efficacy of written policies and procedures specifically in the context of financial regulation, we expect that requiring written policies and procedures for the proposed response program would improve its effectiveness in a number of ways. Although data breach incidents are increasingly common, they are nonetheless a relatively rare event for any given covered institution. As the process for handling them is unlikely to be routine for a covered institution' staff, written policies and procedures can help ensure that the covered institution's personnel know what corrective actions to take and when. Moreover, written policies and procedures can help ensure that the incident is handled in an optimal manner. Finally, establishing incident response procedures ex ante can facilitate discussion among the covered institution's staff and expose flaws in the incident response procedures before they are used in a real response.

As noted in section III.C , all states and the District of Columbia generally require businesses to notify their customers when certain customer information is compromised, but they do not typically require the adoption of written policies and procedures for the handling of such incidents. However, despite the lack of explicit statutory requirements, covered institutions—especially those with a national presence—may have developed and implemented written policies and procedures for a response program that incorporates various standard elements, including the ones being proposed here: assessment, containment, and notification. Given the numerous and distinct state data breach laws, it would be difficult for larger covered institutions operating in multiple states to comply effectively with existing state laws without having some written policies and procedures in place. As such covered institutions are generally larger, they are more likely to have compliance staff dedicated to designing and implementing regulatory policies and procedures, which could include policies and procedures regarding incident response. Moreover, to the extent covered institutions that have already developed written policies and procedures for incident response have based such policies and procedures on common cyber incident response frameworks ( e.g., NIST Computer Security Incident Handling Guide, CISA Cybersecurity Incident Response Playbook), generally accepted industry best practices, or other applicable regulatory guidelines, these large covered institutions' written policies and procedures are likely to include the proposed elements of assessment, containment, and notification, and to be substantially consistent with the proposed rule's requirements.

Thus, we do not anticipate that the proposed requirement for written policies and procedures would result in substantial new benefits from its application to large covered institutions, those with a national presence, or those already subject to comparable Federal regulations. For the same reasons, it is unlikely to impose significant new costs for these institutions. Here, we expect the main cost associated with the proposed requirement to be the cost of reviewing existing policies and procedures to verify that they satisfy the new requirement. We further expect that these costs—although not significant—would ultimately be passed on to customers of these institutions.

We expect that the proposed written policies and procedures requirement would have more substantial benefits and costs for smaller covered institutions without a national presence, such as small registered investment advisers and broker-dealers who cater to a clientele based on geography, as compared to larger covered institutions. For smaller covered institutions the potential reputational cost of a cybersecurity breach is likely to be relatively small, while the cost of developing and implementing written policies and procedures for a response program is proportionately large. Moreover, these smaller covered institutions could potentially comply effectively with the relevant state data breach notification laws without adopting written policies and procedures to deal with customer notification: they may only need to consider—on an ad hoc basis—the notification requirements of the small number of states in which their customers reside.

Thus, we expect that for such covered institutions, the proposed amendments would likely impose additional compliance costs related to amending their existing written policies and procedures for safeguarding customer information. While these smaller covered institutions could potentially pass some of these costs on to customers in the form of higher fees, their ability to do so may be limited due to the presence of larger competitors with more customers. In addition, covered institutions that improve their customer notification procedures in response to the proposed amendments could suffer reputational costs resulting from the additional notifications.

Although the relevant baseline for the analysis of this proposal incorporates only regulations currently in place, we note that several concurrent Commission proposals would impose broader policies and procedures requirements relating to cybersecurity and data protection on some covered institutions. Insofar as these related proposals are adopted, the response program being proposed here would represent a refinement of elements addressing incident response and recovery found in the concurrent proposals. Thus, we anticipate that costs of developing the response programs being proposed here could largely be subsumed in the costs of developing policies and procedures for these concurrent proposals (if adopted).

The benefits ensuing from smaller, more geographically limited covered institutions incorporating incident response programs to their written policies and procedures can be expected to arise from improved efficacy in notifying affected customers and—more generally—from improvements in the manner in which such incidents are handled with aforementioned attendant benefits to customers and to the covered institutions themselves.

Lacking data on the improvements to efficacy—whether it be efficacy of customer notification, incident assessment, or incident containment—that would result from widespread adoption of written response programs, we cannot quantify the economic benefits of the proposed requirements. Similarly, quantifying the indirect economic costs such as reputational cost of any potential increased efficacy in customer notification is not feasible. However, as noted earlier, the effects of these requirements are likely to be small for covered institutions with a national presence who—we understand—are likely to already have such programs in place. For such institutions, we expect direct compliance costs to be largely limited to reviews of existing policies and procedures. Smaller, more geographically limited covered institutions—which are less likely to have written policies and procedures to address incident response—we expect would be more likely to bear the full costs associated with adopting and implementing such procedures.

The proposed requirements could potentially provide great benefit in a specific incident, for example in the case of a data breach at an institution that does not currently have written policies and procedures and was unprepared to promptly respond in keeping with law, and best practice. Such an institution would also bear the highest cost in complying with the proposal. In the aggregate, however, considering the proposed amendments in the context of the baseline, these benefits and costs are likely to be limited. As we have noted above, all states have previously enacted data breach notification laws with substantially similar aims and, therefore, we think it likely that many institutions have written policies and procedures to support compliance with these laws. In addition, we anticipate that larger covered institutions with a national presence—who account for the bulk of covered institutions' customers—have already developed written incident response programs consistent with the proposed requirements in most respects. Thus, the benefits and costs of requiring written incident response programs would largely be limited to smaller covered institutions without a national presence—institutions whose policies affect relatively few customers.

b. Service Provider Provisions

The proposed amendments would require that a covered institution's incident response program include written policies and procedures that cover activity by service providers. Specifically, these policies and procedures would require covered institutions, pursuant to a written contract between the covered institution and its service providers, to require the service providers to take appropriate measures that are designed to protect against unauthorized access to or use of customer information, including notification to the covered institution in the event of any breach in security resulting in unauthorized access to a customer information system maintained by the service provider to enable the covered institution to implement its response program. Under the proposed amendments, “service provider” is defined broadly, as “any person or entity that is a third party and receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” Thus, the proposed requirement could affect contracts with a broad range of entities, including potentially email providers, customer relationship management systems, cloud applications, and other technology vendors.

As modern business processes increasingly rely on third-party service providers, ensuring consistency in regulatory requirements increasingly requires consideration of the functions performed by service providers, and how these functions interact with the regulatory regime. Ignoring such aspects would create opportunities for regulatory arbitrage through outsourcing of functions to unregulated service providers. Thus, the proposed requirement would function to strengthen the benefits of the proposal by helping ensure that the proposed requirements have similar effects regardless of how a covered institution chooses to implement its business processes ( i.e., whether those processes are implemented in-house or outsourced).

For service providers that provide specialized services aimed at covered institutions, the proposed requirement would create additional market pressure to enhance service offerings so as to facilitate covered institutions' compliance with the proposed requirements. These service providers would have increased market pressure to adapt their services to facilitate covered institutions' compliance with the proposed amendments. This would entail costs for the service providers, including the actual cost of adapting business processes to accommodate the requirements, as well as costs related to renegotiating service agreements with covered institutions to include the required contractual provisions. It is difficult for us to quantify these costs, as we have no data on the number of specialized service providers used by covered institutions and on the ease with which they could adapt business processes to satisfy the new contractual provisions. That said, we preliminarily believe that these costs are justified and would not represent an undue cost as both the specialized service providers and the covered institutions contracting with them are adapted to operating in a highly-regulated industry, and would be accustomed to adapting their business processes to meet regulatory requirements. We further expect that such costs would largely be passed on to covered institutions and ultimately their customers.

With respect to more generic service providers ( e.g., email, customer-relationship management), the situation could be quite different. For these providers, covered institutions are likely to represent a small fraction of their customer base. These generic service providers may be unwilling to adapt their business processes to the regulatory requirements of a small subset of their customers. Under the proposed requirement, some covered institutions could find that some of their existing generic service providers would be unwilling to take the steps necessary to facilitate covered institutions' compliance with the proposed amendments. In such cases, the covered institutions would need to switch service providers and bear the associated switching costs, while the service providers would suffer loss of customers. Although these costs would be offset by benefits arising from enhanced efficacy of the regulation, they would be particularly acute for smaller covered institutions which lack bargaining power with generic service providers and would in many cases be forced to switch providers.

Moreover, in some cases generic service providers may have the business processes in place to facilitate covered institutions' compliance, but may be unwilling to enter into suitable written contracts. This situation is likely to arise with large, best-of-breed generic service providers with large market share, and could lead to perverse outcomes where the aims of the proposed amendments are undermined. For example, large, established server hosting providers could be particularly unwilling to make contractual accommodations. At the same time, these hosting providers would have the greatest economic incentive—and means—to reduce generic vulnerabilities within their control. Thus, if a covered institution is forced to switch away from a large, established hosting provider unwilling to amend its contractual terms, it is likely to end up relying on a smaller, less established hosting provider that—while more amenable to specific contractual language—may be less capable of addressing the generic vulnerabilities within its control. Given the increasing reliance of firms on such generic service providers, switching could generate substantial costs and bring with it reduced ability to protect customer information if such generic service providers are either unwilling to contractually agree to certain provisions or unable to address the vulnerabilities within their control.

Finally, even in cases where service providers are willing to adapt processes and contractual terms to meet covered institutions requirements, the task of renegotiating service agreements could—in itself—impose substantial contracting costs on the parties. Contracting costs are likely to be most acute for larger covered institutions, which may have hundreds of contracts that would require renegotiation. These additional costs would likely be passed on to customers in the form of higher fees.

c. Notification Requirements

The proposed requirements would provide for a strong minimum standard for data breach notification, applicable to the sensitive customer information of all customers of covered institutions (including customers of other financial institutions whose information has been provided to a covered institution) regardless of their state of residence. The “strength” of a data breach notification standard is a function of its various provisions and how these provisions interact to provide customers with thorough, timely, and accurate information about when their information has been compromised. Customers receiving notices that are more thorough, timely, and accurate have a better chance of taking effective remedial actions, such as placing holds on credit reports, changing passwords, and monitoring account activity. These customers would also be better able to abandon institutions that have allowed their information to be compromised. Similarly, non-customers who learn of a data breach, for example from individuals notified as a result of the minimum standard, could use this information to avoid covered institutions that allow compromises to occur.

As discussed in section III.C.2.a all 50 states and the District of Columbia already have data breach laws generally applicable to compromises of their residents' information. Thus, the benefits of the proposed minimum standard for notification to customers (vis-à-vis the baseline) would vary depending on each customer's state of residence, with the greatest benefits accruing to customers that reside in states with “weaker” data breach laws.

Unfortunately, with the data available, it is not practicable to decompose the marginal contributions of the various state law provisions to the overall “strength” of state data breach laws. Consequently, it is not possible for us to quantify the benefits of the proposed minimum standard to customers residing in the various states. Thus, in considering the benefits of the proposed notification requirement, we limit consideration to the “strength” of individual provisions of the proposal vis-à-vis the corresponding provisions under state laws, and consider the number of customers that could potentially benefit from each.

Similarly—albeit to a somewhat lesser extent—the costs to covered institutions will also vary depending on the geographical distribution of each covered institution's customers. Generally, the costs associated with this proposal will be greater for covered institutions whose customers reside in states with weaker data breach laws than for those whose customers reside in states with stronger data breach laws. In particular, smaller covered institutions whose customers are concentrated in states with weak state data breach laws are likely to face proportionately higher costs.

In the rest of this section, we consider key provisions of the proposed notification requirements, their potential benefits to customers (vis-à-vis existing state notification laws), and their costs.

i. Effect With Respect to Customers of Other Financial Institutions

The scope of customer information subject to protection under the proposed amendments extends to “all customer information in the possession of a covered institutions, and all consumer information that a covered institution maintains or otherwise possesses for a business purpose, as applicable, regardless of whether such information pertains to individuals with whom the covered institution has a customer relationship, or pertains to the customers of other financial institutions and has been provided to the covered institution.”

This aspect of the proposal would generally extend the benefits of the proposed amendments, and in particular of the proposed notification requirements, to a wide range of individuals such as prospective customers, account beneficiaries, recipients of wire transfers, or any other individual whose customer information a covered institution comes to possess, so long as the individuals are customers of a financial institution.

We do not anticipate that extending the scope of information covered by the proposed amendments to include these additional individuals would have a significant effect on costs faced by covered institutions resulting from a data breach. We further anticipate that costs of preventative measures taken by covered institutions to protect customers in response to the proposed amendments would generally be effective at protecting these additional individuals. However, we acknowledge that in certain instances, this may not be the case. For example, information about prospective customers used for sales or marketing purposes may be housed in separate systems from the covered institution's “core” customer account management systems and require additional efforts to secure. That said, given that the distinction between customers and other individuals is generally not relevant under existing state notification laws—which apply to information pertaining to residents of a given state—we expect that most covered institutions will have already undertaken to protect and provide notifications of data breaches to these additional individuals.

ii. Effect With Respect to GLBA Safe Harbors

A number of state data breach laws provide exceptions to notification for entities subject to and in compliance with the GLBA. These “GLBA Safe Harbors” may result in customers not receiving any data breach notification from registered investment advisers, broker dealers, investment companies, or transfer agents. The proposal would help ensure customers receive notice of breach in cases where they may not currently because notice is not required under state law.

Based on an analysis of state laws, we found that 11 states provide a GLBA Safe Harbor. Together, these states account for 15% of the U.S. population, or approximately 8 million customers who may potentially benefit from this provision. While we do not have data on the exact geographical distribution of customers across all covered institutions, we are able to identify registered investment advisers whose customers reside exclusively in GLBA Safe Harbor states. We estimate that there are 215 such advisers, representing 1.4% of the adviser population. These advisers represent up to 11,000 clients, and tend to be small, with a median regulatory assets under management of $223 million. We expect that a similar percentage of broker-dealers would be found to be operating exclusively in GLBA Safe Harbor states.

Changing the effect of the GLBA Safe Harbors is not likely to impose significant direct compliance costs on most covered institutions. For the reasons outlined above, most covered institutions have customers from states without a GLBA Safe Harbor and we therefore expect they have existing procedures for notifying customers under state law. However, covered institutions whose customer base is limited to these GLBA Safe Harbor states may not have implemented any procedures to notify customers in the event of a data breach. These covered institutions would face proportionately higher costs than entities with some notification procedures already in place.

iii. Accelerating Timing of Customer Notification

Under the proposed amendments, a covered institution would be required to provide notice to customers in the event of a data breach as soon as practicable, but not later than 30 days after becoming aware that a data breach has occurred. As discussed in section III.C.2.a, existing state laws vary in terms of notification timing. Most states (32) do not include a specific deadline, but rather require that the notice be given in an expedient manner and/or that it be provided without unreasonable delay; these states account for 61% of the U.S. population with approximately 31 million potential customers residing in these states. Four states have a 30-day deadline; we estimate that 5 million customers reside in these states. The remaining 15 states provide for longer notification deadlines; we estimate that 14 million customers reside in these states. For the 14 million customers residing in these 15 states, the proposed 30-day deadline would tighten the notification timeframes by between 15 to 60 days. In addition, the 30-day deadline we are proposing is likely to tighten notification timeframes for approximately 31 million customers residing in states with no specific deadline; however, the aggregate effects on these 31 million customers may be limited insofar as the relevant state laws are not generally interpreted as allowing delays in notification greater than 30 days. Finally, because the proposal would not provide for broad exceptions to the 30-day notification requirement, in many cases it would tighten notification timeframes even for the 5 million customers residing in states with a 30-day deadline.

Tighter notification deadlines should increase customers' ability to take effective measures to counter threats resulting from their sensitive information being compromised. Such measures may include placing holds on credit reports or engaging in more active monitoring of account and credit report activity. In practice, however, when it takes a long time to discover a data breach, a relatively short delay between discovery and customer notification may have little impact on customers' ability to take effective countermeasures.

Based on data from the Washington Attorney General's Office, in 2021 it took an average of 170 days (standard deviation: 209 days) from the time a breach occurred to its discovery. This suggests that time to discovery is likely to prevent issuance of timely customer notices in most cases. However, as plotted in Figure 6, while some firms take many months—even years—to discover a data breach, others do so in a matter of days: 15% of firms were able to detect a breach within 2 weeks, and 20% were able to do so within 30 days. Thus, while the proposed 30-day notification deadline may not substantially improve the timeliness of customer notices in many cases, in some cases it could.

While we do not preliminarily believe that the proposed 30-day deadline to customer notifications would impose significant direct costs relative to a longer deadline (or relative to having no fixed deadline), the shorter deadline could potentially lead to indirect costs arising from the reporting deadline potentially interfering with incident containment efforts. Based on data from the Washington Attorney General's Office for 2021, “containment” of data breaches generally occurs quickly—4.4 days on average. However, according to IBM's study for 2021, it takes an average of 75 days to “contain” a data breach. The discrepancy suggests that there exists some ambiguity in the interpretation of “containment,” raising the possibility that the 30-day notification deadline could require customer notification to occur before some aspects of incident containment have been completed and potentially interfering with efforts to do so.

In some circumstances, requiring customers to be notified within 30 days may hinder law enforcement investigation of an incident by potentially making an attacker aware of the attack's detection. While the proposal would allow the covered institution to delay notification in specific circumstances related to national security, most law enforcement investigations would not rise to this level. Thus, the proposed 30-day customer notification requirement could impose costs on the public insofar as it interferes with law enforcement investigations that do not raise national security concerns and, thus, decreases recoveries or impedes deterrence.

iv. Broader Scope of Information Triggering Notification

In the proposal, “sensitive customer information” is defined more broadly than in most state statutes, yielding a customer notification trigger that is broader in scope than the various state law notification triggers included under the baseline. The broader scope of information triggering the notice requirements would cover more data breaches impacting customers than the notice requirements under the baseline. This increased sensitivity could benefit customers who would be made aware of more cases where their information has been compromised. At the same time, the increased sensitivity could lead to false alarms—cases where the “sensitive customer information” divulged does not ultimately harm the customer. Such false alarms could be problematic if they reduce customers' sensitivity to data breach notices. In addition, the proposed scope will also likely imply additional costs for covered institutions, which may need to adapt their processes for safeguarding information to encompass a broader set of customer information, and may need to issue additional notices.

In the proposal, “sensitive customer information” is defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” The proposed definition's basis in “any component of customer information” creates a broader scope than under state notification laws. In addition to identification numbers, PINs, and passwords, many other pieces of nonpublic information have the potential to satisfy this standard. For example, many financial institutions have processes for establishing identity that require the user to provide a number of pieces of information that—on their own—are not especially sensitive ( e.g., mother's maiden name, name of a first pet, make and model of first car), but which—together—could allow access to a customer's account. The compromise of some subset of such information would thus potentially require a covered institution to notify customers under the proposed amendments.

The definitions of information triggering notice requirements under state laws are generally much more circumscribed, and can be said to fall into one of two types: basic and enhanced. Basic definitions are used by 12 states, which account for 20% of the U.S. population. In these states, only the compromise of a customer's name together with one or more enumerated pieces of information triggers the notice requirement. Typically, the enumerated information is limited to Social Security number, a driver's license number, or a financial account number combined with an access code. For the estimated 10 million customers residing in these states, a covered institution's compromise of the customer's account login and password would not necessarily result in a notice, nor would a compromise of his credit card number and PIN. Such compromises could nonetheless lead to substantial harm and inconvenience.

Thus, the proposed amendments would significantly enhance the notification requirements applicable to these customers.

States adopting enhanced definitions for information triggering notice requirements extend the basic definition to include username/password and username/security question combinations. They may also include additional enumerated items whose compromise (when linked with the customer's name) can trigger the notice requirement ( e.g., biometric data, tax identification number, and passport number). For the estimated 40 million customers residing in the states with enhanced definitions, the benefits from the proposed amendment will be somewhat more limited. However, even for these customers, the proposal would tighten the effective notification requirement. There are many pieces of information not covered by the enhanced definitions the compromise of which could potentially lead to substantial harm or inconvenience. For example, under California law, the compromise of information such as a customer's email address in combination with a security question and answer would only trigger the notice requirement if that information would—in itself—permit access to an online account; moreover, the compromise of information such as a customer's name, combined with her transaction history, account balance, or other information not specifically enumerated would not trigger the notice requirement under California law.

The broader scope of information triggering a notice requirement under the proposed amendments would benefit customers. As noted earlier, many pieces of information not covered under state data breach laws could, when compromised, cause substantial harm or inconvenience. Under the proposed amendments, data breaches involving such information could require customer notification in cases where state law does not, and thus potentially increase customers' ability to take actions to mitigate the effects of such breaches. At the same time, there is some risk that the broader minimum standard will lead to notifications resulting from data compromises that—while troubling—are ultimately less likely to cause substantial harm or inconvenience. A large number of such notices could undermine the effectiveness of the notice regime.

The broader minimum standard for notification is likely to result in higher compliance costs for covered institutions. In particular, it is possible the covered institutions have developed processes and systems designed to provide enhanced information safeguards for the specific types of information enumerated in the various state laws. For example, it is likely that IT systems deployed by financial institutions only retain information such as passwords or answers to security questions in hashed form, reducing the potential for such information to be compromised. Similarly, it is likely that such systems limit access to information such as Social Security numbers to a limited set of employees.

It may be costly for covered institutions to upgrade these systems to expand the scope of enhanced information safeguards. In some cases, it may be impractical to expand the scope of such systems. For example, while it may be feasible for covered institutions to strictly limit access to Social Security numbers, passwords, or answers to secret questions, it may not be feasible to apply such limits to account numbers, transaction histories, account balances, related accounts, or other potentially sensitive customer information. In these cases, the proposed minimum standard may not have a significant prophylactic effect, and may lead to an increase in reputation and litigation costs for covered institutions resulting from more frequent breach notifications as well as increased administrative costs related to sending out additional notice. In addition, because the proposed notice trigger is based on a determination that there is a reasonably likely risk of substantial harm or inconvenience, it could increase costs related to incident evaluation, legal consultation, and litigation risk. This subjectivity could reduce consistency in the propensity of covered institutions to provide notice to customers, reducing the utility of such notices in customer's inferences about covered institutions' safeguarding efforts.

v. Notification Trigger

Under the proposal, the access or use without authorization of an individual's sensitive customer information (or the reasonable likelihood thereof) triggers the customer notice requirement unless the covered institution is able to determine that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Moreover, if the covered institution is unable to determine which customers are affected by a data breach, a notice to all potentially affected customers would be required. The resulting presumptions for notification are important because although it is usually possible to determine what information could have been compromised in a data breach, it is often not possible to determine what information was compromised or to estimate the potential for such information to be used in a way that is likely to cause harm. Because of this, it may not be feasible to establish the likelihood of sensitive customer information being accessed or used in a way that creates a risk of substantial harm or inconvenience. Consequently, in the absence of the presumption for notification, it may be possible for covered institutions to avoid notifying customers in cases where it is unclear whether customer information was accessed or used in this way. Currently, 21 states' notification laws do not include a presumption for notification.

We do not have data with which to estimate reliably the effect of this presumption on the propensity of covered institutions to issue customer notifications. However, we expect that for the estimated 15 million customers residing in states without the presumption of notification, some notifications that would be required under the proposed amendments are not currently occurring. Thus, we anticipate that the proposed amendments will improve these customers ability to take actions to mitigate the effects of data breaches.

The increased sensitivity of the notification trigger resulting from the presumption for notification would result in additional costs for covered institutions, who would bear higher reputational costs as well as some additional direct compliance costs ( e.g., mailing notices, responding to customer questions, etc.) due to more breaches requiring customer notification. We are unable to quantify these additional costs.

2. Extend Scope of Customer Safeguards To Transfer Agents

The proposed amendments would bring transfer agents within the scope of the safeguards rule. In addition to the costs and benefits arising from the proposed response program discussed separately in section III.D.1 this would create an additional obligation on transfer agents to develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information more generally.

As discussed in sections II.C.3 and III.C.3.d, in the U.S., transfer agents provide the infrastructure for tracking ownership of securities. Maintaining such ownership records necessarily entails holding or accessing non-public information about a large swath of the U.S. investing public. Given the highly-concentrated nature of the transfer agent market, a general failure of customer information safeguards at a transfer agent could negatively impact large numbers of customers. In general, transfer agents with written policies and procedures to safeguard this information would be at reduced risk of experiencing such safeguard failures. Further, because the core of the transfer agent business is maintaining customer records, and transfer agents are likely to handle large numbers of customers, transfer agents are likely to have written policies and procedures in place to address safeguarding of customer information. In addition, transfer agents are currently subject to the notification requirements in state law, which would require customer notification in many of the same cases as under the proposed amendments. Thus, we do not expect substantial costs or benefits to arise from extending the scope of the safeguards rule to transfer agents in the aggregate. We anticipate that most transfer agents have policies and procedures in place already, and that the compliance costs of the proposal would thus be limited to the review of those existing policies and procedures for consistency with the safeguards rule. We discuss these costs in section IV.

3. Recordkeeping

Under the new recordkeeping requirements, covered institutions would be required to make and maintain written records documenting compliance with the requirements of the safeguards rule and of the disposal rule. A covered institution would be required to make and maintain written records documenting its compliance with, among other things: its written policies and procedures required under the proposed rules, including those relating to its service providers and its consumer information and customer information disposal practices; its assessments of the nature and scope of any incidents involving unauthorized access to or use of customer information; any notifications of such incidents received from service providers; steps taken to contain and control such incidents; and, where applicable, any investigations into the facts and circumstances of an incident involving sensitive customer information, and the basis for determining that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

These proposed recordkeeping requirements would help facilitate the Commission's inspection and enforcement capabilities. As a result, the Commission would be better able to detect deficiencies in a covered institution's response program so that such deficiencies could be remedied. Insofar as correcting deficiencies results in material improvement in the response capabilities of covered institutions and mitigates potential harm resulting from the lack of an adequate response program, the proposed amendments would benefit customers through channels described in section III.D.1.

We do not expect the proposed recordkeeping requirements to impose substantial compliance costs. As covered institutions are currently subject to similar recordkeeping requirements applicable to other required policies and procedures, we do not anticipate covered institutions will need to invest in new recordkeeping staff, systems, or procedures to satisfy the new recordkeeping requirements. ⁴⁹¹ The incremental administrative costs arising from maintaining additional records related to these provisions using existing systems are covered in the Paperwork Reduction Act analysis in section IV and estimated to be $381/year.

4. Exception From Annual Notice Delivery Requirement

The proposed amendments would incorporate into the regulation an existing statutory exception to the requirement that a broker-dealer, investment company, or registered investment adviser deliver an annual privacy notice to its customers. An institution may only rely on the exception if it has not changed its policies and practices with regard to disclosing nonpublic personal information from those it most recently provided to the customer via privacy notice. Reliance on the exception is further limited to cases where the institution provides information to a third party to perform services for, or functions on behalf of, the institution in accordance with one of a number of existing exemptions that contain notice provisions.

The effect of the exception would be to eliminate the requirement to send the same privacy policy notice to customers on multiple occasions. As such notices would provide no new information, we do not believe that receiving multiple copies of such notices provides any significant benefit to customers. Moreover, we expect that widespread reliance on the proposed exception is more likely to benefit customers, by providing clearer signals of when privacy policies have changed. At the same time, reliance on the exception would reduce costs for covered entities. However, we expect these cost savings to be limited to the administrative burdens discussed in section IV.

Because the exception became effective when the statute was enacted, we believe that the aforementioned benefits have already been realized. Consequently, we do not believe that its inclusion would have any economic effects relative to the current status quo.

E. Effects on Efficiency, Competition, and Capital Formation

As discussed in the foregoing sections, market imperfections could lead to underinvestment in customer information safeguards, and to information asymmetry about cybersecurity incidents. Various elements of the proposed amendments aim to mitigate the inefficiency resulting from these imperfections by imposing mandates for policies and procedures. Specifically, the proposal would require covered entities to include a response program for incidents involving unauthorized access to or use of customer information, which would address assessment and containment of such incidents, and could thereby reduce potential underinvestment in these areas, and thereby improve customer information safeguards. In addition, by requiring notification to customers about certain safeguard failures, the proposal could reduce the aforementioned information asymmetry.

While the proposed amendments have the potential to mitigate these inefficiencies, the scale of the overall effect is likely to be limited due to the presence of state notification laws, and existing security practices, as well as existing regulations. Moreover, insofar as the proposed amendments alter covered institutions' practices, the improvement—in terms of the effectiveness of covered institutions' response to incidents, customers' ability to respond to breaches of their sensitive customer information, and in reduced information asymmetry about covered institutions' efforts to safeguard this information—is generally impracticable to quantify due to data limitations discussed previously. The proposed provisions would not have first order effects on channels typically associated with capital formation ( e.g., taxation policy, financial innovation, capital controls, investor disclosure, market integrity, intellectual property, rule-of-law, and diversification). Thus, the proposed amendments are unlikely to lead to significant effects on capital formation.

Because the proposed amendments are likely to impose proportionately larger costs on smaller and more geographically-limited covered institutions, this may affect their competitiveness vis-à-vis their larger peers. Such covered institutions—which may be less likely to have written policies and procedures for incident response programs already in place—would face disproportionately higher costs resulting from the proposed amendments. Thus, the proposed amendments could tilt the competitive playing field in favor of larger covered institutions. On the other hand, if clients and investors believe that the proposed amendments effectively induce the appropriate level of effort, smaller covered institutions would likely reap disproportionately large benefits from these improved perceptions.

With respect to competition among covered institutions' service providers, the overall effect of the proposed amendments is similarly ambiguous. The standardized terms of service used by some service providers may already contain appropriate measures designed to protect against unauthorized access to or use of customer information. If they do not, however, it is likely that some service providers would decline to negotiate contractual terms with respect to customer information safeguards, effectively causing these service providers to cease offering services to affected covered institutions. This would reduce competition. On the other hand, service providers with fewer customer information safeguards ( i.e., those unwilling to provide said assurances) would be unable to undercut service providers with greater information safeguards. This would improve the competitive position of this latter group.

Finally, we anticipate that neither the proposed recordkeeping provisions, nor the proposed exception from annual privacy notice delivery requirements will have a notable impact on efficiency, competition, or capital formation due to their limited economic effects. As discussed elsewhere in this proposal, we do not expect the proposed recordkeeping requirements to impose material compliance costs, and we expect the economic effects of the proposed exception to be limited.

F. Reasonable Alternatives Considered

In formulating our proposal, we have considered various reasonable alternatives. These alternatives are discussed below.

1. Reasonable Assurances From Service Providers

Rather than requiring policies and procedures that require covered institutions to enter into a written contract with each service provider requiring that it take appropriate measures designed to protect against unauthorized access to or use of customer information, the Commission considered requiring covered institutions to obtain “reasonable assurances” from service providers instead. This would be a lower threshold than the proposed provision requiring a written contract, and as such would be less costly to reach but also less protective.

Under this alternative we would use the proposal's definition of “service provider,” which is “any person or entity that is a third party and receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” Thus, similar to the proposal, this alternative could affect a broad range of service providers including, potentially: email providers, customer relationship management systems, cloud applications, and other technology vendors. Depending on the states where they operate, these service providers may already be subject to state laws applicable to businesses that “maintain” computerized data containing private information. Additionally, it is likely that any service provider that offers a service involving the maintenance of customer information to U.S. financial firms generally, or to any specific financial firm with a national presence, has processes in place to ensure compliance with these state laws; we request public comment on this assumption.

For service providers that provide specialized services aimed at covered institutions, this alternative would, like the proposal, create market pressure to enhance service offerings so as to provide the requisite assurances and facilitate covered institutions' compliance with the proposed requirements. These service providers would have little choice other than to adapt their services to provide the required assurances, which would result in additional costs for the service providers related to adapting business processes to accommodate the requirements. In general, we expect these costs would be limited in scale in the same ways the costs of the proposal are limited in scale: specialized service providers are adapted to operating in a highly-regulated industry, and are likely to have policies and procedures in place to facilitate compliance with state data breach laws. And, as with the proposal, we generally anticipate that such costs would largely be passed on to covered institutions and ultimately their customers. As compared to the proposal's requirement for written contracts, we expect that “reasonable assurances” would require fewer changes to business processes and, accordingly, lower costs. Assuming the covered institution did not use written contracts to document the “reasonable assurances,” however, this alternative would also be less protective than the proposed requirement for contractual language. As compared to “reasonable assurances,” a written contract is clearer, more easily enforced as between the covered institution and the service provider, and more likely to ensure customer notification in the event of a data breach.

With respect to more generic service providers ( e.g., email, or customer-relationship management), the situation could be quite different. For these providers, covered institutions are likely to represent a small fraction of their customer base. As under the proposed service provider provisions, generic service providers may again be unwilling to adapt their business processes to the regulatory requirements of a small subset of their customers under this alternative. Some generic service providers may be unwilling to make the assurances needed, although we anticipate that they would be generally more willing to make assurances than to provide contractual guarantees. If the covered institution could not obtain the reasonable assurances required under this alternative, the covered institution would need to switch service providers and bear the associated switching costs, while the service providers would suffer loss of customers. Although the costs of obtaining reasonable assurances would likely be lower than under the proposed service provider provisions, and the need to switch providers less frequent, these costs could nonetheless be particularly acute for smaller covered institutions who lack bargaining power with generic service providers. And, as outlined above, this alternative would be less protective than contractual language.

2. Lower Threshold for Customer Notice

The Commission considered lowering the threshold for customer notice, such as one based on the “possible misuse” of sensitive customer information (rather than the proposed threshold requiring notice when sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization), or even requiring notification of any breach without exception. A lower threshold would increase the number of notices customers receive. Although more frequent notices could potentially reveal incidents that warrant customers' attention and thereby potentially increase the benefits accruing to customers from the notice requirement discussed in section III.D.1.c, they would also increase the number of false alarms. As discussed in section III.D.1.c.iv, such false alarms could be problematic if they reduce customers' ability to discern which notices require action.

Although a lower threshold could impose some additional compliance costs on covered institutions (due to additional notices being sent), we would not anticipate the additional direct compliance costs to be significant. Of more economic significance to covered institutions would be the resulting reputational effects. However, the direction of these effects is ambiguous. On the one hand, increased notices resulting from a lower threshold can be expected to lead to additional reputation costs for firms required to issue more of such notices. On the other hand, lower thresholds could inundate customers with notices, such that notices are no longer notable, likely leading the negative reputation effects associated with such notices to be reduced.

3. Encryption Safe Harbor

The Commission considered including a safe harbor to the notification requirement for breaches in which only cipher text was compromised. Assuming that such an alternative safe harbor would be sufficiently circumscribed to prevent its application to insecure encryption algorithms, or to secure algorithms used in a manner as to render them insecure, we believe that the economic effects of its inclusion would be largely indistinguishable from the proposal. This is because, as proposed, notification is triggered by the “reasonable likelihood” that sensitive customer information was accessed or used without authorization. Given the computational complexity involved in cracking the cipher texts of modern encryption algorithms generally viewed as secure, the compromise of cipher text produced by such algorithms in accordance with secure procedures would generally not give rise to “a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” It would thus not constitute “sensitive customer information,” meaning that the threshold for providing notice would not be met and thereby rendering an explicit encryption safe harbor superfluous in such cases. In certain other cases, however, an express safe harbor may not be as protective as the proposal's minimum nationwide standard for determining whether the compromise of customer information could create “a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” It may also become outdated as technologies and security practices evolve. Thus, while an explicit (and appropriately circumscribed) safe harbor could provide some procedural efficiencies from streamlined application, it could also be misapplied.

4. Longer Customer Notification Deadlines

The Commission considered incorporating longer customer notification deadlines, such as 60 or 90 days, as well as providing no fixed customer notification deadline. Although longer notification deadlines would provide more time for covered institutions to rebut the presumption in favor of notification discussed in section II.A.4.a, we expect that longer investigations would, in general, correlate with more serious or complicated incidents and would therefore be unlikely to end in a determination that sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. We therefore do not believe that longer notification deadlines would ultimately lead to significantly fewer required notifications. Compliance costs conditional on notices being required ( i.e., the actual furnishing of notices to customers) would be largely unchanged under alternative notice deadlines. That said, costs related to incident assessment would likely be somewhat lower due to the reduced urgency of determining the scope of an incident and a reduced likelihood that notifications would need to be made before an incident has been contained. Arguably, longer notification deadlines may increase reputation costs borne by covered institutions that choose to take advantage of the longer deadlines. Overall, however, we do not expect that longer notification deadlines would lead to costs for covered institutions that differ significantly from the costs of the proposed 30-day deadline.

Providing for longer notifications deadlines would likely reduce the promptness with which some covered institutions issue notifications to customers, potentially reducing their customers' ability to take effective mitigating actions. In particular, as discussed in section III.D.1.c.iii, some breaches are discovered very quickly. For customers whose sensitive customer information is compromised in such breaches, a longer notification deadline could significantly reduce the timeliness—and value—of the notice. On the other hand, where a public announcement could hinder containment efforts, a longer notification timeframe could yield benefits to the broader public (and/or to the affected investors).

5. Broader Law Enforcement Exception From Notification Requirements

The Commission considered providing for a broader exception to the 30-day notification deadline, for example by extending its applicability to cases where any appropriate law enforcement agency requests the delay, and not limiting the length of the delay. This alternative law enforcement exception would more closely align with the law enforcement exceptions adopted by the Banking Agencies and many states.

The principal function of a law enforcement exception would be to allow a law enforcement or national security agency to keep cybercriminals unaware of their detection. Observing a cyberattack that is in progress can allow investigators to take actions that can assist in revealing the attacker's location, identity, or methods. Notifying affected customers has the potential to alert attackers that their intrusion has been detected, hindering these efforts. Thus, a broader law enforcement exception could generally be expected to enhance law enforcement's efficacy in cybercrime investigations, which would potentially benefit affected customers through damage mitigation and benefit the general public through improved deterrence and increased recoveries, and by enhancing law enforcement's knowledge of attackers' methods.

That said, use of the exception would necessarily delay notice to customers affected by a cyber-attack, reducing the value to customers of such notices. Incidents where law enforcement would like to delay customer notifications are likely to involve numerous customers, who—without timely notice—may be unable to take timely mitigating actions that could prevent additional harm. Law enforcement investigations can also take time to resolve and, even when successful, their benefits to affected customers ( e.g., recovery of criminals' ill-gotten gains) may be limited.

Information about cybercrime investigations is often confidential. The Commission does not have data on the prevalence of covert cybercrime investigations, their success or lack of success, their deterrent effect if any, or the impact of customer notification on investigations. Thus, we are unable to quantify the costs and benefits of this alternative. We invite public comment on these topics.

G. Request for Comment on Economic Analysis

To assist the Commission in better assessing the economic effects of the proposal, we request comment on the following questions:

107. What additional qualitative or quantitative information should be considered as part of the baseline for the economic analysis of the proposals?

108. Are the effects on competition, efficiency, and capital formation arising from the proposed amendments accurately characterized? If not, why not?

109. Are the economic effects of the alternatives accurately characterized? If not, why not?

110. Are the costs and benefits of the proposals accurately characterized? If not, why not? What, if any, other costs or benefits should be taken into account? Please provide data that could help us quantify any of the aforementioned costs and benefits that we have been unable to quantify.

111. Do institutions that would be covered by this proposal already comply with one or more state data breach notification requirements? If so, how similar or different are the compliance obligations under the state data breach notification laws and our proposal?

112. Do existing contracts between covered institutions and service providers address notification in the event of a data breach? If so, in what circumstances does the service provider notify either the covered institution or the customer whose data was compromised?

113. Do you believe the Commission has accurately characterized the cost of service providers adapting business practices to accommodate the proposed requirements? Please state why or why not, in as much detail as possible.

114. Do policies and procedures implemented to comply with Regulation S–ID incorporate red flags related to potential compromise of customer information?

115. Have potentially covered institutions developed and implemented written policies and procedures for response to data breach incidents?

a. If so, please indicate whether these policies and procedures are written to comply with state data breach notification laws, international law, contracts, and/or other law or guidance.

b. If so, please indicate which elements ( e.g., detection, assessment, containment, lessons learned, notification) such policies contain.

c. Please indicate what kind of institution ( e.g., broker, transfer agent, etc.) your experience reflects.

116. Have service providers to potentially covered institutions developed and implemented written policies and procedures for response to data breach incidents?

a. If so, please indicate whether these policies and procedures are written to comply with state data breach notification laws, international law, contracts, and/or other law or guidance.

b. If so, please indicate which elements ( e.g., detection, assessment, containment, lessons learned, notification) such policies contain.

c. Please indicate what kind of service provider your experience reflects.

117. Do you believe that written policies and procedures to safeguard information lead to reduced risk of safeguard failures? Please share your experience or the basis for your belief.

118. Do you believe that safeguarding the customer information of customers of other financial institutions, or notifying these individuals in the event their sensitive customer information is compromised would entail additional costs?

a. If so, please indicate the nature and scale of the costs.

b. If so, please characterize the population of individuals whose sensitive customer information would entail these significant additional costs.

119. Do you believe a broader law enforcement exception would provide benefits?

a. If so, please indicate the nature and scale of these benefits.

b. If so, to the extent possible, please provide data or case studies that could help establish the scale of these benefits.

120. Do you believe that use of a broader law enforcement exception would entail significant costs to individuals whose sensitive customer information is compromised?

a. If so, please indicate the nature and scale of these costs.

b. If so, to the extent possible, please provide data or case studies that could help establish the scale of these costs.

IV. Paperwork Reduction Act

A. Introduction

Certain provisions of the proposed amendments contain “collection of information” requirements within the meaning of the Paperwork Reduction Act of 1995 (“PRA”). We are submitting the proposed collection of information to the Office of Management and Budget (“OMB”) for review in accordance with the PRA. The safeguards rule and the disposal rule we propose to amend would have an effect on the currently approved existing collection of information under OMB Control No. 3235–0610, the title of which is, “Rule 248.30, Procedures to safeguard customer records and information; disposal of consumer report information.”

An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. The proposed requirement to adopt policies and procedures constitutes a collection of information requirement under the PRA. The collection of information associated with the proposed amendments would be mandatory, and responses provided to the Commission in the context of its examination and oversight program concerning the proposed amendments would be kept confidential subject to the provisions of applicable law. A description of the proposed amendments, including the need for the information and its use, as well as a description of the types of respondents, can be found in section II above, and a discussion of the expected economic effects of the proposed amendments can be found in section III above.

B. Amendments to the Safeguards Rule and Disposal Rule

As discussed above, the proposed amendments to the safeguards rule would require covered institutions to develop, implement, and maintain written policies and procedures that include incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. The response program must include procedures to assess the nature and scope of any incident involving unauthorized access to or use of customer information; take appropriate steps to contain and control the incident; and provide notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization (unless the covered institution makes certain determinations as specified in the proposed rule).

The proposed amendments to the disposal rule would require covered institutions that maintain or otherwise possess customer information or consumer information for a business purpose to adopt and implement written policies and procedures that address proper disposal of such information, which would include taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

Finally, the proposed amendments would require covered institutions to make and maintain written records documenting compliance with the requirements of the safeguards rule and the disposal rule. Under the proposed rules, the time periods for preserving records would vary by covered institution to be consistent with existing recordkeeping rules.

Based on FOCUS Filing and Form BD–N data, as of December 2021, there were 3,401 brokers or dealers other than notice-registered brokers or dealers. Based on Investment Adviser Registration Depository data, as of June 2022, there were 15,129 investment advisers registered with the Commission. As of December 2021, there were 13,965 investment companies. Based on Form TA–1, as of December, 2021, there were 335 transfer agents registered with the Commission and 67 transfer agents registered with the Banking Agencies.

Table 2 below summarizes our PRA initial and ongoing annual burden estimates associated with the proposed amendments to the safeguards rule and the disposal rule.

C. Request for Comment

We request comment on whether these estimates are reasonable. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comments in order to: (1) evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) evaluate the accuracy of the Commission's estimate of the burden of the proposed collection of information; (3) determine whether there are ways to enhance the quality, utility, and clarity of the information to be collected; and (4) determine whether there are ways to minimize the burden of the collection of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology.

Persons wishing to submit comments on the collection of information requirements of the proposed amendments should direct them to the OMB Desk Officer for the Securities and Exchange Commission, MBX.OMB.OIRA.SEC_desk_officer@omb.eop.gov, and should send a copy to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090, with reference to File No. S7–05–23. OMB is required to make a decision concerning the collections of information between 30 and 60 days after publication of this release; therefore, a comment to OMB is best assured of having its full effect if OMB receives it within 30 days after publication of this release. Requests for materials submitted to OMB by the Commission with regard to these collections of information should be in writing, refer to File No. S7–05–23, and be submitted to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549–2736.

V. Initial Regulatory Flexibility Act Analysis

The Regulatory Flexibility Act (“RFA”) requires an agency, when issuing a rulemaking proposal, to prepare and make available for public comment an Initial Regulatory Flexibility Analysis (“IRFA”) that describes the impact of the proposed rule on small entities, unless the Commission certifies that the rule, if adopted, would not have a significant economic impact on a substantial number of small entities. This IRFA has been prepared in accordance with the RFA. It relates to the proposed new rules and amendments described in sections II through IV above.

A. Reason for and Objectives of the Proposed Action

The objectives of the proposed amendments are to: (i) establish a Federal minimum standard for providing notification to all customers of a covered institution affected by a data breach (regardless of state residency) and providing consistent disclosure of important information to help affected customers respond to a data breach; (ii) require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information; (iii) enhance the protection of customers' nonpublic personal information by aligning the information protected under the safeguards rule and the disposal rule by applying the protections of both rules to “customer information,” while also broadening the group of customers whose information is protected under both rules; and (iv) bring all transfer agents within the scope of the safeguards rule and the disposal rule. The proposed amendments also would update applicable recordkeeping requirements and conform Regulation S–P's annual privacy notice delivery provisions to the terms of a statutory exception. The proposed amendments are intended to:

A. Prevent and mitigate the unauthorized access to or use of customer information;

B. Improve covered institutions' preparedness to respond to data breaches involving customer information, and the effectiveness of their response programs to such data breaches when they do occur;

C. Ensure that firms consistently monitor their systems to identify, contain, and control data breach incidents involving customer information quickly;

D. Help affected individuals through the adoption of a minimum standard for notification in response to unauthorized access or use of sensitive customer information that leverages some of the more protective state law practices already in existence;

E. Expand the coverage of the safeguards rule to provide for greater protection of customer information that is maintained by transfer agents;

F. Extend the protections of Regulation S–P to cover customer information that covered institutions receive from another financial institution in the process of conducting business;

G. Create more consistent standards across the safeguards rule and the disposal rule for the handling of the same types of nonpublic personal information; and

H. Require that a covered institution's response program include policies and procedures that require a covered institution, by contract, to require that its service providers take appropriate measures that are designed to protect against unauthorized access to or use of customer information.

B. Legal Basis

We are proposing the new rules and rule amendments described above under the authority set forth in sections 17, 17A, 23, and 36 of the Exchange Act [15 U.S.C. 78q, 78q–1, 78w, and 78mm], sections 31 and 38 of the Investment Company Act [15 U.S.C. 80a–30 and 80a–37], sections 204, 204A and 211 of the Investment Advisers Act [15 U.S.C. 80b–4, 80b–4a and 80b–11], section 628(a) of the FCRA [15 U.S.C. 1681w(a)], and sections 501, 504, 505, and 525 of the GLBA [15 U.S.C. 6801, 6804, 6805 and 6825].

C. Small Entities Subject to Proposed Rule Amendments

The proposed amendments to Regulation S–P would affect brokers, dealers, registered investment advisers, investment companies, and transfer agents, including entities that are considered to be a small business or small organization (collectively, “small entity”) for purposes of the RFA. For purposes of the RFA, under the Exchange Act a broker or dealer is a small entity if it: (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year; and (ii) is not affiliated with any person that is not a small entity. A transfer agent is a small entity if it: (i) received less than 500 items for transfer and less than 500 items for processing during the preceding six months; (ii) transferred items only of issuers that are small entities; (iii) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts or was the named transfer agent for less than 1,000 shareholder accounts at all times during the preceding fiscal year; and (iv) is not affiliated with any person that is not a small entity. Under the Investment Company Act, investment companies are considered small entities if they, together with other funds in the same group of related funds, have net assets of $50 million or less as of the end of its most recent fiscal year. Under the Investment Advisers Act, a small entity is an investment adviser that: (i) manages less than $25 million in assets; (ii) has total assets of less than $5 million on the last day of its most recent fiscal year; and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that manages $25 million or more in assets, or any person that has had total assets of $5 million or more on the last day of the most recent fiscal year.

Based on Commission filings, we estimate that approximately 764 broker-dealers, 158 transfer agents, 85 investment companies, and 522 registered investment advisers may be considered small entities.

D. Projected Reporting, Recordkeeping, and Other Compliance Requirements

The proposed amendments to Regulation S–P would require covered institutions to develop incident response programs for unauthorized access to or use of customer information, as well as imposing a customer notification obligation in instances where sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The proposed amendments also would include new mandatory recordkeeping requirements and language conforming Regulation S–P's annual privacy notice delivery provisions to the terms of a statutory exception.

Under the proposed amendments, covered institutions would have to develop, implement, and maintain, within their written policies and procedures designed to comply with Regulation S–P, a program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. Such policies and procedures would also need to require that covered institutions, pursuant to a written contract between the covered institution and its service providers, require the service providers to take appropriate measures designed to protect against unauthorized access to or use of customer information, including by notifying the covered institution as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security that results in unauthorized access to a customer information system maintained by the service provider, in order to enable the covered institution to implement its response program. If an incident were to occur, unless a covered institution has determined, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience, the covered institution must provide a clear and conspicuous notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. As part of its incident response program, a covered institution may also enter into a written agreement with its service provider to have the service provider notify affected individuals on its behalf.

In addition, covered institutions would be required to make and maintain specified written records designed to evidence compliance with these requirements. Such records would be required to be maintained starting from when the record was made, or from when the covered institution terminated the use of the written policy or procedure, for the time periods stated in the amended recordkeeping regulations for each type of covered institution.

Some covered institutions, including covered institutions that are small entities, would incur increased costs involved in reviewing and revising their current safeguarding policies and procedures to comply with these obligations, including their cybersecurity policies and procedures. Initially, this would require covered institutions to develop as part of their written policies and procedures under the safeguards rule, a program reasonably designed to detect, respond to, and recover from any unauthorized access to or use of customer information, including customer notification procedures, in a manner that provides clarity for firm personnel. Further, in developing these policies and procedures, covered institutions would need to include policies and procedures requiring the covered institution, pursuant to a written contract, to require its service providers to take appropriate measures that are designed to protect against unauthorized access to or use of customer information, including notifying the covered institution as soon as possible, but no later than 48 hours after becoming aware of a breach, in the event of any breach in security resulting in unauthorized access to a customer information system maintained by the service provider, in order to enable the covered institution to implement its response program. However, as the Commission recognizes the number and varying characteristics ( e.g., size, business, and sophistication) of covered institutions, these proposed amendments would help covered institutions to tailor these policies and procedures and related incident response program based on the individual facts and circumstances of the firm, and provide flexibility in addressing the general elements of the response program requirements based on the size and complexity of the covered institution and the nature and scope of its activities.

In addition, the Commission acknowledges that the proposed rule would impose greater costs on those transfer agents that are registered with another appropriate regulatory agency, if they are not currently subject to Regulation S–P, as well as those transfer agents registered with the Commission who are not currently subject to the safeguards rule. As discussed above, such costs would include the development and implementation of necessary policies and procedures, the ongoing costs of required recordkeeping and maintenance requirements, and, where necessary, the costs to comply with the customer notification requirements of the proposed rule. Such costs would also include the same minimal costs for employee training or establishing clear procedures for consumer report information disposal that are imposed on all covered institutions. To the extent that such costs are being applied to a transfer agent for the first time as a result of new obligations being imposed, the proposed rule would incur higher present costs on those transfer agents than those covered institutions that are already subject to the safeguards rule and the disposal rule.

To comply with these amendments on an ongoing basis, covered institutions would need to respond appropriately to incidents that entail the unauthorized access to or use of customer information. This would entail carrying out the established response program procedures to (i) assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization; (ii) take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and (iii) notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

Where the covered institution determines notice is required, the covered institution would need to provide a clear and conspicuous notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. This notice would need to be transmitted by a means designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing. Further, the covered institution would need to satisfy the specified content requirements of that notice, the preparation of which would incur some incremental additional costs on covered institutions.

Finally, covered institutions would also face costs in complying with the new recordkeeping requirements imposed by these amendments that are incrementally more than those costs covered institutions already incur from their existing regulatory recordkeeping obligations, in light of their already existing record retention systems. However, the Commission has proposed such record maintenance provisions to align with those most frequently employed as to each covered institution subject to this rulemaking, partially in an effort to minimize these costs to firms.

Overall, incremental costs would be associated with the proposed amendments to Regulation S–P. Some proportion of large or small institutions would be likely to experience some increase in costs to comply with the proposed amendments if they are adopted.

More specifically, we estimate that many covered institutions would incur one-time costs related to reviewing and revising their current safeguarding policies and procedures to comply with these obligations, including their cybersecurity policies and procedures. Additionally, some covered institutions, including transfer agents, may incur costs associated with establishing such policies and procedures as these amendments require if those covered institutions do not already have such policies and procedures. We also estimate that the ongoing, long-term costs associated with the proposed amendments could include costs of responding appropriately to incidents that entail the unauthorized access to or use of customer information.

We encourage written comments regarding this analysis. We solicit comments as to whether the proposed amendments could have an effect that we have not considered. We also request that commenters describe the nature of any impact on small entities and provide empirical data to support the extent of the impact. In addition, we solicit comments regarding our proposal to amend Regulation S–P's annual privacy notice delivery provisions to conform to the terms of a statutory exception.

E. Duplicative, Overlapping, or Conflicting Federal Rules

As discussed above, the proposed amendments would impose requirements that covered institutions develop response programs for unauthorized access to or use of customer information in the form of written policies and procedures designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. Covered institutions are subject to requirements elsewhere under the Federal securities laws and rules of the self-regulatory organizations that require them to adopt written policies and procedures that may relate to some similar issues. The proposed amendments to Regulation S–P, however, would not require covered institutions to maintain duplicate copies of records covered by the rule, and an institution's incident response program for unauthorized access to or use of customer information would not have to be maintained in a single location. We preliminarily believe, therefore, that any duplication of regulatory requirements would be limited and would not impose significant additional costs on covered institutions including small entities. With the exception of the Banking Agencies' Incident Response Guidance and their requirements for safeguarding customer information and disposing of consumer financial report information as they apply to transfer agents that are registered with another appropriate regulatory agency, we believe there are no other Federal rules that duplicate, overlap, or conflict with the proposed reporting requirements.

In the case of transfer agents that are registered with another appropriate regulatory agency, the proposed rule might be considered duplicative of or overlapping with the Banking Agencies' Incident Response Guidance. Specifically, the proposed rule might be considered to overlap or conflict with the Banking Agencies' Incident Response Guidance regarding the safeguarding of customer information, disposal of consumer financial report information, and as to procedures for customer notification in connection with an incident response program.

In general, however, the similarities between the proposed reporting requirements and existing reporting requirements under rules of the Banking Agencies and the FTC are the result of our statutory mandate to set standards for safeguarding customer records and information that are consistent and comparable with the corresponding standards set by the other agencies.

F. Significant Alternatives

The Regulatory Flexibility Act directs us to consider significant alternatives that would accomplish the stated objectives, while minimizing any significant adverse impact on small entities. In connection with the proposed amendments, we considered the following alternatives:

1. establishing different compliance or reporting standards that take into account the resources available to small entities;

2. the clarification, consolidation, or simplification of the reporting and compliance requirements under the rule for small entities;

3. use of performance rather than design standards; and

4. exempting small entities from coverage of the rule, or any part of the rule.

With regard to the first alternative, we have proposed amendments to Regulation S–P that would continue to permit institutions substantial flexibility to design safeguarding policies and procedures appropriate for their size and complexity, the nature and scope of their activities, and the sensitivity of the personal information at issue. We nevertheless believe it necessary to propose to require that covered institutions, regardless of their size, adopt a response program for incidents of unauthorized access to or use of customer information, which would include customer notification procedures. The proposed amendments to Regulation S–P arise from our concern with the increasing number of information security breaches that have come to light in recent years, particularly those involving institutions regulated by the Commission. Establishing different compliance or reporting requirements for small entities could lead to less favorable protections for these entities' customers and compromise the effectiveness of the proposed amendments.

With regard to the second alternative, the proposed amendments should, by their operation, simplify reporting and compliance requirements for small entities. Small covered institutions are likely to maintain personal information on fewer individuals than large covered institutions, and they are likely to have relatively simple personal information systems. The proposed amendments would not prescribe specific steps a covered institution must take in response to a data breach, but instead would give the institution flexibility to tailor its policies and procedures to its individual facts and circumstances. The proposed amendments therefore are intended to give covered institutions the flexibility to address the general elements in the response program based on the size and complexity of the institution and the nature and scope of its activities. Accordingly, the requirements of the proposed amendment already would be simplified for small entities. In addition, the requirements of the proposed amendments could not be further simplified, or clarified or consolidated, without compromising the investor protection objectives the proposed amendments are designed to achieve.

With regard to the third alternative, the proposed amendments are design based. Rather than specifying the types of policies and procedures that an institution would be required to include in its response program, the proposed amendments would require a response program that is reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information. With respect to the specific requirements regarding notifications in the event of a data breach, we have proposed that institutions provide only the information that seems most relevant for an affected customer to know in order to assess adequately the potential damage that could result from the breach and to develop an appropriate response.

Finally, with regard to alternative four, we preliminarily believe that an exemption for small entities would not be appropriate. Small entities are as vulnerable as large ones to the types of data security breach incidents we are trying to address. In this regard, the specific elements we have proposed must be considered and incorporated into the policies and procedures of all covered institutions, regardless of their size, to mitigate the potential for fraud or other substantial harm or inconvenience to investors. Exempting small entities from coverage of the proposed amendments or any part of the proposed amendments could compromise the effectiveness of the proposed amendments and harm investors by lowering standards for safeguarding investor information maintained by small covered institutions. Excluding small entities from requirements that would be applicable to larger covered institutions also could create competitive disparities between large and small entities, for example by undermining investor confidence in the security of information maintained by small covered institutions.

We request comment on whether it is feasible or necessary for small entities to have special requirements or timetables for, or exemptions from, compliance with the proposed amendments. In particular, could any of the proposed amendments be altered in order to ease the regulatory burden on small entities, without sacrificing the effectiveness of the proposed amendments?

G. Request for Comment

We encourage the submission of comments with respect to any aspect of this IRFA. In particular, we request comments regarding:

121. The number of small entities that may be affected by the proposed rules and amendments;

122. The existence or nature of the potential impact of the proposed rules and amendments on small entities discussed in the analysis;

123. How the proposed amendments could further lower the burden on small entities; and

124. How to quantify the impact of the proposed rules and amendments.

Commenters are asked to describe the nature of any impact and provide empirical data supporting the extent of the impact. Comments will be considered in the preparation of the Final Regulatory Flexibility Analysis, if the proposed rules and amendments are adopted, and will be placed in the same public file as comments on the proposed rules and amendments themselves.

VI. Consideration of Impact on the Economy

For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996 (“SBREFA”), the Commission must advise OMB whether a proposed regulation constitutes a “major” rule. Under SBREFA, a rule is considered “major” where, if adopted, it results in or is likely to result in:

A. An annual effect on the economy of $100 million or more;

B. A major increase in costs or prices for consumers or individual industries; or

C. Significant adverse effects on competition, investment, or innovation.

We request comment on whether our proposal would be a “major rule” for purposes of SBREFA. We solicit comment and empirical data on:

• The potential effect on the U.S. economy on an annual basis;
• Any potential increase in costs or prices for consumers or individual industries; and
• Any potential effect on competition, investment, or innovation.

Commenters are requested to provide empirical data and other factual support for their views to the extent possible.

Statutory Authority

The Commission is proposing to amend Regulation S–P pursuant to authority set forth in sections 17, 17A, 23, and 36 of the Exchange Act [15 U.S.C. 78q, 78q–1, 78w, and 78mm], sections 31 and 38 of the Investment Company Act [15 U.S.C. 80a–30 and 80a–37], sections 204, 204A and 211 of the Investment Advisers Act [15 U.S.C. 80b–4, 80b–4a and 80b–11], section 628(a) of the FCRA [15 U.S.C. 1681w(a)], and sections 501, 504, 505, and 525 of the GLBA [15 U.S.C. 6801, 6804, 6805 and 6825].

List of Subjects

17 CFR Parts 240, 270, and 275

• Reporting and recordkeeping requirements; Securities

17 CFR Part 248

• Brokers
• Consumer protection
• Dealers
• Investment advisers
• Investment companies
• Privacy
• Reporting and recordkeeping requirements
• Securities
• Transfer agents

Text of Proposed Amendments

For the reasons set out in the preamble, the Securities and Exchange Commission proposes to amend 17 CFR chapter II as follows:

PART 240—GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934

1. The authority citation for part 240 continues to read, in part, as follows:

Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z–2, 77z–3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c–3, 78c–5, 78d, 78e, 78f, 78g, 78i, 78j, 78j–1, 78j–4, 78k, 78k–1, 78 l, 78m, 78n, 78n–1, 78 o, 78 o –4, 78 o –10, 78p, 78q, 78q–1, 78s, 78u–5, 78w, 78x, 78dd, 78 ll, 78mm, 80a–20, 80a–23, 80a–29, 80a–37, 80b–3, 80b–4, 80b–11, and 7201 et seq., and 8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350; Pub. L. 111–203, 939A, 124 Stat. 1376 (2010); and Pub. L. 112–106, sec. 503 and 602, 126 Stat. 326 (2012), unless otherwise noted.

Section 240.17a–14 is also issued under Public Law 111–203, sec. 913, 124 Stat. 1376 (2010);

Section 240.17Ad–7 is also issued under 15 U.S.C. 78b, 78q, and 78q–1.;

2. Amend § 240.17a–4 by adding paragraphs (e)(13) and (e)(14) to read as follows:

3. Amend § 240.17Ad–7 by revising the section heading and adding paragraphs (j) and (k) to read as follows:

PART 248—REGULATIONS S–P, S–AM, AND S–ID

4. The authority citation for part 248 continues to read, in part, as follows:

Authority: 15 U.S.C. 78q, 78q–1, 78 o –4, 78 o –5, 78w, 78mm, 80a–30, 80a–37, 80b–4, 80b–11, 1681m(e), 1681s(b), 1681s–3 and note, 1681w(a)(1), 6801–6809, and 6825; Pub. L. 111–203, secs. 1088(a)(8), (a)(10), and sec. 1088(b), 124 Stat. 1376 (2010).

5. Amend § 248.2 by revising paragraph (c) to read as follows:

6. Amend § 248.5 by revising the first sentence of paragraph (a)(1), and adding paragraph (e).

The revision and addition read as follows:

7. Amend § 248.17 by, in paragraph (b), replacing the words “Federal Trade Commission” with “Consumer Financial Protection Bureau”; and replacing the words “Federal Trade Commission's” with “Consumer Financial Protection Bureau's.”

8. Revise § 248.30 to read as follows:

PART 270—RULES AND REGULATIONS, INVESTMENT COMPANY ACT OF 1940

9. The authority citation for part 270 continues to read, in part, as follows:

Authority: 15 U.S.C. 80a–1 et seq., 80a–34(d), 80a–37, 80a–39, and Pub. L. 111–203, sec. 939A, 124 Stat. 1376 (2010), unless otherwise noted.

10. Amend § 270.31a–1 by adding paragraph (b)(13) to read as follows:

11. Amend § 270.31a–2 by:

a. In paragraph (a)(7), removing the period at the end of paragraph and adding “; and” in its place; and

b. Adding paragraph (a)(8) to read as follows:

PART 275—RULES AND REGULATIONS, INVESTMENT ADVISERS ACT OF 1940

12. The authority citation for part 275 continues to read, in part, as follows:

Authority: 15 U.S.C. 80b–2(a)(11)(G), 80b–2(a)(11)(H), 80b–2(a)(17), 80b–3, 80b–4, 80b–4a, 80b–6(4), 80b–6a, and 80b–11, unless otherwise noted.

Section 275.204–2 is also issued under 15 U.S.C. 80b–6.

13. Amend § 275.204–2 by adding paragraph (a)(20) to read as follows: