High-level Overview: Amendments to Regulation S-P
Amendments to Reg S-P require investment advisers to have a vendor management program, an incident response program, and more.
On May 16, 2024, the Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P that require financial institutions, including investment companies and registered investment advisers, to implement and maintain policies and procedures for an incident response program designed to detect, respond to, and recover from unwarranted access to or use of client information.
Covered institutions must have each of the following in place to comply with the amendments:
- Vendor Management Program: The amendments formally establish requirements for covered institutions to adopt policies and procedures regarding due diligence and monitoring of service providers. If you do not already have a vendor management program in place, consider starting there. The SEC already routinely requests vendor due diligence materials in cyber-related exam requests. Note: Service providers are subject to a 72-hour requirement to notify covered institutions.
- Incident Response Program: Under the adopted amendments, covered institutions will be required to maintain an incident response program. The program must be designed to detect, respond to, and recover from unauthorized access to or use of client information, and to prevent unauthorized use. Note: Even if you already have an incident response plan in place, you will still need to update your program to comply with the adopted amendments.
- Customer Notification Requirement: Covered institutions will be required to notify those whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization. Note: Covered institutions are subject to a 30-day requirement to notify affected customers.
- Expansion of Safeguards and Disposal Rules (including written records): The amendments expand the safeguards and disposal rules to cover nonpublic personal information that a covered institution obtains about its own clients and nonpublic personal information received from another financial institution about clients of that institution. Covered institutions (except funding portals) must also maintain written records evidencing compliance with the safeguards and disposal rules.
Timing
While covered institutions will have 18-24 months to implement the required changes, including updating Incident Response Programs to comply with the adopted amendments, firms should consider establishing a roadmap to compliance given competing regulatory changes on the horizon.
Need help meeting these requirements? We can help. Contact us at info@fairviewinvest.com.