In March 2008, the SEC released a set of proposed amendments to Regulation S-P which seek to require registered investment advisers to enhance the protection of consumer financial information. The proposed amendments set forth more specific requirements for safeguarding information and responding to information security breaches. They also broaden the scope of the information covered by Regulation S-P’s safeguarding and disposal provisions. In addition, they would extend the application of the disposal provisions to natural persons associated with brokers, dealers, investment advisers registered with the SEC (“registered investment advisers”) and transfer agents registered with the SEC (“registered transfer agents”), and would extend the application of the safeguarding provisions to registered transfer agents. Finally, the proposed amendments would permit a limited transfer of information to a nonaffiliated third party without the required notice and opt out when personnel move from one broker-dealer or registered investment adviser to another.
Information and Security Breach Requirements
Under the present iteration of Regulation S-P, investment advisers are required to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendment takes this requirement a step further by requiring advisers to develop, implement, and maintain a comprehensive “information security program,” including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information.
The information security program must be appropriate to the adviser’s size and complexity, the nature and scope of its activities, and the sensitivity of any personal information at issue. The information security program would have to be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or security holder who is a natural person. “Substantial harm or inconvenience” would include theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of the information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise use the individual’s account.
Elements of Information Security Plan
As part of their information security plan, advisers should:
- Designate in writing an employee or employees to coordinate the information security program;
- Identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information;
- Design and document in writing and implement information safeguards to control the identified risks;
- Regularly test or otherwise monitor and document in writing the effectiveness of the safeguards’ key controls, systems, and procedures, including the effectiveness of access controls on personal information systems, controls to detect, prevent and respond to attacks or intrusions by unauthorized persons, and employee training and supervision;
- Train staff to implement the information security program;
- Oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing); and
- Evaluate and adjust their programs to reflect the results of the testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the institution knows or reasonably believes may have a material impact on the program.