SEC Alert! Proposed rule Safeguarding Customer Information OPEN for comment. Current rule protects customer information against unauthorized access or use but does NOT include a requirement to notify affected individuals in the event of a data breach.

Would extend to Transfer Agents (Computershare).

Source: https://public-inspection.federalregister.gov/2023-05774.pdf (224 pages):

r/Superstonk - SEC Alert! Proposed rule Safeguarding Customer Information OPEN for comment. Current rule protects customer information against unauthorized access or use but does NOT include a requirement to notify affected individuals in the event of a data breach. Would extend to Transfer Agents …

Summary:

The SEC is proposing rule amendments that would require brokers and dealers (or “broker-dealers”), investment companies, and investment advisers registered with the Commission to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information.

  • Including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately.
  • The Commission also is proposing to broaden the scope of information covered by amending requirements for safeguarding customer records and information, and for properly disposing of consumer report information.
  • The proposed amendments would extend the application of the safeguards provisions to transfer agents.
  • The proposed amendments would also include requirements to maintain written records documenting compliance with the proposed amended rules.
  • Finally, the proposed amendments would conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act (“GLBA”).

More Details:

  • The Commission adopted Regulation S-P in 2000.
  • Regulation S-P’s provisions include, among other requirements, rule 248.30(a) (“safeguards rule”), which requires brokers, dealers, investment companies, and registered investment advisers to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information.
  • Another provision of Regulation S-P, rule 248.30(b) (“disposal rule”), which applies to transfer agents registered with the Commission in addition to the institutions covered by the safeguards rule, requires proper disposal of consumer report information.
  • Since Regulation S-P was adopted, evolving digital communications and information storage tools and other technologies have made it easier for firms to obtain, share, and maintain individuals’ personal information.
  • This evolution also has changed or exacerbated the risks of unauthorized access to or use of personal information, thus increasing the risk of potential harm to individuals whose information is not protected against unauthorized access or use.
  • Currently, the safeguards rule addresses protecting customer information against unauthorized access or use, but it does not include a requirement to notify affected individuals in the event of a data breach.
  • SEC is concerned that some firms may not maintain plans for addressing incidents of unauthorized access to or use of data.
  • SEC is also concerned the incident response programs that firms have implemented may be insufficient to respond to evolving threats or may not include well-designed plans for customer notification.
  • Requiring firms to adopt incident response programs to address unauthorized access to or use of customer information, including customer notification and recordkeeping requirements, would enhance protections for customer information.

Currently, broker-dealers, investment companies, and registered investment advisers respond to data breaches according to applicable state laws.

  • For example, states differ in the types of information that, if accessed or used without authorization, may trigger a notification requirement.
  • States also differ regarding a firm’s duty to investigate a data breach when determining whether notice is required, deadlines to deliver notice, and the information required to be included in a notice, among other matters.
  • As a result, a firm’s notification obligations arising from a single data breach may vary such that customers in one state may receive notice while customers of the same institution in another state may not receive notice or may receive less information.
  • In reviewing these state laws, SEC determined that certain aspects of these provisions would be appropriately adopted as components of a Federal minimum standard for customer notification, which would help affected customers understand how to respond to a data breach to protect themselves from potential harm that could result.
  • The 30-day notification deadline proposed in this release is shorter than the timing currently mandated by 15 states, and would also offer enhanced protections to individuals in 32 states with laws that do not include a notification deadline as well as those in states that mandate or permit delayed notifications for law enforcement purposes.

Consistent with 22 state laws, this proposal would require customer notification unless, after investigation, the covered institution finds no risk of harm.

  • Twenty-one states currently have a presumption against notifying customers of a breach, and only require notice if, after investigation, the covered institution finds risk of harm.
  • In the 11 states where state customer notification laws do not apply to entities subject to or in compliance with the GLBA, the proposal would help ensure customers of such institutions receive notice of a breach.
  • Establishing a federal minimum standard would protect individuals in an environment of enhanced risk.

The safeguards rule does not currently apply to transfer agents, even though they also obtain, share, and maintain personal information on behalf of securityholders who hold securities in registered form (i.e., in their own name rather than indirectly through a broker).

  • Securityholders whose personal information is maintained by transfer agents could be harmed by the unauthorized access or use of such information in the same manner as customers of broker-dealers, investment companies, and registered investment advisers, yet such securityholders are not currently protected by the safeguards rule.
  • The SEC believes that extending the safeguards rule to cover transfer agents is necessary to ensure that there is a Federal minimum standard for the notification of securityholders who are affected by a data breach that leads to the unauthorized access or use of their information, regardless of whether that data breach occurs at a broker-dealer, investment company, registered investment adviser, or transfer agent.

The safeguards rule currently requires only that institutions protect their own customers’ information.

  • This potentially overlooks information a broker-dealer, investment company, or registered investment adviser may have received from another financial institution about that financial institution’s customers, such as nonpublic personal information from an introducing broker or dealer that clears transactions for its customers through a clearing broker on a fully disclosed basis.
  • Applying the safeguards rule and the disposal rule to customer information that a covered institution receives from other financial institutions would better protect individuals by ensuring customer information safeguards are not lost when a third-party financial institution shares that information with a covered institution.
  • Applying the safeguards rule and the disposal rule to a broader set of information should enhance the security and confidentiality of customers’ personal information.
  • Transfer agents typically do not have consumers or customers for purposes of Regulation S-P because their clients generally are not individuals, but are the issuer in which investors, including individuals, hold shares.
  • With respect to a transfer agent registered with the Commission, under the proposal customer means any natural person who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent.

Therefore, the Commission is proposing amendments to Regulation S-P to enhance the protection of this information by:

  1. Requiring covered institutions to include incident response programs in their safeguards policies and procedures to address unauthorized access to or use of customer information, including procedures for providing timely notification to affected individuals;
  2. Extending the safeguards rule to all transfer agents registered with the Commission or another appropriate regulatory agency as defined in section 3(a)(34)(B) of the Exchange Act;
  3. More closely aligning the information protected by the safeguards rule and the disposal rule;
  4. Broadening the set of customers covered by those rules.

They tried to do this back in 2008:

  • In 2008, the Commission proposed amendments to Regulation S-P primarily to help prevent information security breaches in the securities industry and to improve responsiveness when such breaches occur, with the goal of better protecting investors from identity theft and other misuse of what the proposal would have defined as “personal information.”
  • The 2008 Proposal would have set out specific standards for safeguarding customer records and information, including requirements for procedures to respond to incidents of unauthorized access to or use of personal information.
  • Those requirements would have included procedures for notifying the Commission (or a broker-dealer’s designated examining authority) of data breach incidents, and procedures for notifying individuals of incidents of unauthorized access to or misuse of sensitive personal information, if the misuse had occurred or was reasonably possible.
  • The 2008 Proposal also would have amended the safeguards rule and the disposal rule so that both would have protected “personal information,” which would have included any record containing either “nonpublic personal information” or “consumer report information.”
  • In addition, the 2008 Proposal would have extended the safeguards rule to apply to transfer agents registered with the Commission, and would have extended the disposal rule to apply to natural persons who are associated persons of a broker or dealer, supervised persons of a registered investment adviser, and associated persons of any transfer agent registered with the Commission.
  • The 2008 Proposal would have further required brokers, dealers, investment companies, registered investment advisers, and transfer agents registered with the Commission to maintain and preserve written records of their policies and procedures required under the disposal and safeguards rules and compliance with those policies and procedures.
  • The Commission received over 400 comment letters in response to the 2008 Proposal.
  • The current proposal to amend Regulation S-P has been informed by comments received on the 2008 Proposal.
  • Most commenters supported requirements for comprehensive information security programs that are consistent and comparable to the rules and guidance of other Federal financial regulators.
  • Many commenters, however, objected to changes in the scope of information and entities covered by the proposed amendments.
  • Many commenters opposed or suggested modifying the proposed amendments’ information security breach response provisions.
  • Comments were mixed on the proposed exception for disclosures relating to transfers of representatives from one broker-dealer or registered investment adviser to another.

SEC speaks to the functions of a Transfer Agent and what they face:

  • Track, record, and maintain on behalf of issuers the official record of ownership of such issuer’s securities.
  • Cancel old certificates, issue new ones, and perform other processing and recordkeeping functions that facilitate the issuance, cancellation, and transfer of both certificated securities and book-entry only securities.
  • Facilitate communications between issuers and securityholders.
  • Make dividend, principal, interest, and other distributions to securityholders.
  • To perform these functions, transfer agents maintain records and information related to securityholders that may include names, addresses, phone numbers, email addresses, employers, employment history, bank and specific account information, credit card information, transaction histories, securities holdings, and other detailed and individualized information related to the transfer agents’ recordkeeping and transaction processing on behalf of issuers.
  • With advances in technology and the expansion of book-entry ownership of securities, transfer agents today increasingly rely on technology and automation to perform the core recordkeeping, processing, and transfer services described above, including the use of computer systems to store, access, and process the customer information related to securityholders they maintain on behalf of issuers.
  • Systems maintained by transfer agents are subject to threats and hazards to the security or integrity of customer information.
  • The systems maintained by transfer agents are subject to similar types of risks of breach as other covered institutions, and as a consequence, the individuals whose customer information is maintained by transfer agents are subject to similar risks of substantial harm and inconvenience as individuals whose customer information is maintained by other covered institutions.
  • The proposed definition of “customer information” with respect to a transfer agent would include “any record containing nonpublic personal information…identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is handled or maintained by the transfer agent or on its behalf.”
  • Transfer agents would be required to develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information.
  • They would also be required to develop, implement, and maintain an incident response program, including customer notifications, for unauthorized access to or use of customer information.
  • Currently, the disposal rule only applies to those transfer agents “registered with the Commission.”
  • However, the proposed amendments would also extend the application of the disposal rule to all transfer agents, including those transfer agents that are registered with another appropriate regulatory agency other than the Commission, by defining transfer agent in the proposed definition of a “covered institution” as “a transfer agent registered with the Commission or another appropriate regulatory agency.”
  • When coupled with the additional benefit of providing a minimum industry standard for the proper disposal of all customer information or consumer information that any transfer agent maintains or possesses for a business purpose, the SEC believes that extending the disposal rule to now cover all transfer agents would be appropriate for the protection of investors, and in the public interest.
  • According to Form TA-2 filings in 2021, transfer agents distributed approximately $3.8 trillion in securityholder dividends and bond principal and interest payments.
  • Critically, because Form TA-2 does not include information relating to the value of purchase, redemption, and exchange orders by mutual fund transfer agents, the $3.8 trillion amount noted above does not include these amounts.
  • If the value of such transactions by mutual fund transfer agents was captured by Form TA-2 it is possible that the $3.8 trillion number would be significantly higher.
  • Extending the safeguards rule to cover any transfer agent in order to address the risks to the security or integrity of customer information found on the systems they maintain will help prevent securityholders’ customer information from being compromised, which, as noted above, could threaten the ownership interest of security holders or disrupt trading within the securities markets.
  • It also would help establish minimum nationwide standards for the notification of securityholders who are affected by a transfer agent data breach that leads to the unauthorized access or use of their information so that affected securityholders could take additional mitigating actions to protect their customer information, ownership interest in securities, and trading activity.
  • Extending the disposal rule to cover those transfer agents registered with another appropriate regulatory agency would help protect investors and safeguard their securities and funds by reducing the risk of fraud or related crimes, including identity theft, which can lead to the loss of securities and funds.

Comment:

  • 60 days to comment
  • Send an email to [email protected]. Please include File Number S7-05-23 on the subject line.
  • Send paper comments to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.
  • All submissions should refer to File Number S7-05-23.
  • The file number should be included on the subject line if email is used.
  • All comments received will be posted without change; the Commission does not edit personal identifying information from submissions.
  • You should submit only information that you wish to make available publicly.

TLDRS:

  • Currently, the safeguards rule addresses protecting customer information against unauthorized access or use, but it does not include a requirement to notify affected individuals in the event of a data breach.
  • The proposed amendments would extend the application of the safeguards provisions to transfer agents.

The safeguards rule does not currently apply to transfer agents, even though they also obtain, share, and maintain personal information on behalf of securityholders who hold securities in registered form (i.e., in their own name rather than indirectly through a broker).

  • Securityholders whose personal information is maintained by transfer agents could be harmed by the unauthorized access or use of such information in the same manner as customers of broker-dealers, investment companies, and registered investment advisers, yet such securityholders are not currently protected by the safeguards rule.
  • The SEC believes that extending the safeguards rule to cover transfer agents is necessary to ensure that there is a Federal minimum standard for the notification of securityholders who are affected by a data breach that leads to the unauthorized access or use of their information, regardless of whether that data breach occurs at a broker-dealer, investment company, registered investment adviser, or transfer agent.
  • Extending the safeguards rule to cover any transfer agent in order to address the risks to the security or integrity of customer information found on the systems they maintain will help prevent securityholders’ customer information from being compromised, which, as noted above, could threaten the ownership interest of security holders or disrupt trading within the securities markets.
  • It also would help establish minimum nationwide standards for the notification of securityholders who are affected by a transfer agent data breach that leads to the unauthorized access or use of their information so that affected securityholders could take additional mitigating actions to protect their customer information, ownership interest in securities, and trading activity.
  • Extending the disposal rule to cover those transfer agents registered with another appropriate regulatory agency would help protect investors and safeguard their securities and funds by reducing the risk of fraud or related crimes, including identity theft, which can lead to the loss of securities and funds.
  • The Commission received over 400 comment letters in response to the 2008 Proposal.
  • The current proposal to amend Regulation S-P has been informed by comments received on the 2008 Proposal.
  • Most commenters supported requirements for comprehensive information security programs that are consistent and comparable to the rules and guidance of other Federal financial regulators.
  • Many commenters, however, objected to changes in the scope of information and entities covered by the proposed amendments.
  • Many commenters opposed or suggested modifying the proposed amendments’ information security breach response provisions.