The Securities and Exchange Commission today proposed amendments to Regulation S-P that would enhance the protection of customer information by, among other things, requiring broker-dealers, investment companies, registered investment advisers, and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.

“Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” said SEC Chair Gary Gensler. “I think we should close this gap. Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves.”

Regulation S-P currently requires broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for the protection of customer records and information (“safeguards rule”). Regulation S-P also requires the proper disposal of consumer report information (“disposal rule”). Today’s proposal, if adopted, would update the rule’s requirements to address the expanded use of technology and corresponding risks since the Commission originally adopted Regulation S-P in 2000.

The Commission’s proposal would require broker-dealers, investment companies, registered investment advisers, and transfer agents (collectively, “covered institutions”) to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. The proposed amendments would also require, with certain limited exceptions, covered institutions to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. The proposal would require a covered institution to provide this notice as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

The proposed amendments would also make a number of additional changes to Regulation S-P, including:

• Broadening and aligning the scope of the safeguards rule and disposal rule to cover “customer information,” a new defined term. This change would extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions;

• Extending the safeguards rule, including the proposed enhancements, to transfer agents registered with the Commission or another appropriate regulatory agency, and expanding the existing scope of the disposal rule to include transfer agents registered with another appropriate regulatory agency rather than only those registered with the Commission; and

• Conforming Regulation S-P’s existing provisions relating to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015.

The proposing release will be published in the Federal Register. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.