Covered institutions will need to review their cybersecurity and incident response policies and procedures ahead of the applicable compliance deadline.
The Securities and Exchange Commission (SEC) recently adopted amendments to Regulation S-P that expand the scope of requirements applicable to brokers, dealers, investment companies, SEC-registered investment advisers, and foreign (non-resident) SEC-registered brokers, dealers, investment companies, and investment advisers (together, Covered Institutions) in order to:
- bolster the protection of nonpublic personal information;
- help ensure that customers receive timely notification in the event of a security incident (this will likely result in many more notifications than required under existing US state data breach notification laws); and
- modernize the requirements of Regulation S-P (the Amendments).
The Amendments also expand the scope of Regulation S-P to extend a number of requirements to transfer agents.
Compliance with the new rules will require:
- enhanced programs, policies, and procedures for protecting against and swiftly responding to cyber incidents;
- customer notification requirements;
- proactively supervising vendors and service providers; and
- properly disposing of customer and consumer information.
Latham’s Client Alert analyses the new rules and compliance dates in detail, and provides practical guidance to Covered Institutions for implementation.