Request for Extension of Compliance Dates for Amendments to Regulation S-P (Joint Trades)

Summary

SIFMA, SIFMA AMG, American Bankers Association (ABA), Bank Policy Institute (BPI), Institute of International Bankers (IIB), Insured Retirement Institute (IRI), Investment Adviser Association (IAA), Investment Company Institute (ICI), and The Committee of Annuity Insurers (CAI) provided comments to the U.S. Securities and Exchange Commission (SEC) requesting a 12-month extension of the compliance dates for the amendments to Regulation S-P approved by the Securities and Exchange Commission.

Submitted To: SEC

Submitted By: SIFMA, SIFMA AMG, ABA, BPI, IIB, IAA, ICI, IRI, and CAI

Date: 25 April 2025

Excerpt

April 25, 2025

By Electronic Submission
The Honorable Paul Atkins
Chairman
Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549-1090

Re: Request for Extension of Compliance Dates for Amendments to Regulation S-P (File No. S7-05-23)

Dear Chairman Atkins,

The Securities Industry and Financial Markets Association (“SIFMA”), SIFMA Asset Management Group (“SIFMA AMG”), American Bankers Association (“ABA”), Bank Policy Institute (“BPI”), Institute of International Bankers (“IIB”), Investment Adviser Association (“IAA”), Investment Company Institute (“ICI”), Insured Retirement Institute (“IRI”), and the Committee of Annuity Insurers (“CAI”) (collectively, the “associations”)[1] are hereby requesting a 12-month extension of the compliance dates for the amendments to Regulation S-P approved by the Securities and Exchange Commission (the “Commission” or “SEC”) on May 16, 2024 (the “Amendments”).[2] The associations appreciate the importance of strong cybersecurity and data protection practices for our country, including appropriate notification of cybersecurity incidents to individuals. Extending the compliance dates is necessary to achieve reasonable compliance with the Amendments and improve our members’ ability to address certain issues discussed below.[3]

The associations believe this request falls within the President’s Memorandum for Heads of Executive Departments and Agencies, Regulatory Freeze Pending Review, requiring agency heads to consider extending compliance dates for 60 days while additional changes may be considered through notice and comment.[4] This letter focuses on the need to extend the current compliance dates for the Amendments for at least 12 months. However, the associations want to make clear that there are also significant substantive concerns with the Amendments, including the lack of consistency with existing federal and state privacy requirements. There are currently 50 state breach laws, along with other federal and global privacy requirements. If the Amendments were to preempt other state and federal privacy laws, arguably there would be a net benefit to investors and the markets. As they stand now, however, the Amendments only add additional compliance burdens without discernible links to threat reduction or protection of investors. Therefore, the associations urge the Commission to consider further amendments to Reg S-P to better align with existing federal and state requirements.

Given the overlapping regulatory frameworks, the current compliance dates do not provide sufficient time for our members to comply with the Amendments and harmonize the requirements against existing state, federal and global privacy requirements. Although there are some portions of the Amendments that align with other federal and state requirements, our members have faced significant challenges when preparing to comply with the Amendments, including:

  1. Third-Party Notification. The Amendments would require significant changes for agreements with service providers and would require significant updates across firms. The Amendments require that covered financial institutions have policies and procedures designed to ensure that service providers provide notice of data breaches within 72 hours. To ensure compliance, this notification requirement may lead firms to amend existing vendor agreements that fall into the scope of the Amendments. A 12-month extension of the compliance dates will be needed for most covered financial institutions to assess which vendor contracts to amend and then negotiate and execute those amendments.[5] This additional time should allow time for the 72-hour notification requirement to become standardized in contract terms within the market among vendors of different sizes, which will especially benefit smaller firms. Also, the additional time for compliance increases the possibility that vendor contracts may come up for renewal in the normal course, thus making a requested amendment of this type more efficient and perhaps less costly than if a covered financial institution requests an amendment outside of the renewal period.
  2. Substantial Changes to Existing Policies and Procedures. The Amendments require covered institutions to make significant changes to policies and procedures because the Amendments do not align with existing federal and state laws and regulations with overlapping requirements. In addition to federal and state privacy laws, the Amendments intersect with other regulatory requirements, such as the European Union’s General Data Protection Regulation (“GDPR”) and emerging artificial intelligence laws in the United States and Europe. Coordinating compliance efforts across these overlapping regulations necessitates additional time to identify and avoid conflicts and then to ensure comprehensive adherence. As a result, additional time is required to make the necessary changes to policies, procedures, and processes to better comply with the Amendments.

For example, in relation to response programs for unauthorized access to, or use of, personal information, the Amendments introduce new, expansive definitions of the terms “customer information” and “sensitive customer information” that are far broader than state laws, as well as being broader than the regulations previously enacted by the other federal agencies (e.g., the federal banking agencies and the Federal Trade Commission) pursuant to the same statutory authority the SEC has acted under for the Amendments.

The definition of “customer information” has been extended to cover not only nonpublic personal information that a covered institution collects about its own customers, but also any nonpublic personal information that the covered entity receives from another financial institution about customers of that financial institution. The Amendments would require, under certain circumstances, that a covered institution directly provide notice of a data breach to non-customers regardless of whether the entity that actually owns the customer relationship would also be providing its own notice. This expansion creates a significant new burden on covered financial institutions to adapt existing policies and procedures for this extensive range of new data which was not previously covered by Regulation S-P. Importantly, beyond increasing the regulatory burden across the industry, we believe that this creates the potential for duplication of notification to customers. We understand the Commission has acknowledged this risk and, in the final amendments, included provisions to allow covered institutions to coordinate notification efforts to avoid multiple notices for a single incident. However, the responsibility for ensuring notification still rests with the covered institution, and the potential for over-notification remains a concern. We note that Commissioner Peirce’s statement on the Amendments warned that frequent notifications could desensitize consumers and undermine the effectiveness of such notices.

Finally, the Amendments impose an unnecessarily short period to notify individuals whose information has or may have been accessed or used without authorization. The Amendments require covered financial institutions to provide notice as soon as reasonably practicable, but not later than 30 days, after the covered institution becomes aware that unauthorized access to or use of customer information has, or is reasonably likely to have, occurred. The “one-size-fits-all” timeframe fails to take into consideration the complexity of significant cybersecurity incidents. In these cyberattacks, which occur nearly every day, malicious actors strike against both structured and unstructured data.

A well-structured forensic investigation, even when relying on external third parties, usually takes several months, and rarely less than 30 days. The covered financial institution may have an awareness of an intrusion or unauthorized access but is not in a position to accurately inform customers with any precision about the impact on their personally identifiable information. The forensic examination of the structured and unstructured data is still ongoing to ascertain (i) which customers were impacted and (ii) what personally identifiable information was exposed. Under these frequent incidents, the SEC’s 30-day notification timeframe will not provide meaningful awareness or guidance to customers but instead will cause individuals to receive frequent unnecessary notices even when their information is not impacted, thus creating unnecessary anxiety and confusion for the recipient. As such, the 30-day notification mandate, and the challenges of building out internal and external systems to support it, should be carefully reconsidered and, respectfully, underscore the imperative of a 12-month extension.

These examples serve to illustrate significant new burdens imposed on covered financial institutions to adapt existing policies and procedures for data that was not previously covered by Regulation S-P. The associations welcome the opportunity to provide further examples to the Commission.

***

The associations appreciate the Commission’s attention to cybersecurity and data protection. In light of the complex regulatory landscape in which our members operate, we note the importance of fostering alignment across applicable federal and state cybersecurity frameworks. Greater consistency can help reduce conflicting obligations and support more efficient, effective compliance. Accordingly, the associations respectfully recommend that the Commission extend the compliance deadline for the Amendments by 12 months and consider targeted modifications that would better serve investors while mitigating regulatory overlap and burdens. If you would like to discuss this request further, please reach out to Melissa MacGregor at [email protected].

Sincerely,

Securities Industry and Financial Markets Association
SIFMA Asset Management Group
American Bankers Association
Bank Policy Institute
Institute of International Bankers
Insured Retirement Institute
Investment Adviser Association
Investment Company Institute
The Committee of Annuity Insurers

Appendix A – Signatory Associations

The Securities Industry and Financial Markets Association (“SIFMA”) is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”).

SIFMA Contact: Melissa MacGregor, Deputy General Counsel and Corporate Secretary

SIFMA’s Asset Management Group (“SIFMA AMG”) brings the asset management community together to provide views on U.S. and global policy and to create industry best practices. SIFMA AMG’s members represent U.S. and global asset management firms whose combined assets under management exceed $45 trillion. The clients of SIFMA AMG member firms include, among others, tens of millions of individual investors, registered investment companies, endowments, public and private pension funds, UCITS and private funds such as hedge funds and private equity funds.

SIFMA AMG Contact: Kevin Ehrlich, Managing Director

The American Bankers Association (“ABA”) is the voice of the nation’s $23.7 trillion banking industry, which is composed of small, regional, and large banks that together employ more than 2.1 million people, safeguard $18.7 trillion in deposits, and extend $12.2 trillion in loans.

ABA Contact: John Carlson, Vice President, Cybersecurity Regulation and Resilience

The Bank Policy Institute (“BPI”) is a nonpartisan group representing the nation’s leading banks. BPI members include universal banks, regional banks, and the major foreign banks doing business in the United States. Collectively, BPI members hold $10.7 trillion in deposits in the United States; make 68% of all loans, including trillions of dollars in funding for small businesses and household mortgages, credit cards, and auto loans; employ nearly two million Americans and serve as a principal engine for the nation’s financial innovation and economic growth.

BPI Contact: Tabitha Edgens, Senior Vice President and Senior Associate General Counsel

The Institute of International Bankers (“IIB”) represents internationally headquartered financial institutions from over thirty-five countries around the world doing business in the United States. The membership consists principally of international banks that operate branches, agencies, bank subsidiaries, and broker-dealer subsidiaries in the United States. The IIB works to ensure a level playing field for these institutions, which are an important source of credit for U.S. borrowers and comprise the majority of U.S. primary dealers. These institutions enhance the depth and liquidity of U.S. financial markets and contribute greatly to the U.S. economy through direct employment of U.S. citizens, as well as through other operating and capital expenditures.

IIB Contact: Michelle Meertens, Deputy General Counsel

The Investment Adviser Association is the leading organization dedicated to advancing the interests of fiduciary investment advisers. For more than 85 years, the IAA has been advocating for advisers before Congress and U.S. and global regulators, promoting best practices and providing education and resources to empower advisers to effectively serve their clients, the capital markets, and the U.S. economy. Our members range from global asset managers to the medium and small-sized firms that make up the majority of our industry. Together, the IAA’s member firms manage more than $35 trillion in assets for a wide variety of individual and institutional clients, including pension plans, trusts, mutual funds, private funds, endowments, foundations, and corporations.

IAA Contact: Gail C. Bernstein, General Counsel

The Investment Company Institute (“ICI”) is the leading association representing the asset management industry in service of individual investors. ICI’s members include mutual funds, exchange-traded funds (ETFs), closed-end funds, and unit investment trusts (UITs) in the United States, and UCITS and similar funds offered to investors in other jurisdictions. Its members manage $39.1 trillion invested in funds registered under the US Investment Company Act of 1940, serving more than 120 million investors. Members manage an additional $9.3 trillion in regulated fund assets managed outside the United States. ICI also represents its members in their capacity as investment advisers to collective investment trusts (CITs) and retail separately managed accounts (SMAs). ICI has offices in Washington DC, Brussels, and London.

ICI Contact: Mitra Surrell, Associate General Counsel

The Insured Retirement Institute (“IRI”) is the leading association for the entire supply chain of insured retirement strategies, including life insurers, asset managers, broker dealers, banks, marketing organizations, law firms, and solution providers. IRI members account for 90 percent of annuity assets in the U.S., include the foremost distributors of protected lifetime income solutions, and are represented by financial professionals serving millions of Americans. IRI champions retirement security for all through leadership in advocacy, awareness, research, diversity, equity, and inclusion, and the advancement of digital solutions within a collaborative industry community.

IRI Contact: Emily Micale, Director, Federal Regulatory Affairs

The Committee of Annuity Insurers (“CAI”) is a coalition of life insurance companies that issue annuities. It was formed in 1981 to address legislative and regulatory issues relevant to the annuity industry and to participate in the development of public policy with respect to securities, state regulatory and tax issues affecting annuities. The CAI’s current 33 member companies represent approximately 80% of the annuity business in the United States. For over 40 years, the CAI has been actively involved in shaping and commenting upon many aspects of the Securities and Exchange Commission’s regulatory framework as it affects the offering of annuity and other retirement savings and protection products.

CAI Contact: Alexander F.L. Sand, Partner, Eversheds Sutherland (US) LLP

  1. See Appendix A for a description of each of the signatories.
  2. Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Securities, Release Nos. 34–97141; IA–6262; IC–34854, 88 Fed. Reg. 20616 (proposed Apr. 6, 2023).
  3. The compliance periods for the Amendments are December 3, 2025 for large entities and June 3, 2026 for smaller entities as defined in the Amendments.
  4. President’s Memorandum for Heads of Executive Departments and Agencies, Regulatory Freeze Pending Review (January 20, 2025).
  5. This assumes that small firms will be able to negotiate terms with vendors, which many firms may lack the leverage to do.