Going Up: SEC Cyber Incident Reporting - Regulation S-P Amendments Take It to Next Level

Carlton Fields
On May 16, 2024, the SEC breathed new life into its decades-old Regulation S-P, which requires firms to adopt policies and procedures for the protection of customer information and records. The amended rule balloons the entities and data subject to Regulation S-P and creates new obligations for covered institutions such as broker-dealers, investment companies, registered investment advisers, and transfer agents. Larger entities must comply with the amended rule by December 3, 2025, while smaller entities will have until June 3, 2026. To rise to the revised requirements, covered institutions must:

  • Adopt a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. This program must include policies and procedures to:
    • Assess the nature and scope of any incident involving unauthorized access to or use of customer information;
    • Take appropriate steps to contain and control the incident; and
    • Notify individuals if their information was, or is reasonably likely to have been, accessed or used without authorization, unless the information involved is not reasonably likely to be used in a manner that could cause substantial harm or inconvenience. This must be done “as soon as practicable,” but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

Covered institutions may delay notification beyond 30 days only if the U.S. attorney general informs the SEC in writing that the required notice would pose a substantial risk to national security or public safety.

  • Establish, maintain, and enforce written policies and procedures reasonably designed to ensure oversight of service providers, including to ensure that affected individuals receive any required notices. This includes ensuring service providers take reasonable measures to protect against unauthorized access to or use of customer information and provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred.
  • Comply with newly inflated safeguards and disposal rules for nonpublic personal information received from customers (including customers of other financial institutions) and document compliance with the same. The required retention period for these records varies by entity type, so covered institutions should review and potentially revise their record-keeping practices, including their document retention and deletion policies and examination preparations.

The revised Regulation S-P does, however, come with some favorable tailwinds: it codifies the FAST Act exception to Regulation S-P’s annual reporting requirements, meaning that the revised regulation does not require covered institutions to mail an annual privacy notice if the institution’s data practices do not trigger opt-out rights and its policies and practices have not changed from its most recent disclosure to customers.

Some practical, potentially unintended, consequences of these revisions include:

  • The 72-hour notice requirement for service providers to notify covered institutions of a breach may actually be longer than what institutions’ contracts with customers currently provide. In our experience, many parties have typically settled upon 48 hours (rather than 72 hours) for such notifications.
  • Rising disclosures and requirements surrounding cyber incidents necessarily increase litigation risk, giving plaintiffs further fodder for feeding frenzies after any incident.

Reading the winds, the revision’s use of a 72-hour notification requirement may also signal that the SEC has reconsidered the 48-hour notification period included in its proposed rules relating to cybersecurity risk management for investment advisers, registered investment companies, and business development companies, which had drawn significant blowback from the industry.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Carlton Fields
