The SEC has announced adoption of amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information. The goal is to protect individuals from harm when their personal information is involded in security incidents.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.” – SEC Chair Gary Gensler
The amendments require SEC-registered RIAs develop incident response programs that include customer notification as part of their written policies and procedures. In addition, firms must establish, maintain, and enforce policies and procedures that are “reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information.” The policies and procedure must cover:
- Assessment of the nature and scope of any security incident involving access to or use of customer information systems
- Appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information
- Notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization
- Oversight through due diligence and ongoing monitoring of service providers
A covered institution is not required to provide the notification if it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
The amendments become effective 60 days after publication in the Federal Register. (June 3, 2024)
- For SEC-registered firms with over $1.5 billion AUM, the deadline for compliance is 18 months after publication (December 3, 2025)
- For SEC-registered firms with less than $1.5 billion AUM, the deadline for compliance is 24 months after publication (June 3, 2026)
