FINRA to Member Firms: “You Heard the SEC, Create Plans for Data Breaches Now!”

Faegre Drinker Biddle & Reath LLP

On May 15, 2024, the SEC announced it would make amendments to Regulation S-P (Reg S-P). This will be the first amendment to the regulation since its adoption 24 years ago in 2000. The regulation focuses on how institutions handle customers’ private personal information. The amendment comes in response to the ever-evolving technologies that expose individuals’ sensitive data to potential security breaches. SEC Chair Gary Gensler stated, “Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially” and that “amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”

The new amendments to Reg S-P require firms to (1) have an incident response program, including written policies and procedures, (2) provide notice to customers in the event of a breach no later than 30 days after its discovery, and (3) provide oversight through due diligence and monitoring of service providers, though firms ultimately retain the burden of ensuring that notice of any breach is provided to affected customers per Reg S-P’s requirements.

On June 6, 2024, FINRA’s Cybersecurity Advisory sent out a reminder to its member firms that the new amendments apply to all of FINRA’s “covered institutions” (broker-dealers, investment companies, registered investment advisers and transfer agents) and urged them to “review the amendments to ensure their cybersecurity programs are modified, as needed to come into compliance by the applicable compliance date for their firms.” The amendment was recently published in the Federal Register on June 3, 2024, and those amendments become effective 60 days afterward. Larger entities [1] have 18 months and smaller entities 24 months from the June 3, 2024, date to become compliant with the new amendments.

The amendments arrive at a crucial moment in the financial services industry. Recently, there have been several high-profile data breaches, affecting tens of thousands of customers. FINRA has also been focused on cybersecurity, making it a priority for the last several years and pursuing enforcement actions.

With the rapid pace of technology advances and reliance on tech for customer interface comes the need to secure personal data from cybersecurity attacks. The amendments to Reg S-P recognize the possibility of such breaches and require Member Firms to plan for rapid responses and disclosures to customers in the event such breaches occur.


[1] The SEC defines larger entities as investment companies with net assets of more than $1 billion; registered investment advisors with $1.5 billion assets under management; and broker-dealers and transfer agents that are not considered “small entities” under the Securities and Exchange Act for purposes of the Regulatory Flexibility Act.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Faegre Drinker Biddle & Reath LLP
