July 17, 2024

New SEC Amendments to Regulation S-P

On May 16, 2024, the U.S. Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P (“Reg S-P”) to update and strengthen the guidelines overseeing the handling of consumers' nonpublic personal information by certain financial institutions.

Currently, Reg S-P requires broker-dealers, investment companies, and registered investment advisers (referred to as “Covered Institutions”) to establish and maintain written policies and procedures to protect customer records and information (the “Safeguards Rule”) and to ensure the appropriate disposal of consumer report information (the “Disposal Rule”). The amendments to Reg S-P (the “Amended Rule”) add new requirements including: (1) the adoption of incident response programs, (2) providing customer notifications within 30 days of a data breach, (3) conducting service provider oversight, (4) expanding the scope of the Safeguards Rule and Disposal Rule, (5) implementing new recordkeeping requirements, and (6) providing an exception to the annual privacy notice requirement.

Covered Institutions will need to review their privacy policies and procedures to conform to the Amended Rule by the compliance dates discussed below. In many ways, the Amended Rule aligns Reg S-P with the privacy standards promulgated by federal banking regulators, the Financial Industry Regulatory Authority (“FINRA”) and the Federal Trade Commission (“FTC”). A summary of the requirements of the Amended Rule, along with proposed subsequent steps, is provided below.

Incident Response Program: 

The Amended Rule requires Covered Institutions to integrate an incident response program into their written policies and procedures under the Safeguards Rule. This program must be reasonably designed to detect and respond to unauthorized access to, or use of, customer information. The Amended Rule specifies that the incident response program procedures must include: (1) Assessment: procedures to evaluate the nature and scope of any such incident; (2) Containment and Control: appropriate measures to limit and manage such incidents to prevent further unauthorized access or use; and (3) Notice to Affected Individuals: a mandate to inform each affected individual whose sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization.

Customer Notification Requirement:

The Amended Rule requires Covered Institutions to notify individuals affected by the unauthorized access or use of sensitive customer information. Covered Institutions must notify affected individuals of any unauthorized access or use of customer information as promptly as possible, with a deadline of no later than 30 days after becoming aware of the incident. The information that must be incorporated into a notice includes: (1) a description of the incident and the type of sensitive customer information that was accessed; (2) contact information for the Covered Institution so that affected individuals can inquire about the incident; (3) a recommendation that the individual obtain credit reports and information on how to obtain them free of charge; and (4) information about the availability of guidance from the Federal Trade Commission and www.usa.gov/identity-theft regarding how individuals can protect themselves against identity theft.

It is important to note that a Covered Institution is exempted from the notification requirement if it concludes that the sensitive customer information has not been, and is not likely to be, utilized in a manner that would cause significant harm or inconvenience.

Oversight of Service Providers:

The Amended Rule requires incident response programs to include procedures to supervise service providers, including due diligence and continuous monitoring to ensure compliance and effectiveness in managing potential privacy risks arising from service provider activities. Covered Institutions must ensure that service providers take appropriate measures to: (1) prevent unauthorized access to, or use of, customer information; and (2) notify the Covered Institutions within 72 hours of becoming aware of a security breach leading to such unauthorized access. While the obligation to provide notice to affected customers remains with the Covered Institution, a Covered Institution may delegate that task to a service provider or vendor.

Upon receipt of a breach notification from a service provider (or upon independent detection of an incident of unauthorized access to or use of customer information), the Covered Institution must initiate its incident response program, as discussed above.

Expanded Scope of Safeguards Rule and Disposal Rule:

The Amended Rule enhances the Safeguards Rule by broadening the scope of “customer information” to specify the records it encompasses. This now includes any record containing nonpublic personal information maintained by a Covered Institution. Changes made to the Disposal Rule provide that Covered Institutions must properly dispose of customer information and consumer information after the applicable retention periods (which vary from 3 years for transfer agents to 6 years for investment advisers, as described below) expire. “Consumer information” includes records that include or are derived from a “consumer report”, such as a credit score. The Amended Rule extends both the Safeguards Rule and the Disposal Rule to cover not only information about a Covered Institution’s own customers but also information about another financial institution’s customers that it may possess. Covered Institutions must document compliance with the Safeguards Rule and the Disposal Rule in accordance with the applicable recordkeeping rules, described below. Unlike the current rules, the Amended Rule applies both the Safeguards Rule and the Disposal Rule to transfer agents.

Recordkeeping:

The Amended Rule requires maintenance of detailed records including: (1) written policies and procedures to comply with the Safeguards Rule and the Disposal Rule, and records of compliance sufficient to assess whether compliance with these rules has been achieved; (2) written documentation of any detected unauthorized access to or use of customer information and any response to such an event; (3) written documentation of any investigation and determination made regarding whether customer notification is required with respect to such an event; and (4) written policies and procedures and contracts regarding service providers. All such records must be retained for durations that align with the recordkeeping regulations already in place for these entities under existing rules for broker-dealers, investment advisers, and investment companies.

Annual Privacy Notice:

The Amended Rule provides an exception to the annual privacy notice mandated by Reg S-P, if the Covered Institution: (1) solely furnishes non-public personal information to non-affiliated third parties when an exception to third-party opt-out is applicable, and (2) has not altered its policies and procedures regarding the disclosure of non-public personal information since its most recent disclosure sent to customers.

Compliance Dates:

“Large entities” have until December 3, 2025 (18 months after the date of publication in the Federal Register) to comply with the Amended Rule, and smaller entities (i.e., those that are not “large entities”) have until June 3, 2026 (24 months after publication). A “large entity” is defined as follows:
  • Investment companies, along with other investment entities within the same related group, whose combined net assets reach $1 billion or more at the conclusion of the most recent fiscal year.
  • Registered investment advisers: $1.5 billion or more in assets under management.
  • Broker-dealers and transfer agents: All broker-dealers and transfer agents that do not meet the criteria for small entities as defined by the Securities Exchange Act of 1934 (as amended) and the Regulatory Flexibility Act of 1980 (as amended).

Next Steps:

Covered Institutions should consult counsel and initiate the process of evaluating the impact of the Amended Rule and enhancing their compliance programs to ensure readiness for the Amended Rule before the December 2025 and June 2026 compliance dates, depending on whether they are a small or large entity. To accomplish this, Covered Institutions should take the following actions:
  • Review and revise existing policies and procedures related to compliance with Reg S-P, with a specific focus on the Safeguards Rule and Disposal Rule.
  • Review the practices of their service providers to assess whether they have policies and procedures to protect against unauthorized access to, or use of, customer information and can satisfy the notification requirements, and review contractual arrangements with service providers to ensure they meet the requirements of the Reg S-P Amendments.
  • Provide training and education to relevant employees or other staff regarding the updated regulations and their implications for handling customer information.
  • Establish processes for documenting compliance with the Safeguards Rule and Disposal Rule, including the retention of required records for the required time periods.

For assistance with the review of the Amended Rule’s application to your firm, to update your Privacy and Information Security policies, or if you have questions about this article, contact Sadis & Goldberg LLP.
 
David Fitzgerald
Partner, Financial Services/Regulatory
dfitzgerald@sadis.com
212.573.8428
 
Mark Strefling
Partner, Financial Services/Regulatory
mstrefling@sadis.com
212.573.8159
 
Thomas Kennedy
Partner, Financial Services/Regulatory
tkennedy@sadis.com
212.573.8038
 
Vartika Naithani
Associate, Financial Services/Regulatory
vnaithani@sadis.com
212.573.8148