Pushing Reg S-P: SEC Adopts Amendments to Modernize and Enhance Regulation S-P

Kilpatrick

On May 16, 2024, the Securities and Exchange Commission (“SEC”) approved amendments to Regulation S-P to address unauthorized access to or use of “customer information” (a new defined term). Regulation S-P governs how registered investment advisers, investment companies, broker-dealers, and transfer agents (collectively, “covered institutions”) treat their customers’ nonpublic personal information (the “Rule”).[1] Notably, the amended Rule expands the scope of the Rule by focusing on covered institutions’ cybersecurity policies and procedures and requires notification to individuals affected by disclosure of sensitive customer information. The amended Rule aims to modernize and enhance the protection of nonpublic personal information by:

  • Requiring covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information;
  • Requiring covered institutions, as part of their incident response program, to establish, maintain and enforce written policies and procedures reasonably designed to require oversight of service providers;
  • Requiring that covered institutions’ incident response program include procedures to provide timely notification (as soon as practicable, but not later than 30 days) to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization;
  • Requiring that covered institutions ensure that their service providers provide notification as soon as possible, but no later than 72 hours after becoming aware that a covered breach has occurred;
  • Expanding the Rule’s scope to incorporate a newly defined term, “customer information,” which includes nonpublic personal information that covered institutions collect about their own customers and nonpublic personal information that covered institutions receive from another financial institution about customers of that financial institution;
  • Requiring transfer agents to comply with both the safeguarding and disposal provisions of the Rule; and
  • Conforming the Rule’s annual privacy notice delivery provisions to the terms of an exception added by the FAST Act, which provide that covered institutions are not required to deliver an annual privacy notice if certain conditions are met.[2]

After the date of publication in the Federal Register, larger covered institutions will have 18 months, and smaller covered institutions will have 24 months, to comply with the amended Rule.[3]

Footnotes


[1] SEC Press Release, SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information, May 16, 2024, available at https://www.sec.gov/news/press-release/2024-58.

[2] SEC Fact Sheet, Final Rules: Enhancements to Regulation S-P, May 15, 2024, available at https://www.sec.gov/files/34-100155-fact-sheet.pdf (“SEC Fact Sheet”).

[3] Larger investment companies are investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $1 billion or more. Larger registered investment advisers are registered investment advisers with $1.5 billion or more in assets under management. Larger broker-dealers and transfer agents are broker-dealers and transfer agents that are not small entities for the purposes of the Regulatory Flexibility Act of 1980. SEC Fact Sheet, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, SEC Rel. Nos. 34-100155; IA-6604; IC-35193, available at https://www.sec.gov/files/rules/final/2024/34-100155.pdf.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick | Attorney Advertising

Written by:

Kilpatrick