On May 15, 2024, the Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P which will, “modernize and enhance rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions.” These financial institutions include broker-dealers, investment companies, registered investment advisors, and transfer agents (“financial institutions”). The modernization focuses on the use of technology and the associated risks, providing clearer rules for notifying investors in the event of breaches. These amendments first proposed in March 2023 underwent public comment prior to adoption. Not all proposed rules were included in the final version. Most significantly, the proposal imposing prescriptive requirements for written agreements with service providers concerning data security and incident notification was excluded.
Regulation S-P, originally adopted in 2000, required financial institutions to implement safeguard rules governing the security of customer information. Over the past twenty-four years, substantial technological developments have increased the risk of harm to individuals’ personal information based on how institutions obtain, share, and maintain the information. The new amendments expand these safeguard rules to cover both nonpublic personal information collected by a covered institution about its own customers and nonpublic personal information received from another financial institution about its customers. This previously had not been the case.
These financial institutions will be required for both the safeguard and disposal rules to “develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” The procedures must assess the nature and scope of any incident and take steps necessary to contain and control incidents to prevent further unauthorized access to the information.
These amendments also require procedures for notifying individuals whose sensitive information has been, or is reasonably likely to have been, accessed or used without authorization. These notifications should be given as soon as practicable, but not later than thirty days after learning of any such incident. The notification must include details about the overall incident, what information was breached, and how investors can respond and protect themselves. If the covered institution determines that the sensitive information has not been or is not reasonably likely to be used in a manner that would lead to substantial harm or inconvenience, a notice is not required to be sent.
The amendments also require delivery of annual notices, unless an exception applies, and expand the application of the safeguard and disposal rules to transfer agents registered with the SEC or other appropriate regulatory agencies.
These policies must be implemented within 18 months for larger entities and within 24 months for smaller entities after the date of publication in the Federal Register to comply. Larger entities are defined as investment companies within the same group of related investment companies having net assets of $1 billion or more as of the end of the most recent fiscal year. Registered investment advisors must have $1.5 billion or more in assets under management to qualify as a larger entity. Entities not meeting this threshold are considered smaller entities. The definition of smaller entities also includes any broker-dealer or transfer agent classified as a small entity under the Securities Exchange Act for the Regulatory Flexibility Act.
These enhancements are designed to address the increase in risks associated with safeguarding customer information and focuses on informing customers of any breaches that could effect them allowing them to respond appropriately to protect themselves. The SEC Chair Gary Gensler stated, “Investors would benefit from a financial privacy rule more modern than the AOL era. Though the current rule requires covered firms to notify customers about how they use their nonpublic personal information, these firms have no requirement to notify customers about breaches. I think we should close this gap.” With these amendments, this gap will be closed as customers will receive appropriate notifications. Businesses should continue to review and update their policies to ensure they are compliant with these new requirements and all other requirements.
For additional information on this topic:
Amendment to Regulation S-P - Fact Sheet
SEC.gov | SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information