SEC Amends Regulation S-P to Enhance Protection of Financial Institutions’ Customers


May 2024

Securities and Exchange Commission ("SEC”) Regulation S-P (“Reg S-P”) governs how certain financial institutions treat nonpublic personal information about consumers. On May 15, 2024, the SEC adopted amendments that will require broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents (collectively, “covered institutions") to develop, implement, and maintain written policies and procedures designed to detect, respond to, and recover from customer data breaches.

The amendments aim to broaden the information covered by Reg S-P and to modernize and enhance the protection of consumer financial information by requiring timely notification to individuals whose sensitive data was, or is reasonably likely to have been, accessed or used without authorization.

Incident Response Program

Covered institutions must now adopt an “incident response program” (the “Program”) as part of their written policies and procedures. The Program must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The Program’s procedures must assess the nature and scope of any such incident and take appropriate steps to contain and control such incidents to prevent further unauthorized access or use.

The Program must establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers.

Customer Notification Requirement

SEC Chair Gary Gensler said, “The basic idea for covered firms is if you've got a breach, then you've got to notify.” Covered institutions must notify customers whose sensitive information was, or is reasonably likely to have been, accessed or used without authorization. Notice must be provided no later than 30 days after the covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred (except if that information has not been, and is not reasonably likely to be, used in a manner that would result in the customer’s substantial harm or inconvenience). The notice must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves.

The Reg S-P amendments also expand and align the “safeguards rule” (SEC Rule 248.30(a), requiring brokers, dealers, investment companies, and registered investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards to protect customer records and information) and the “disposal rule” (SEC Rule 248.30(b), which requires proper disposal of consumer report information) to cover both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from another financial institution about customers of that financial institution (“financial institution” generally means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956).

Information related to a covered institution’s customers, as well as information about customers of other financial institutions that has been shared with the covered institution, is subject to the safeguards rule. This includes the requirements for an incident response program and customer notification. Covered institutions, other than funding portals, must document compliance with the requirements of the safeguards rule and disposal rule. The amendments also extend both the safeguards rule and the disposal rule to transfer agents registered with the SEC or another appropriate regulatory agency.

Larger entities will have 18 months after the date of publication in the Federal Register (not published as of May 21, 2024) to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.

For a copy of the final Reg S-P amendments or questions, please contact Lawrence Cohen (lcohen@grsm.com) or a member of the Securities Litigation practice group.

Loading...