By Robert R. Boeche, Partner; Robert D. Conca, Partner; and Melissa Donaldson, Law Clerk of Shustak Reynolds & Partners, P.C. posted on Tuesday, July 9, 2024.
On May 16, 2024, the Securities and Exchange Commission (“SEC”) adopted significant amendments to Regulation S-P (“Reg S-P”).[1] Among other changes, these amendments require covered institutions to create written policies and procedures for incident response programs addressing unauthorized access to or use of customer data.[2]
Reg S-P is a set of privacy rules governing the handling of consumers’ nonpublic personal information by covered financial institutions.[3] Covered institutions include broker-dealers, investment companies, SEC-registered investment advisers, funding portals, and SEC-registered transfer agents.[4]
Reg S-P, originally adopted in 2000, set foundational standards for how financial institutions safeguard customer information.[5] The data security landscape has changed drastically over the past two decades: the same technological advances that make data easier to manage also make unauthorized access to personal information easier, increasing the risk of data breaches and identity theft. With financial institutions managing ever larger volumes of digital information and facing increasingly sophisticated cyber-criminal activity, robust data protection mechanisms are essential.[6] With these amendments, the SEC aims to modernize and enhance the protection of consumer financial information in light of today’s cybersecurity challenges.
Financial institutions must now develop a written incident response program.[7] The program must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Key components include:
Financial institutions must now notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.[8] Notice must be sent as soon as practicable, but no later than 30 days after the institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notice must include:
Notification is not required if the institution determines, after a reasonable investigation, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience to the affected individuals.[9]
Within their incident response program, covered institutions must include oversight policies addressing due diligence and monitoring of service providers. A “service provider” means “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.”[10] These oversight policies must be reasonably designed to ensure that service providers also protect against unauthorized access to or use of customer information and that they notify the covered institution as soon as possible, and no later than 72 hours after becoming aware of a breach in security resulting in unauthorized access to a customer information system maintained by the service provider.[11]
Covered institutions may enter into contracts with service providers to allow the service provider to notify affected individuals on the institution’s behalf, but the covered institution is ultimately responsible for ensuring those individuals are notified.[12]
The amendments set a federal minimum standard for data breach response and notification by covered institutions, providing a consistent baseline regardless of where affected individuals reside. Before the amendments, breach notice requirements for these institutions came only from state law, which varies from state to state and produced geographic inconsistencies in how data breaches were handled and consumer data protected.
Reg S-P includes a “safeguards rule” requiring written policies to protect customer information and a “disposal rule” for proper disposal of consumer report information. Previously, these two rules applied to different sets of information. Under the amendments, both rules now apply to “customer information,” which is broadly defined to include all nonpublic personal information the institution has or can access, in any form, whether about its own customers or those of other financial institutions.[13]
Institutions must now create written records documenting compliance with Reg S-P and keep those records in accordance with the existing retention requirements for their entity type.[14] Required records include the written incident response program policies and procedures, documentation of any detected unauthorized access to or use of customer information and the institution’s response, customer notification determinations (including the basis for any decision that notice was not required), any written communication from the U.S. Attorney General regarding a delay in notice, and any service provider oversight contracts.[15]
Reg S-P introduced privacy policy notice and opt-out requirements for registered investment advisers, broker-dealers, and investment companies, mandating annual privacy notices to customers.[16] The new amendments add an exception to the annual notice requirement, conforming Reg S-P to the 2015 Fixing America’s Surface Transportation Act.[17] An institution may now forgo the annual privacy notice if it shares nonpublic personal information with non-affiliated third parties only under specific exceptions that do not require a customer opt-out, and its policies and practices on the disclosure of nonpublic personal information have not changed since its last notice to customers.
Larger entities have 18 months from the date of publication of the adopting release in the Federal Register to comply with these amendments, while smaller entities have 24 months.[18] Financial institutions should begin updating their policies and procedures promptly to ensure full compliance by their deadline.
Understanding how these amendments affect your business and how you can comply is crucial for reducing risks and adapting to the ever-changing cybersecurity landscape.
Our firm regularly advises financial institutions on SEC regulations, including understanding and complying with new and amended rules. It is crucial to be well-informed about the evolving legal implications of mandated regulatory policies. If you have a situation you would like to discuss, contact Shustak Reynolds & Partners, P.C. for a confidential consultation. We can help you navigate these amendments and take necessary steps to protect your business interests and your customers’ financial data.
Shustak Reynolds & Partners, P.C. focuses its practice on securities and financial services law and complex business disputes.
We represent many investment advisors, financial professionals, broker-dealers, registered representatives, investors and businesses.
Attorney Robert R. Boeche can be reached in the firm’s San Diego office at (619) 696-9500.
[1] See https://www.sec.gov/files/rules/final/2024/34-100155.pdf.
[2] See https://www.sec.gov/news/press-release/2024-58.
[3] See 17 C.F.R. § 248.1.
[4] Note that, under Regulation Crowdfunding (“Reg CF”), funding portals must also comply with Reg S-P as it applies to brokers. See 17 C.F.R. § 227.403(b).
[5] See Privacy of Consumer Financial Information (Regulation S-P), Exchange Act Release No. 42974 (June 22, 2000); 17 C.F.R. § 248.
[6] See https://www.shufirm.com/confidentiality-is-a-top-priority-and-you-should-make-it-yours,-too.
[7] See Final Rule, 17 C.F.R. § 248.30(a)(3).
[8] See id. § 248.30(a)(4).
[9] See id. § 248.30(a)(4)(i).
[10] See id. § 248.30(d)(10).
[11] See id. § 248.30(a)(5)(i).
[12] See id. § 248.30(a)(5)(iii).
[13] See id. § 248.30(d)(5)(i).
[14] See Final Rule, 17 C.F.R. § 270.31a–1(b)(13), § 270.31a–2(a)(8), § 275.204–2(a)(25).
[15] Note that funding portals must follow Reg S-P as it applies to brokers but are not subject to the recordkeeping obligations. See 17 C.F.R. § 240.17a-4. Instead, under Rule 404 of Reg CF, funding portals must keep records showing Reg S-P compliance.
[16] See https://www.shufirm.com/sec-issues-risk-alert-for-broker-dealers-and-investment-advisors-related-to-client-privacy-issues.
[17] See Final Rule, 17 C.F.R. § 248.5(e)(1)(i)-(ii).
[18] See https://www.sec.gov/files/34-100155-fact-sheet.pdf.