June 5, 2024

Align Insights: Industry Leaders Discuss Enhancements to Regulation S-P

by: Align

The alternative investment industry is always innovating to help broker-dealers, transfer agents, investment companies, and Registered Investment Advisors keep up with important regulatory changes. The US Securities and Exchange Commission's (SEC) recently announced enhancements to Regulation S-P are another layer of ongoing regulatory change affecting how financial institutions handle customer data. To navigate the complexities, Align has gathered a group of esteemed industry experts to react to these enhancements to Regulation S-P.

Together we will explore its impact on our industry from various viewpoints: the challenges and opportunities it presents, and even Regulation S-P's potential long-term implications.

We invite you to read Align Insights Article: Industry Leaders Discuss Final Rules – Enhancements to Regulation S-P.

Industry Insights into the New SEC Regulations

Alex Bazay, Chief Information Security Officer, Align Managed Services

The recent approvals for amendments to Regulation S-P (also known as "safeguards rules"), which primarily governs the privacy and safeguarding of customer information by financial institutions, are not just a necessary response by the Securities and Exchange Commission to the ever-evolving cybersecurity landscape but also a timely one. The amendments emphasize more stringent requirements for incident response and data breach notifications, mandating that covered entities not only implement comprehensive written policies and procedures for safeguarding customer records but also promptly inform affected individuals and regulatory authorities in the event of significant breaches.

This shift highlights the authorities’ growing recognition of the critical importance of timely communication and transparency in maintaining trust and mitigating the impact of potential data breaches. By holding companies to higher standards of accountability and preparedness, these amendments aim to enhance the overall resilience of the financial sector against cyber threats.

From the practical point, the adopted amendments will require broker-dealers, investment advisers, and investment companies to:

  • Create a standalone Incident Response Plan that explicitly addresses scenarios related to unauthorized access to the client's information.
  • Demonstrate that such a plan is maintained and tested periodically (e.g., running periodic tabletop exercises).
  • Adopt a breach notification protocol in case of customer data compromise (to be done within 30 days after the company becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have happened).
  • Adopt a Data Lifecycle Policy that will include guidelines for the disposal of customer information.

Furthermore, the new requirements are not just another set of rules to follow but a supportive measure that aligns well with the broader trend of different regulatory bodies to focus on proactive risk management and governance. The emphasis on regular assessments and updates to security measures ensures that financial institutions are continuously adapting to the latest threats and vulnerabilities. This proactive stance is crucial in an environment where cyber threats constantly evolve and become more sophisticated.

These amendments represent a significant step forward in fortifying the cybersecurity posture of financial institutions. They underscore the importance of robust incident response strategies and highlight the necessity for ongoing vigilance and adaptability in the face of emerging cyber risks.

Wendy Beer, Independent Director, Azimuth Governance

Cyber-criminals are seizing upon the US Securities and Exchange Commission (SEC)'s zealous focus on cybersecurity, finding inventive ways to weaponize its rules. Recent SEC rules, which require public companies to disclose "within four business days after they determine that a cybersecurity incident is material and to report ransomware payments within 24 hours", were used by an active ransomware group to double down on their victim. Hoping for a whistleblower reward, the criminals notified the SEC of the company's failure to file the required Form 8-K within the mandated timeframe.

While a similar rule was proposed for private fund advisers, a final rule has not yet been adopted. Perhaps tired of industry pushback against "new rules", the SEC recently issued amendments to Regulation S-P ("Reg S-P"), broadening its scope for covered entities (which includes alternative investment advisers, whether or not registered with the SEC). The amended rules require notification to individuals whose "sensitive" customer information was accessed without authorization, "unless" it is not "reasonably likely" to be used in a manner resulting in "substantial harm or inconvenience". The amended rules also extend to service provider data security breaches involving sensitive client information, expanding a manager's oversight responsibilities.

Beyond written policies and procedures, vulnerability assessments, etc., this expanded scope of Reg S-P pushes governance to the forefront. Managers should proactively be engaging in conversations with independent directors, counsel, and service providers having relevant expertise, as well as top tier insurance carriers offering transcripted cyber-coverage. With such subjective criteria, managers' ability to make timely decisions around required investor and regulatory disclosures becomes paramount. Decisions made prior to completion of forensic examinations will be reviewed by regulators, with the benefit of hindsight.

Gary Berger, Partner and Financial Services Industry Leader, Northeast, CohnReznick

Fund managers understand the need to protect consumers' nonpublic personal information; however, they express concerns about the increased costs and operational burdens associated with the enhancements to Regulation S-P. I can't think of one client who doesn't support a commitment to strong data security and investor privacy. With increasingly frequent and complex attacks targeting financial services firms, and per Regulation S-P, fund managers must develop written policies and procedures to protect investor information and create a comprehensive plan to manage data breaches. We are encouraging our clients to discuss the implementation of Regulation S-P with our Cybersecurity, Technology Risk, and Privacy team or their relevant service providers.

Jacob Cane, Managing Director, Head of Cybersecurity Risk Services, Salus GRC

The new Regulation S-P amendments raise the stakes for RIAs through more stringent disclosure requirements in the event of a cybersecurity breach. Firms will have stronger than ever incentives to implement strong cybersecurity controls to prevent breaches and a clear mandate to implement comprehensive incident response plans. An independent cyber risk assessment remains the best way for most firms to get started in understanding their readiness and to prioritize risk mitigation efforts.

The SEC’s inclusion of service provider due diligence requirements in the amendments is another sign of their continued interest in service provider due diligence and an indication that we should expect strong requirements around service provider management in the finalized versions of the proposed cybersecurity rule and the proposed outsourcing rule. Service provider due diligence expectations are not only here to stay, but they are only going to get more stringent.

On the technical side, we anticipate increased adoption of data discovery, file permissions and access auditing tools. Restricting sensitive data access to necessary employees limits potential exposure, and robust audit logs are critical in preventing over-disclosure in an environment where the SEC squarely puts the burden of proof on the Adviser.

Todd Cipperman, Managing Principal, Cipperman Analytics

The SEC finally adopted enhancements to the rules governing how investment advisers, broker-dealers, and investment companies must protect customer financial information.

The headline news is that RIAs, BDs, and mutual funds must immediately (i.e. within 30 days) notify affected customers if a breach occurs. Notice must be provided in a manner reasonably expected to be received (e.g. email or snail mail if required). The Rule details the content requirements including information about the breach, who to contact, and what to do. This new federal notification requirement supplements already-existing state-by-state notification requirements.

This new federal notification requirement sounds good, but what does it really accomplish? RIAs, BDs and funds have been sending breach notices to customers for years, as required by many state laws. Consumers already have alert fatigue. Most firms already want to avoid data breaches for many reasons including asset protection, data integrity, reputation, and the state notice requirements. Will this new notice requirement wake up some subset of firms who have weak data protection and will now be scared into better behavior because of a federal notification requirement? Maybe.

I don't think this revised Regulation S-P will fundamentally change how diligently firms will act to protect personal financial information. I don't think it will change the behavior of customers receiving the notices. However, it does add work for the compliance officers charged with implementing the new rule. It also gives the SEC another rule to use during exams and enforcement cases.

Ed Fasano, Co-Founder, EAC LLC

The enhancements to Regulation S-P highlight the SEC's emphasis on the critical importance of ensuring that financial institutions are taking the necessary precautions to safeguard customer information and maintain privacy. One of the guiding principles that we leverage at our firm is to work with all clients to ensure that they choose the right partners early on to allow for them to follow the Regulations without disrupting workflow, while protecting customer information and privacy. As a partner, we allow our clients to focus on including their Administrator, outsourced COO/CFO, outsourced IT, outsourced compliance, along with others. Clients should work together with all their selected partners to ensure that all processes and procedures in place work towards the goal of maintaining those rules put forth by Regulation S-P. EAC envisions the regulatory landscape will continue to expand to encompass all vendors in the financial services industry, including all outsourced providers. EAC continues to be on top of all updated rules and regulations to ensure we put forth all current best practices and requirements in front of our clients.

James Mignacca, CEO, Cavelo

For the most part, broker-dealers, investment companies and RIAs are aware that knowing where their data is, who has access to it and that they have the ability to report on it post-breach is a basic and fundamental component of SEC compliance. What's different with these amendments are implications to firms who may not have best practices in place to support those functions. When it comes to preventing and responding to breach events, knowing where data resides and who has access to it is essential, but limiting access on a continuous basis is critical best practice. Doing so allows firms to quickly understand threats and liabilities based on who potentially had access to vulnerable data and where it is (or was) within network systems or software.

Factors that affect data (like software and configuration vulnerabilities) will become a focal point moving forward as those factors greatly impact organizational risk. For firms, having the ability to discover an organization's assets and the data they contain on an ongoing basis will support regulatory readiness, especially as new and potential resource-intensive amendments continue to roll out.

Casey Jennings, Counsel, Seward & Kissel

The Regulation S-P amendments will require broker-dealers, investment advisers, investment companies, and transfer agents to devote considerable time and expense to revising their written policies and procedures to deal with potential data breaches.

This won’t be a one-time effort either. Every vendor relationship will need careful scrutiny and every vendor contract involving the processing of data will require detailed legal review. Moreover, every data incident will require legal and compliance review.

In our experience, the S-P amendments merely codify best practices. S&K has seen a dramatic increase in the number of cyber incidents in financial services over the past 12 months, particularly in the investment management industry. While the implementation costs may seem somewhat onerous, complying with the S-P amendments may reduce the chances of a catastrophic data incident. Moreover, vendors often push back against financial institutions inserting data protection contractual provisions; the new rules will give financial institutions firmer grounding to push for important protections in vendor agreements. Finally, the new rules may eliminate the need for painstaking 50-state reviews of data breach notification laws in the event of a breach, thus potentially reducing the costs associated with responding to a data incident.

Vinod Paul, President, Align Managed Services

As the Securities and Exchange Commission adopts amendments to Regulation S-P, it serves as a reminder that broker-dealers, investment companies, and registered investment advisors must prioritize effectively managing their technology footprint and service providers to ensure robust controls are in place to manage this process. Client stakeholders often emphasize finding a quick-fix or band-aid solution, but the focus now goes beyond merely "checking a box."

As fund managers navigate and adopt these new amendments, they must prioritize more than just written policies, procedures, and vulnerability assessments. The expanded scope of Reg S-P underscores the importance of selecting the right service providers from the outset and establishing robust governance.

Given the current cybersecurity threat landscape alongside new regulatory demands and operational due diligence, we encourage stakeholders to stay prepared and embrace a proactive approach. Effective planning is as crucial, if not more so, than any robust response.

Practically speaking, focus on the following:

  • Choose strong service providers who can demonstrate their capabilities.
  • Implement effective technology and cybersecurity policies from the beginning; do not grow into them.
  • If current service providers are unsatisfactory, promptly switch to one that can meet the requirements.
  • Develop a standalone Incident Response Plan that explicitly addresses scenarios related to unauthorized access to stakeholders' information.
  • Ensure that this plan is maintained and tested periodically, such as through scheduled tabletop exercises.
  • Establish a breach notification protocol to be enacted within 30 days of discovering or suspecting unauthorized access to or use of customer information.
  • Adopt a Data Lifecycle Policy that includes guidelines for identifying PII, managing data access permissions, and disposing of customer information.

Mark Sangster, Chief of Strategy, Adlumin

The SEC's adoption of Regulation S-P, a set of privacy rules governing the management of nonpublic personal information, illuminates more than data governance. These rules highlight the need for integrated data management and incident response.

Incident response planning is not just about reacting to incidents, but about adopting a proactive 'when not if' philosophy. The rules, while not providing detailed incident response procedures, do set the ambitious goal of policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information. These rules also highlight the importance of identifying nonpublic (protected) information, determining if this data is improperly exposed, and swiftly reducing the risk associated with this exposure.

It reminds us that planning is equally (if not more) important than any vigorous response. Covered institutions should plan for incident response and test these capabilities through tabletops and mock scenarios. Moreover, these exercises allow fund managers and technical leaders to communicate under simulated stress, developing inter-team trust and communication and reminding managers that cybersecurity is not an IT problem to solve; rather, it’s a business risk to manage.

Chris Zadrima, Chief Operating Officer, Align

The long-awaited update to Regulation S-P by the Securities and Exchange Commission has been officially adopted. This update includes enhancements to the rules that govern how investment advisers, broker-dealers, and investment companies must safeguard customer financial information.

Every client we have encountered emphasizes the importance of robust data security and investor privacy. Given the rise in sophisticated cyberattacks against financial institutions and the requirements of Regulation S-P, fund managers must formulate detailed protocols to safeguard investor data and devise a holistic strategy for handling data breaches. Foundational technology controls coupled with strong governance have become an essential requirement for this industry. Firms must prioritize how their service providers can implement controls with the new requirements around Regulation S-P with Cybersecurity, Technology Risk, and Privacy team or their appropriate service providers.

About the Contributors:

Alex Bazay - Chief Information Security Officer, Align Managed Services

Alex Bazay brings over 20 years of experience in the information technology industry and expertise in cybersecurity, IT, compliance, business continuity, and disaster recovery to his role as Chief Information Security Officer. Alex brings tremendous technological leadership and security expertise to the company. Before joining Align, Alex was Chief Technology Officer and Chief Information Security Officer at Gruss Capital Management, a boutique global financial company. He was responsible for all day-to-day operations and strategic planning relating to information technology, business continuity, and cybersecurity. Before that, Alex held various consulting positions during which he advised clients in cybersecurity defense, operational strategies/executions, and overall IT strategies/executions. Alex currently serves as a Board Member of the ISACA NY Metro Chapter, Governing Body Member of the Evanta NYC Executive CIO Community, and a Member of the Vation Ventures New York Innovation Advisory Council. He also sits on numerous other advisory boards and holds several industry certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Chief Information Security Officer (C|CISO), and Certified Data Privacy Solutions Engineer (CDPSE).

Wendy Beer, Independent Director, Azimuth Governance

Wendy serves as an independent director with Azimuth. Prior to joining Azimuth, Wendy was Managing Director and head of Wells Fargo Prime Services' Business Consulting Group, responsible for the development and management of the platform's business consulting services. Prior to joining Wells Fargo Securities, Wendy was a consultant at Tiger Bay Advisors, where she provided supplemental, interim, and ongoing subject matter solutions to help hedge funds manage and operate key business functions. Before her work at Tiger Bay, Wendy held a number of key industry roles, including director in Credit Suisse's Global Credit Products, where she specialized in business development and sales and marketing of tailored leveraged facilities to alternative asset managers. Prior to Credit Suisse, Wendy worked in Salomon Smith Barney's legal department. She was also a senior attorney in the SEC's Enforcement Division, and has held legal roles at Furman Selz and Lehman Brothers. Wendy holds a B.A. in Communications from Northwestern University, a J.D. from Brooklyn Law School and a Master of Laws degree from the London School of Economics. Wendy holds Series 7, 53, and 63 licenses and was admitted to the bars of New York and New Jersey.

Casey Jennings, Counsel, Seward & Kissel

Casey is a member of Seward & Kissel’s Financial Services Regulatory Group and Blockchain and Cryptocurrency Group in the Firm’s Washington, DC, office. As a financial attorney, Casey advises a wide range of financial services companies (including banks, broker-dealers, investment funds, service providers, and financial technology companies) on federal and state banking and securities law issues. Casey regularly provides legal aid to clients with respect to financial matters such as deposit issues, lending services, state and federal licensing and registration, anti-money laundering, custody, transfer, payments, and liquidity issues, and the Bank Holding Company Act.

Jacob Cane - Managing Director, Head of Cybersecurity Risk Services, Salus GRC

Jacob has over 25 years of experience providing cybersecurity and IT services. Jacob was the co-founder and CEO of Proactive Technologies, an outsourced IT and cybersecurity provider to investment managers. Proactive was acquired by Abacus Group, where Jacob was a member of the leadership team. Jacob was most recently the Global Head of Customer Success & Strategy at Drawbridge Partners, a cybersecurity firm serving the investment industry. Jacob has a BA from Columbia University and maintains a Certified Information Systems Security Professional (CISSP) certification.

Todd Cipperman, Managing Principal, Cipperman Analytics

Todd Cipperman is the Managing Principal of Cipperman & Company and Cipperman Analytics, through which he provides regulatory advice and management consulting services to growth-minded investment managers and fund managers on strategic objectives, distribution strategies, financing options, board and corporate governance, and regulatory structures. He is an experienced financial services executive who founded, grew, and sold an industry-leading compliance services firm to a large, private equity backed consulting/technology firm. He has served as General Counsel of a public investment firm and worked in private legal practice on Wall Street representing both buy and sell side clients in investment management and capital markets transactions. He is a graduate of the University of Pennsylvania Law School and Cornell University. He is the author of the book The Compliance Advantage: Ten Must-Know Trends to Protect Your Investment Firm, which is available in hard copy and in digital format on Amazon.

Ed Fasano, Co-Founder, EAC LLC

Ed Fasano has 25 years of experience as an investment adviser COO, CFO, CCO, Treasurer, and Head of Investor Relations. His role at EAC includes heading up the firm's Pre-Launch and Treasury consulting services as well as leading EAC's global sales and marketing efforts. Prior to founding EAC, Mr. Fasano launched the advisory offering at Titan Regulation. Before Titan, Mr. Fasano launched SAYA Management LP, serving as COO, CFO and CCO, responsible for all finance and accounting matters in addition to compliance, investor relations and personnel matters. Before starting SAYA, Mr. Fasano was with Seawolf Capital, where he was responsible for the Firm's launch and later served as the Firm's COO, CFO and CCO. Prior to Seawolf, Mr. Fasano led Treasury and Operations functions at FrontPoint Partners and spearheaded portfolio finance for DKR Capital. Earlier in his career, Mr. Fasano held operational and finance roles at Tiger Management and Paloma Partners. Moreover, he had a key role in establishing and operating the stock loan finance broker-dealer at Citadel Investment Group and managing its relationships with stock loan counterparties.

James Mignacca, CEO, Cavelo

As CEO of Cavelo, James helps businesses proactively reduce cybersecurity data risk and achieve compliance with automated data discovery, classification and reporting. Cavelo's cloud compatible data risk management platform continuously scans, identifies and classifies sensitive data across machines, servers and cloud applications, simplifying compliance reporting and risk remediation.

Mark Sangster, Vice President, Chief of Strategy, Adlumin

Mark Sangster, author of No Safe Harbor: The Inside Truth about Cybercrime and How to Protect Your Business, is a go-to subject matter expert for leading publications and media outlets, including The Wall Street Journal and Forbes, covering major data breach events. His experience unites a strong technical aptitude and an intuitive understanding of regulatory agencies, shifts risk trends and influences thought leaders.

Vinod Paul, Chief Operating Officer, Align

With over 20 years of extensive experience in financial services and technology, Vinod Paul serves in the role of President, Align Managed Services. As President, Vinod is responsible for spearheading the strategic development of Align's Managed Services offerings, including overseeing Align Cybersecurity™, a comprehensive solution for cybersecurity risk management. Additionally, Vinod plays a pivotal role in nurturing senior client relationships within the alternative asset management community, offering ongoing guidance on industry best practices and emerging trends in Managed Services. Renowned as an influential figure in the financial services sector, Vinod previously held leadership positions at ECI, a prominent global provider of Managed IT Services. During his 13-year tenure as Managing Director, he led customer-facing engagements, focusing on service delivery and business development on a global scale. Under his guidance, ECI solidified its position as a premier Managed Service provider in the financial services realm, expanding its operations into Europe and Asia. Vinod has demonstrated his expertise through numerous placements in industry-relevant publications such as Forbes, Channel Futures, Hedgeweek, and Private Equity Wire. As an active speaker in the fields of managed services leadership, cybersecurity, financial services, and technology, Vinod has been recognized and celebrated for his contributions.

Gary Berger - Partner and Financial Services Industry Leader, Northeast, CohnReznick

Gary Berger is an audit partner at CohnReznick LLP and serves as the Northeast Financial Services Industry Leader. Based in the Firm's New York office, he is extensively involved in the Firm's Financial Services practice and has more than 30 years of experience serving domestic and offshore hedge funds, private equity funds, venture capital funds, and funds of funds. Gary provides advice on fund start-up issues including organizational structure, economic and tax issues, seeding arrangements, and general business consultation. He serves as a relationship manager on numerous clients and is responsible for coordinating, managing and performing audit services for funds. Gary is a frequent speaker at financial services conferences and seminars. He has presented on numerous industry topics, including how to launch a hedge fund, valuation and fair value of investment portfolios, organizational and tax issues associated with investment partnerships, opportunity zones, and accounting and technical issues for investment partnerships. Prior to joining CohnReznick, Gary headed up the hedge fund practices nationally for KPMG and Rothstein Kass.

Chris Zadrima, Chief Operating Officer, Align

With over 17 years of expertise in designing and spearheading prosperous Managed Service practices, Chris Zadrima stands as a distinguished leader in constructing customer management teams and excelling as a subject matter expert in harnessing cloud-based solutions to address business and operational needs. Currently at Align, Chris assumes a comprehensive role overseeing the entirety of Align's Global Managed Services practice, which encompasses Client Support, Cloud Architecture and Strategy, Project Management, the Network Operations Center, and the IT Service Desk. In recognition of his outstanding contributions to steering growth and strategic direction within his current role, Chris has been honored by CRN, a division of The Channel Company, as one of the 2023 Next-Gen Solution Provider Leaders. This prestigious accolade underscores individuals who not only significantly impact their companies' trajectories but also exhibit the potential to emerge as future leaders in channel innovation. The accolade specifically acknowledges solution provider professionals aged 40 or younger who have played pivotal roles in shaping their company's strategic direction and fostering channel growth over the past year. Before joining Align, Chris played a key role in the leadership team at Infoaxis, a technology solution provider. During his nine-year tenure, he successfully developed a Managed Service offering that supported over 6000 endpoints. Chris's academic foundation includes a degree from Fordham University, where he graduated with a Bachelor of Science in Accounting with a concentration in Management Information Systems. His educational background, combined with his extensive industry experience, reflects his multifaceted proficiency in both business and technology domains.
