"Protecting Customer Information"
On May 16, the Securities and Exchange Commission (“SEC”) announced the adoption of amendments to Regulation S-P, aimed at modernizing and enhancing the rules governing the treatment of consumers’ nonpublic personal information by certain financial institutions. These amendments respond to the ever-shifting landscape of cybersecurity risk and the vastly expanded use of technology in the industry since the rule’s adoption in 2000.
As a refresher, the “certain financial institutions” described above are the “Covered Institutions”: broker-dealers, funding portals, investment companies, registered investment advisers, and transfer agents. The gist is: if you are a “Covered Institution” and you have a security breach, then you must notify. What does that mean?
1. Incident Response Program: Covered Institutions are now required to develop, implement, and maintain written policies and procedures for an incident response program. This program should be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer/client/investor information.
2. Notice Requirements: Covered Institutions must provide notice to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without the customer’s authorization. This notice must be provided as soon as practicable, but not later than 30 days after becoming aware of the incident. It should include details about the incident, the data accessed or used, and guidance for affected individuals to protect themselves.
These amendments will be effective 60 days after publication in the Federal Register. Larger entities will have 18 months, and smaller entities 24 months, from the date of publication to comply.
The adoption of these amendments is another example, similar to the adoption of the New Marketing Rule, of the SEC’s commitment to modernizing its rules and regulations in an ever-evolving technological and cybersecurity landscape.