SEC Amends Regulation S-P: Time to Review Your Institution’s Data Privacy and Incident Response Policies

It’s time for investment companies, investment advisors, and other covered institutions to review their data privacy and incident response policies in light of the SEC’s latest amendments to Regulation S-P. On May 16, 2024, the U.S. Securities and Exchange Commission announced the adoption of amendments (“the Amendments”) to Regulation S-P, which regulates covered financial institutions’ handling of customers’ confidential information. Through these Amendments, the SEC seeks to modernize its cybersecurity rules by addressing the expanded role of technology since Regulation S-P was initially adopted.

Background of Regulation S-P

The SEC adopted Regulation S-P in 2000. The Regulation broadly requires covered institutions, including broker-dealers, investment companies, funding portals, registered investment advisors, and now transfer agents, to adopt written policies and procedures meant to safeguard customers’ sensitive or confidential information and records (the “safeguards” rule). The Regulation also requires proper disposal of consumer report information in a manner that protects against future unauthorized access (the “disposal” rule), and it requires those covered institutions to implement privacy policy notice and opt-out provisions to customers regarding the use of their sensitive data.

2024 Amendments

The Amendments update the requirements of Regulation S-P’s “safeguards” and “disposal” rules by requiring covered institutions to implement cybersecurity incident reporting programs and customer notification procedures, and including additional changes to address other risks that have arisen since the adoption of the regulation.

Incident Response Program Requirement

Covered institutions must now implement written incident response programs. These incident response programs must:

• Be reasonably designed to detect, respond to, and recover from unauthorized access to, and/or use of, customers’ nonpublic, confidential data;
• Include procedures to determine the nature and scope of any such incident, as well as procedures to take steps to contain and control such incidents in order to prevent further unauthorized access or use; and
• Include written policies and procedures requiring oversight, including via due diligence and monitoring, of service providers who provide any required notice on behalf of a covered institution.

While the Amendments set forth general program requirements, the SEC has not prescribed any specific requirements for covered institutions in implementing their programs. Covered institutions are responsible for developing and implementing the specific policies and procedures of their organizations’ cybersecurity incident response programs and have the flexibility to tailor them to the institution’s particular circumstances.

Customer Notification Policy Requirement

The Amendments also require covered institutions to notify affected, or potentially affected, customers whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Covered institutions must notify affected customers as soon as practicable, but no later than 30 days after the covered institutions become aware of either: (1) unauthorized access and/or use of sensitive customer information, or (2) that such unauthorized access was reasonably likely to have occurred. “Sensitive customer information” is defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

The notice must be clear and conspicuous and must include details about the incident, the data breached, and how affected customers can respond to the breach to protect themselves.

Effective and Compliance Dates

The Amendments are effective 60 days after publication in the Federal Register. Firms must come into compliance within either 18 months (for “larger entities”) or 24 months (for “smaller entities”) from the effective date.

Considerations and Next Steps

Covered institutions should review the Amendments against their existing cybersecurity policies and procedures, including all existing data breach response procedures. When updating policies, covered institutions should also ensure that any revisions comply with other applicable state and federal privacy laws and regulations.

Calfee’s Privacy and Data Security attorneys are here to help answer your questions about these Amendments and cybersecurity policies in general. Please contact a member of our team to discuss how best Calfee can assist you and your institution in determining the next steps.