FLASH FRIDAY: What Broker-Dealers Need to Know About Reg S-P Amendments

FLASH FRIDAY is a weekly content series looking at the past, present and future of capital markets trading and technology. FLASH FRIDAY is sponsored by Instinet, a Nomura company.

On May 16, 2024, the U.S. Securities and Exchange Commission (SEC) finalized amendments to Regulation S-P, which requires registered broker-dealers, among other entities, to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”


Benjamin Schiffrin, Director of Securities Policy, Better Markets, explained that this includes procedures for, in most instances, providing notification to individuals whose sensitive customer information was accessed or used without authorization.

This notice must be provided as soon as reasonably practicable, but not later than 30 days after the broker-dealer becomes aware that unauthorized access to or use of sensitive customer information has occurred, he said.

Joe Swanson, Partner at law firm Foley & Lardner, added that since its adoption, Regulation S-P has required broker-dealers to adopt written policies and procedures to safeguard customer records and information. 

The new amendments expand on the safeguards rule by also requiring the policies and procedures to include an incident response program, he said. 

“Although the amended regulation imposes additional compliance obligations on broker-dealers and other covered institutions, many of those institutions (particularly the larger ones) will have existing cybersecurity frameworks that may lessen the burden,” he said.

According to Swanson, readiness across the industry is varied. While larger broker-dealers are better positioned to adapt quickly due to existing cybersecurity frameworks, smaller firms will need to undertake greater efforts to align with the new requirements, he said.

“We’re advising all of our clients to take advantage of the SEC’s implementation timeline—18 months for larger entities and 24 months for smaller entities—to evaluate existing frameworks relative to the new requirements and create a roadmap for compliance,” he commented.

Schiffrin cited Better Markets’s comment letter, saying that the financial industry has experienced several cybersecurity incidents in the last few years, which impose huge costs on both firms and their customers.

However, he added that several studies show that organizations that contain data breaches within 30 days save millions of dollars.

“The need for broker-dealers to have rigorous cybersecurity measures, including measures to address cybersecurity incidents when they occur and notify affected customers, is self-evident,” he said.  

“Indeed, the SEC noted in its adopting release that many entities already have response programs and that many states already require some form of customer notification of data breaches,” he commented.

Schiffrin said that broker-dealers need to ensure that they have an incident response program that complies with the requirements of Regulation S-P.  

Prior to these rule amendments, no SEC rule required broker-dealers to have policies and procedures for responding to data breach incidents or for notifying customers of those breaches, he said.

To the extent broker-dealers already have incident response programs, they will need to make sure that their existing programs comply with Regulation S-P, he added. To the extent they do not have such programs, they will have to adopt them so that they can respond to unauthorized access to customer information and notify customers when such access occurs, so that their customers can protect themselves from identity theft.


Swanson said that step one for broker-dealers to comply with the new amendments is to “start now”. 

The SEC has provided 18-24 months to come into compliance, he said. 

“Depending on the state of their existing cybersecurity framework, smaller organizations may need to take advantage of most of that period to enhance their framework,” he added. 

Swanson said the specifics include developing an effective incident response program tailored to the organization’s operations, enhancing service provider oversight, and updating record-keeping practices. 

“But most importantly (and regardless of the amended regulation), an effective cybersecurity program should be tested and updated regularly to respond not just to compliance obligations but the evolving threat landscape, changes in personnel, and so forth,” he said.

When asked whether he foresees increased spending on cybersecurity compliance, Swanson said his firm has already been seeing a trend of increased spending on cybersecurity, “given the proliferation of threats and other legal requirements”.

“The amended regulation will certainly add to those trends,” he stressed.

“In general, as cybersecurity compliance has gained in importance not only from a regulatory perspective, but from an overall risk management standpoint, companies have been ramping up their spending in this area,” he commented.

Schiffrin added that the SEC noted in its adopting release that a recent survey found that 58% of financial firms self-reported “underspending” on cybersecurity measures.  

“You could see increased spending on cybersecurity compliance, but it won’t all be directly related to the amendments to Regulation S-P or the need to comply with Regulation S-P,” he said.  

Schiffrin said the costs of a data breach, and the need to guard against and respond to a data breach, are becoming increasingly clear, and so “it seems likely that firms will want to take the measures that are necessary to protect themselves and their customers”.  

Studies have shown, he added, that businesses with an incident response team that tested its incident response plan saw a cost savings of 58% compared to organizations without an incident response team and that did not test their incident response plan.  

“Any increase in cybersecurity spending is likely to be offset by savings from the prompt detection and notification of a data breach,” he said.

Schiffrin noted that the longer-term implications are that broker-dealers should experience fewer deleterious consequences from data breaches and customers of broker-dealers should be better protected.  

“The amendments reduce the chances that a broker-dealer will find itself in the headlines for failing to properly respond to a data breach,” he said.  

And customers will be able to be proactive if a data breach occurs at their broker-dealer. Identity theft has become pervasive due to the exposure of sensitive personal information that results from data breaches. In the long run, Regulation S-P’s notification requirements should enable more customers of the financial industry to take the steps necessary to protect themselves and hopefully result in fewer instances of identity theft.

Swanson said the amended regulation is another marker showing the SEC’s interest in cybersecurity. 

“Covered institutions should expect continued focus from the SEC in this area, including in enforcement actions,” he said. 

“While the amended regulation may impose additional compliance obligations and costs on covered institutions, many of those institutions may also leverage the opportunity to enhance their cybersecurity frameworks and seek to differentiate themselves from their competitors,” he concluded.