May 16, 2024
What happened?
On May 16th, 2024, the SEC adopted amendments to Regulation S-P requiring broker-dealers (including funding portals), investment companies, registered investment advisors, and transfer agents (“covered institutions”) to implement and maintain policies and procedures for an incident response program designed to detect, respond to, and recover from unwarranted access to or use of client information.
In 2000, the SEC initially adopted Regulation S-P, which:
The final, adopted amendments expand upon the initial Regulation S-P and now set a minimum requirement for covered institutions to provide data breach notifications to affected individuals.
Covered institutions must have each of the following in place to comply with the amendments:
More details are included in the SEC’s fact sheet on the amendments.
Next Steps:
The adopted amendments will become effective on August 2, 2024. Larger entities will have until December 3, 2025, to comply, and the compliance deadline for smaller entities is June 3, 2026.
If you do not already have a vendor management program in place, consider starting there. Covered institutions will be required to implement programs to oversee and monitor vendors under the amendments, and we are routinely seeing requests for vendor due diligence in cyber-related exam requests. If an Incident Response Program is not currently in place, covered institutions should work on implementing one. Beyond being required by the rule, establishing a thorough incident response program is a worthwhile business decision, as it supports the firm in protecting sensitive client information.
While covered institutions will have 18-24 months to implement the required changes, including updating Incident Response Programs to comply with the adopted amendments, firms should consider establishing a roadmap to compliance given competing regulatory changes on the horizon.
Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding the adopted amendments. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.