SEC Adopts First Major Amendments to Regulation S-P Since 2000

Dechert LLP

Key Takeaways

  • Incident Response Plans and Written Information Security Programs Continue to be Essential and Will Need to Be Reviewed. Most sophisticated organizations currently have in place incident response plans. Those organizations that haven’t implemented a modern and practical incident response plan will need to get on that task right away. Organizations of all sizes will also need to review their information security programs to make sure that they appropriately apply to the “customer information” covered by the Final Rule and include written policies and meet recordkeeping requirements that address the Disposal Rule and all elements of the Safeguards Rule.
  • Service Provider Oversight Policies and Protocols Will Take Shape. The Final Rule’s requirement that Covered Institutions develop and enforce written policies and procedures to require oversight and monitoring of their service providers, and its delineation of what that oversight and monitoring should entail, will lead organizations to formalize their vendor management and monitoring protocols in writing if they have not done so already. While many organizations may have focused on existing “tier 1” vendors and used various ad hoc processes to document their review of those vendors, we anticipate organizations will move to a full-scope vendor diligence, onboarding and monitoring process that is documented and reviewed regularly.
  • Federal Breach Reporting Standard Will Add to, Not Replace, Existing Breach Reporting Obligations. The new federal reporting standard to which Covered Institutions will be subject will not replace their breach reporting requirements under state laws. The federal and various state standards also may not fully align, given the Final Rule’s presumption of a need to notify (which can be rebutted by a reasonable investigation as to whether the breach is likely to result in substantial harm or inconvenience) and its 30-day notification timeline. In practice, this means that rather than creating a streamlined reporting standard, the Final Rule requires Covered Institutions to analyze their reporting requirements under state laws as well as their requirements under federal law. In addition, the 30-day notification requirement will introduce yet another timeline into the mix for companies already dealing with a patchwork of state data breach notification laws.
  • The New Definition of “Customer Information” May Not Have Significant Impact. Because Reg S-P had not previously defined “customer records and information” in the Safeguards Rule, many Covered Institutions have, in practice, treated Reg S-P as covering “nonpublic personal information” as defined in Reg S-P. As a result, the new definition of “customer information” may not, alone, result in significant changes to the scope of Covered Institutions’ information security programs.
  • The Annual Privacy Notice Delivery Exception is Mainly a Technical Revision to Align with Current Applicable Law. Many Covered Institutions have been relying on the FAST Act amendments to the GLBA and, beginning in 2016, have forgone delivering an annual privacy notice to customers when they meet the applicable requirements (which is often the case). Covered Institutions are still likely to be pleased with the technical revisions to align Reg S-P with the GLBA but will want to give careful consideration to the requirements for restarting annual delivery in the event of changes to data sharing practices that would require a new notice.
  • Expansion of the Safeguards Rule to Transfer Agents is Significant. Advisers and funds will likely welcome transfer agents being subject to the same safeguard requirements, and to those requirements being enforceable by the SEC and not simply required as a result of private contractual obligations.

The Securities and Exchange Commission adopted amendments to Regulation S-P (hereinafter, “Reg S-P”) on May 16, 2024. As previously reported in a prior Dechert OnPoint, the SEC first announced its proposed amendments to Reg S-P just over a year ago (hereinafter, the “Proposed Rule”). Reg S-P, which was first enacted in 2000, requires broker-dealers, investment companies, investment advisers registered with the SEC, funding portals and transfer agents registered with the SEC (collectively, “Covered Institutions”) to have in place certain practices designed to protect consumer information.[1] The final amendments (hereinafter, the “Final Rule”) are effective as of August 2, 2024. Larger entities will have until December 3, 2025 to comply, and small entities will have until June 1, 2026 to comply.[2] The Final Rule largely tracks the Proposed Rule, and, in an effort to address growing concern surrounding data privacy and cybersecurity, imposes new requirements on Covered Institutions to protect against unauthorized disclosure and access to nonpublic customer information. These requirements include the following:

  • Incident Response Program. The Final Rule requires Covered Institutions to institute written policies and procedures that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”[3] These include procedures to assess the scope of any incident and to take appropriate action to prevent further unauthorized access or use.[4]
  • Notification Requirement. The Final Rule requires Covered Institutions to notify all individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice will not be required if the incident is not likely to result in substantial harm or inconvenience to the customer. If required, notice must be given no later than 30 days after the Covered Institution becomes aware that unauthorized access to or use of customer information has, or is reasonably likely to have, occurred. These new requirements effectively impose a national, federal minimum standard related to breach notification. Covered Institutions will continue to be required to consider relevant state law when assessing a data incident.
  • Service Providers. The Final Rule requires Covered Institutions to extend their policies and procedures to include the monitoring of service providers, but, in a change from the Proposed Rule, does not require Covered Institutions to include specific provisions regarding compliance with privacy and data security standards in their agreements with service providers.
  • Scope. The Final Rule aligns the information protected under the Safeguards Rule with information protected under the Disposal Rule by applying the protections of both rules to a newly coined term: “customer information.” The Final Rule likewise broadens the group of customers whose information will be protected under both the Disposal Rule and the Safeguards Rule.
  • Recordkeeping. The Final Rule requires that Covered Institutions make and maintain written records documenting compliance with the requirements of the Safeguards Rule and Disposal Rule.
  • Annual Privacy Notice Delivery Requirements. The Final Rule provides an exception to compliance with the annual privacy notice delivery requirements for Covered Institutions if certain criteria are met.

This Dechert OnPoint summarizes the main elements of the Final Rule, including how it compares to the Proposed Rule, and identifies key takeaways as Covered Institutions seek to navigate this revised regulatory scheme.

Requirements of the Final Rule

1. Incident Response Program Requirements for Covered Institutions

The Final Rule amends the Safeguards Rule to require that Covered Institutions adopt a written incident response program that contains policies and procedures “reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information”—referred to as an “incident” in the Final Rule.

Though the Final Rule does not prescribe specific steps to follow as part of its incident response program, at minimum, the Final Rule requires that the written policies and procedures: (i) assess the nature and scope of the incident; (ii) take measures to control and contain the incident and prevent further unauthorized access to customer information; and (iii) notify each individual whose information was subject to the incident. The Final Rule also notes that Covered Institutions should take steps to periodically review the policies and procedures attendant to their incident response plan to ensure that their plan continues to be reasonably designed to protect against future incidents.

The Final Rule also has specific requirements for the monitoring of service providers. It requires Covered Institutions to develop and enforce written policies and procedures to require oversight and monitoring of their service providers. This includes ensuring that the requisite notice of an incident is provided to consumers, whether the Covered Institution provides such notice itself or makes sure that it is given by its service providers. Service providers are also required to provide notice to Covered Institutions within 72 hours of the service provider becoming aware of an incident.

Changes from the Proposed Rule

The primary modifications to the contours of the incident response program requirement relate to the provisions regarding service providers. The SEC received significant commentary criticizing this proposed requirement, including from Amazon Web Services, Microsoft Corporation and other cloud computing service providers, as unworkable in practice. Specifically, while the Proposed Rule would have required Covered Institutions to include certain specified provisions in written contracts with their service providers, the Final Rule disposed of that requirement. Instead, the Final Rule requires Covered Institutions to enforce written policies governing the monitoring and oversight of their service providers. These written policies incorporate the provisions that the Proposed Rule sought to require in written contracts between Covered Institutions and their service providers, including a requirement that the Covered Institution’s policies and procedures be reasonably designed to ensure that service providers: (i) take appropriate measures to protect against unauthorized access to or use of customer information; and (ii) notify Covered Institutions of any incidents.

The Final Rule also (i) clarifies that regardless of whether a Covered Institution uses a service provider to process customer information, the obligation to comply with the Final Rule rests with the Covered Institution, and (ii) narrows the definition of service provider to mean “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.”[5]

2. Data Breach Notification

The Final Rule creates a federal data breach reporting standard for Covered Institutions. It requires Covered Institutions to provide clear and conspicuous notice to affected individuals under specific circumstances: specifically, to notify each individual whose sensitive customer information was, or was reasonably likely to have been, accessed or used without authorization. Notably, the Final Rule creates a presumption that a Covered Institution must notify affected individuals unless the Covered Institution has determined, after a reasonable investigation, that the unauthorized access to or use of the information is not likely to result in substantial harm or inconvenience.

Notices to affected individuals must be clear and conspicuous and provided through a means designed to ensure that an affected individual receives actual written notice of the incident. With respect to timing, notice must be provided as soon as practicable, but no later than 30 days after the Covered Institution becomes aware that unauthorized access to or use of customer information has, or is reasonably likely to have, occurred.

Changes from the Proposed Rule

The majority of the modifications between the Proposed and Final Rule related to the new notice requirements. For example, the Final Rule eliminated the definition of the term “substantial harm or inconvenience” for purposes of determining whether a Covered Institution is required to provide notice of an incident to an individual. According to the SEC, because a determination of whether an incident can result in “substantial harm or inconvenience” to a customer “would depend on the particular facts and circumstances surrounding an incident,” it would be challenging to implement such a standard.[6]

The Final Rule also permits a Covered Institution to delay notification of an incident if the Attorney General notifies the SEC that the notice required under the Final Rule poses a substantial threat to national security or public safety. The Department of Justice would inform the Covered Institution of any communication of this nature being made to the SEC. This addition is consistent with other SEC breach reporting requirements that apply to public companies.

Finally, while the Proposed Rule would have required that Covered Institutions inform individuals regarding what the Covered Institution has done to protect against further unauthorized access to or use of sensitive customer information, the Final Rule does not include such a requirement.

Comparison with State Law Requirements

The Final Rule takes inspiration from many state law notification requirements; however, its definition of “sensitive customer information” covers a broader range of information than many state laws. For instance, “sensitive customer information” includes identifying information, such as a name, in combination with minimal authenticating information, such as a partial Social Security number or mother’s maiden name. Many state data breach laws define the concept of personal information more narrowly. Moreover, unlike many state laws, the Final Rule does not include a broad exception for encrypted information. Rather, the Final Rule merely allows Covered Institutions to consider encryption as one of many factors in determining whether the compromise of customer information could create a reasonably likely risk of harm or inconvenience. The existence of a risk of harm analysis does mean, however, that the Final Rule is more flexible than some state statutes that include no such provision. But unlike many states that do not require notification unless an investigation reveals a risk of harm or misuse, the Final Rule presumes notifications are required unless a reasonable investigation reveals that impacted information is not likely to result in substantial harm or inconvenience.

3. Expanded Scope of Safeguards Rule and Disposal Rule

The Final Rule seeks to more closely align the scope of two existing components of Reg S-P, the Safeguards Rule and the Disposal Rule. Specifically, the Final Rule:

  • Adopts a new definition of “customer information” that applies to both the Safeguards Rule and Disposal Rule.
  • Provides that “customer information” protected under both rules includes information that is in the possession of a Covered Institution as well as information that is handled or maintained on its behalf.
  • In a notable expansion of the current requirements of Reg S-P, expands the concept of customer information to include information received directly from individuals with whom the Covered Institution has a relationship, as well as the information of customers of other financial institutions that has been provided to the Covered Institution.

4. New Definition of Customer Information

The Final Rule includes a definition of “customer information,” a term that was previously not defined under Reg S-P. For Covered Institutions other than transfer agents,[7] “customer information” means “any record containing nonpublic personal information as defined in section 248.3(t) about a customer of a financial institution, whether in paper, electronic, or other form.”[8]

Changes from the Proposed Rule

Because the Final Rule applies the Safeguards and Disposal Rules to Covered Institutions regardless of their relationship with an affected individual, the Final Rule seeks to eliminate duplicative notice requirements. Specifically, the SEC modified the Final Rule to require a Covered Institution to notify a customer of an incident only if the incident occurred at the Covered Institution or at one of its service providers—and only if that service provider is not itself a Covered Institution. The modified Final Rule also permits Covered Institutions to coordinate amongst each other to determine who will send the notice to the affected customer, without requiring all Covered Institutions to provide the requisite notice.

5. Disposal Rule: Written Policies and Procedures

The Final Rule modifies the Disposal Rule to require the adoption of written policies and procedures related to the proper disposal of customer information and consumer report information.

6. New Recordkeeping Requirements

The Final Rule requires Covered Institutions to create and maintain written records that document the Covered Institution’s compliance with the Safeguards Rule and the Disposal Rule.

7. Changes to the Annual Privacy Notice Delivery Requirement

The Final Rule provides an exception to the annual privacy notice required by Reg S-P. This change aligns Reg S-P with amendments to the Gramm-Leach-Bliley Act (“GLBA”) made by the Fixing America's Surface Transportation Act (“FAST Act”) adopted by Congress in 2015. Specifically, a Covered Institution need not provide an annual privacy notice if: (i) the Covered Institution only provides non-public personal information to non-affiliated third parties when an exception to the third-party opt-out applies; and (ii) the Covered Institution has not changed its policies and practices with respect to disclosing non-public personal information since its most recent disclosure sent to customers. As a general matter, the Final Rule also provides that a Covered Institution must resume providing annual privacy notices within 100 days of any change in its pertinent policies and practices.[9]

8. Applicability to Transfer Agents

The Final Rule, like the Proposed Rule, extends the Safeguards Rule and Disposal Rule to apply to any transfer agent that is registered with the SEC or another appropriate regulatory agency. The SEC’s stated reason for this change is that transfer agents have access to and maintain sensitive information for securityholders.

Footnotes

  1. Reg S-P has required Covered Institutions to: (i) deliver initial and annual privacy notices to individual consumers and customers; (ii) adopt written policies and procedures to (a) ensure the security and confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of such records; and (c) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer (the “Safeguards Rule”). Reg S-P also requires Covered Institutions to properly dispose of “consumer report information,” defined by reference to the Fair Credit Reporting Act and meaning “any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report” (the “Disposal Rule”).
  2. An entity is a “larger entity” if it meets the following criteria: (i) for investment companies together with other investment companies in the same group of related investment companies: net assets of $1 billion or more as of the end of the most recent fiscal year; (ii) for registered investment advisers: $1.5 billion or more in assets under management; (iii) for broker-dealers: all broker-dealers that are not small entities are larger entities, and a broker or dealer is a small entity if it: (a) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year; and (b) is not affiliated with any person that is not a small entity under the Securities Exchange Act of 1934 for purposes of the Regulatory Flexibility Act; for transfer agents: all transfer agents that are not small entities under the Exchange Act for purposes of the Regulatory Flexibility Act are larger entities and a transfer agent is a small entity if it: (a) received less than 500 items for transfer and less than 500 items for processing during the preceding six months; (b) transferred items only of issuers that are small entities; (c) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts or was the named transfer agent for less than 1,000 shareholder accounts at all times during the preceding fiscal year; and (d) is not affiliated with any person that is not a small entity.
  3. Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Release Nos. 34-100155; IA-6604; IC-35193 (May 16, 2024), at 13.
  4. Id.
  5. Id. at 345.
  6. Id. at 48-49.
  7. When applied to Covered Institutions that are transfer agents, “customer information” means “information of any natural person who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent.” The Final Rule also provides that the Safeguards Rule would apply to all “customer information” and the Disposal Rule would apply to both “consumer information” as well as “customer information.”
  8. Id. at 94.
  9. There are also certain instances in which revised privacy notices are required to be sent immediately. For example, “if the change in policies and practices will also result in the institution being required to send a revised privacy notice under the current requirements, the revised notice will be treated as an initial notice for the purpose of the timing requirement and the institution will be required to resume notices at the same time it otherwise provides annual privacy notices.” Id. at 127-128.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
