On May 16, 2024, the Securities and Exchange Commission (“SEC”) announced the adoption of amendments to Regulation S-P (“Reg S-P”) that are designed to modernize and enhance the rules governing the treatment and protection of consumers’ nonpublic personal information by certain financial institutions. The amendments apply to broker-dealers (including funding portals), investment companies, SEC registered investment advisers, and transfer agents (collectively, “Covered Entities”) and are intended to address the expanded use of technology and collection of digitized data, and the corresponding risks that have emerged since Reg S-P was adopted in 2000.

Reg S-P, as initially adopted, broadly requires covered entities to adopt and implement written policies and procedures reasonably designed to safeguard customer records and information (the “safeguards rule”) and to properly dispose of consumer information in a manner that protects against unauthorized access to or use of such information (the “disposal rule”). Reg S-P also implemented privacy policy notice and opt out provisions.

The SEC noted in its materials adopting the amendments that, in the 24 years since Reg S-P’s adoption, technological developments in how covered entities use individuals’ personal information, and the dramatic increase in the volume of that information, have resulted in increased risk of harm to individuals due to misuse of that information. Among other things, these amendments establish a Federal minimum standard for covered entities to provide data breach notifications to affected individuals, discussed in more detail below. SEC Chair Gary Gensler noted that, “[t]hese amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”

The amendments require covered entities to develop, implement, and maintain written policies and procedures for an Incident Response Program (the “Program”) that are reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The Program must include procedures to assess the nature and scope of any such incident and to take appropriate steps to contain and control such incidents to prevent further unauthorized access or use. The Program must also include procedures reasonably designed to provide oversight, including through due diligence and monitoring, over how service providers (defined as any third party that “receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to [Covered Entity]”) handle and protect data.

The amendments require covered entities to provide notice to customers as soon as practicable (subject to national security, public safety and other exceptions), but not later than 30 days, after becoming aware that an incident involving unauthorized access to or use of their sensitive customer information (defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information”) has occurred or is reasonably likely to have occurred. The notice must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves (i.e., reviewing account statements for suspicious activity, instituting fraud alerts and credit monitoring, etc.) A Covered Entity is not required to provide the notification if it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience, although that conclusion may be difficult to reach.

The amendments also:

• Expand and align the safeguards and disposal rules to cover both nonpublic personal information that a covered entity collects about its own customers and nonpublic personal information it receives from another financial institution about customers of such financial institution, and;

• Require covered institutions to create and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule.

The amendments will become effective 60 days after their publication in the Federal Register. Larger entities[1] will have 18 months after the date of publication to comply with the amendments, and smaller entities will have 24 months after the date of publication to comply.

Many of the new requirements contained in these amendments are best practices and Covered Entities may determine that their existing policies and procedures address the requirements, but entities should take this as a reminder to undertake a review of their cyber-security policies, procedures, systems and controls to ensure that they are reasonably designed to protect customer data and have reasonable response and notification procedures.

[1] Large entities are defined as (i) investment companies with net assets of $1 billion or more; (ii) registered investment advisers with $1.5 billion or more in assets under manager; (iii) all broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act and (iv) all transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act .