SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information

What happened?

On May 16th, 2024, the SEC adopted amendments to Regulation S-P requiring broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents (“covered institutions”) to implement and maintain policies and procedures for an incident response program designed to detect, respond to, and recover from unauthorized access to or use of client information.

In 2000, the SEC initially adopted Regulation S-P, which:

  1. Broadly requires broker-dealers, investment companies, and registered investment advisers to adopt and maintain policies and procedures to protect customer records and information (the “safeguards rule”);
  2. Requires proper disposal of consumer report information in a way that limits the threat of unauthorized access to or use of such information (the “disposal rule”); and
  3. Implemented privacy policy notice and opt out provisions.

The final, adopted amendments expand upon the initial Regulation S-P and now establish a minimum standard under which covered institutions must provide data breach notifications to affected individuals.

What’s Required?

  1. Incident Response Program:
    • Under the adopted amendments, covered institutions will be required to maintain an incident response program. The program must be designed to detect, respond to, and recover from unauthorized access to or use of client information, and to prevent unauthorized use. Additionally, the amendments formally establish requirements for covered institutions to adopt policies and procedures regarding due diligence and monitoring of service providers.
  2. Customer Notification Requirement:
    • Covered institutions will be required to notify those whose sensitive information was, or is reasonably likely to have been, accessed or used.
    • Notice will be required as soon as practicable, and no later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
    • Notice is not required if a covered institution determines that sensitive client information has not been and is not reasonably likely to have been used in a way that would cause harm or substantial inconvenience.
  3. Additional Requirements:
    • The amendments expand the safeguards and disposal rules to cover nonpublic personal information that a covered institution obtains about its own clients and nonpublic personal information received from another financial institution about clients of that institution;
    • Covered institutions (except funding portals) must maintain written records evidencing compliance with the safeguards and disposal rules;
    • Regulation S-P’s annual privacy notice delivery provisions are aligned with the terms of an exception added by the FAST Act, which exempts a covered institution from annual privacy notice delivery if certain conditions are met; and
    • The safeguards rule and disposal rule now extend to transfer agents registered with the SEC or another appropriate regulatory agency.

More details are included in the SEC’s fact sheet on the amendments.

Next Steps:

The adopted amendments will become effective 60 days after publication in the Federal Register. Larger entities will have 18 months after the date of publication to comply, and smaller entities will have 24 months.

If you do not already have a vendor management program in place, consider starting there. Covered institutions will be required to implement programs to oversee and monitor vendors under the amendments, and we are routinely seeing requests for vendor due diligence in cyber-related exam requests. If an incident response program is not currently in place, covered institutions should work on implementing one. Aside from being required by the rule, establishing a thorough incident response program is a worthwhile business decision, as it supports the firm in protecting sensitive client information.

While covered institutions will have 18-24 months to implement the required changes, including updating Incident Response Programs to comply with the adopted amendments, firms should consider establishing a roadmap to compliance given competing regulatory changes on the horizon.

Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding the adopted amendments. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.