
SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information

What happened?

On May 16th, 2024, the SEC adopted amendments to Regulation S-P requiring broker-dealers (including funding portals), investment companies, registered investment advisors, and transfer agents (“covered institutions”) to implement and maintain policies and procedures for an incident response program designed to detect, respond to, and recover from unwarranted access to or use of client information.

In 2000, the SEC initially adopted Regulation S-P, which:

  1. Broadly requires broker-dealers, investment companies, and registered investment advisers to adopt and maintain policies and procedures to protect customer records and information (the “safeguards rule”);
  2. Requires proper disposal of consumer report information in a way that limits the threat of unauthorized access to or use of such information (the “disposal rule”); and
  3. Implemented privacy policy notice and opt out provisions.

The final, adopted amendments now provide a minimum for covered institutions to provide data breach notifications to affected individuals and expand upon the initial Regulation S-P.

Covered institutions must have each of the following in place to comply with the amendments:

  1. Vendor Management Program: The amendments formally establish requirements for covered institutions to adopt policies and procedures regarding due diligence and monitoring of service providers. If you do not already have a vendor management program in place, consider starting there. The SEC already routinely requests vendor due diligence in cyber-related exam requests. Note: Service providers have a 72-hour notice requirement to covered institutions.
  2. Incident Response Program: Under the adopted amendments, covered institutions will be required to maintain an incident response program. The program must be designed to detect, respond to, and recover from unauthorized access to or use of client information and to prevent unauthorized use. Note: Even if you have an incident response plan in place, you will still need to update your program to comply with the adopted amendments.
  3. Customer Notification Requirement: Covered institutions will be required to notify those whose sensitive information was, or is reasonably likely to have been, accessed or used. Note: Covered institutions have a 30-day notice requirement to customers.
  4. Expansion of Safeguards and Disposal Rules (including written records): The amendments expand the safeguards and disposal rules to cover nonpublic personal information that a covered institution obtains about its own clients and nonpublic personal information received from another financial institution about clients of that institution. Covered institutions (except funding portals) must also maintain written records evidencing compliance with the safeguards and disposal rules.

More details are included in the SEC’s fact sheet on the amendments.

Next Steps:

The adopted amendments will become effective on August 2, 2024. Larger entities will have until December 3, 2025, to comply and the compliance deadline for smaller entities is June 3, 2026.

If you do not already have a vendor management program in place, consider starting there. Covered institutions will be required to implement programs to oversee and monitor vendors under the amendments, and we are routinely seeing requests for vendor due diligence in cyber-related exam requests. If an Incident Response Program is not currently in place, covered institutions should work on implementing one. Aside from being a required rule, establishing a thorough incident response program is a worthwhile business decision, as it supports the firm in protecting sensitive client information.

While covered institutions will have 18-24 months to implement the required changes, including updating Incident Response Programs to comply with the adopted amendments, firms should consider establishing a roadmap to compliance given competing regulatory changes on the horizon.

Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding the adopted amendments. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.