The Securities and Exchange Commission announced on May 16, 2024, the adoption of amendments to Regulation S-P to modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions.
Key Takeaways
- The SEC has adopted amendments to Regulation S-P to enhance data privacy rules, updating the requirements for broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.
- These updates address the increased use of technology and associated risks since the original rules were adopted in 2000.
Incident Response Program Requirements
- Covered institutions must develop, implement, and maintain written policies and procedures for an incident response program.
- The program must be reasonably designed to:
- Detect unauthorized access or use of customer information.
- Respond to such incidents.
- Recover from such incidents.
Breach Notification Requirements
- With limited exceptions, covered institutions must notify individuals whose sensitive customer information was or is likely to have been accessed or used without authorization.
- Notification must be provided:
- As soon as practicable.
- No later than 30 days after becoming aware of the incident.
- The notice must include details about the incident, breached data, and how affected individuals can protect themselves.
Compliance Timelines
- Amendments become effective 60 days after publication in the Federal Register.
- Larger entities have 18 months to comply.
- Smaller entities have 24 months to comply.
SEC Chair’s Statement
“These amendments will help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.” – Gary Gensler, SEC Chair
If you need additional cybersecurity support for your fund, the Richey May Cyber team is ready to help. Reach out to Steve Vlasak for more information.
