Regulation S-P changes to address evolving customer data risks

The SEC has adopted significant amendments to its Regulation S-P, enhancing protections for consumer financial information. The amendments aim to ensure that firms have robust safeguards for customer information in place and that they respond effectively to increasingly frequent and sophisticated cyberattacks. While the new rules go into effect 18-24 months after publication in the Federal Register, depending on the size of the firm, there’s plenty of prep work ahead.

Incident response program

The amended rule mandates that covered institutions – including broker-dealers, investment companies, registered investment advisers and transfer agents – develop, implement and maintain written policies and procedures for an incident response program. This program has to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The program must also include procedures to assess the nature and scope of the incident, and take appropriate steps to contain and control it, while preventing further unauthorized access.

Customer notification requirement

Under the new rules, covered institutions are required to notify individuals whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization. This notice must be clear and conspicuous, and provided in a manner that is likely to reach the individuals. It must also include details about the incident, the type of information accessed, and the steps those affected can take to protect themselves. The notice must be given as soon as practicable, but no later than 30 days after becoming aware of the incident.

Service provider oversight

The changes require covered institutions to adopt written policies and procedures designed to make sure service providers take appropriate measures to protect against unauthorized access to or use of customer information. Service providers must also notify the covered institution as soon as possible, but no later than 72 hours after becoming aware of a breach.

Expansion of covered information

The scope of information protected under Regulation S-P has been broadened. The new rule replaces the term “customer records and information” with “customer information”. This is defined as any record containing non-public personal information about a customer of a financial institution, whether in paper, electronic or other form.

Recordkeeping requirements

The amendments impose new recordkeeping requirements on covered institutions, including maintaining written records documenting compliance with the new rules. The records must demonstrate that the required policies and procedures for protecting customer information are being followed.

Annual privacy notice changes

The amendments align the Regulation S-P annual privacy notice provisions with the statutory exception added by the FAST Act. If you’re covered, you aren’t required to deliver an annual privacy notice if you meet certain conditions: for example, you do not share non-public personal information with non-affiliated third parties except under specific circumstances, and there has been no change in your privacy policies since the last notice.

The SEC views these changes as a necessary update to a dated regulation to make sure financial customers’ data is protected. The enhanced requirements for response programs and customer notification mean that affected individuals are promptly informed and can take measures to protect themselves against potential harms.

These rules will go into effect 18 months after their publication in the Federal Register for larger entities, while smaller entities will have 24 months to comply. This is a good opportunity to start evaluating policies and procedures around data security to address any gaps and meet the new regulatory expectations. The additional changes around service providers mean the SEC will hold you accountable for protecting your customer data even when you use a third party.

We can help

Our team of SEC regulatory experts can help you understand the implications of these changes and adapt your compliance systems accordingly.

We help our clients navigate the nuances of regulatory compliance and answer difficult questions by drafting new policies, providing bespoke training and regularly conducting SEC mock examinations to help firms prepare for the real thing.