Cybersecurity Advisory – SEC Amends Regulation S-P Enhancing Protection of Customer Information (Exchange Act Release No. 35193)
Impact: All Member Firms
The Cyber and Analytics Unit (CAU) within FINRA’s Member Supervision program is highlighting the SEC’s recent amendments to Regulation S-P.[1] On May 15, 2024, the SEC announced the adoption of amendments designed to modernize and enhance the protection of consumer financial information by broadening the scope of information covered by Regulation S-P’s requirements and requiring covered institutions to (1) adopt an incident response program and (2) notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
These amendments apply to broker-dealers (including funding portals), investment companies, registered investment advisers and transfer agents (“covered institutions”). FINRA recommends that all member firms review the amendments to ensure their cybersecurity programs are modified, as needed, to come into compliance by the applicable compliance date for their firms.
The amendments include, but are not limited to, the following requirements for covered institutions:
- Adopt an incident response program as part of their written policies and procedures under the safeguards rule that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including procedures to, among other things, assess the nature and scope of any such incident and take appropriate steps to contain and control such incidents to prevent further unauthorized access or use;
- Establish, maintain and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers; and
- Notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization in the time and manner prescribed by the amendments, including providing notice as soon as practicable, but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, except under certain limited circumstances.
The amendments to Regulation S-P also:
- Expand and align the safeguards and disposal rules to cover both nonpublic information that the covered institution collects about its own customers and nonpublic personal information it receives from another financial institution about that institution’s customers;
- Require covered institutions, other than funding portals, to make and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule;
- Conform Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception added by the 2015 Fixing America’s Surface Transportation Act, which provides that covered institutions are not required to deliver an annual privacy notice if certain conditions are met; and
- Extend both the safeguards rule and the disposal rule to transfer agents registered with the SEC or another appropriate regulatory agency.
Larger entities will have 18 months, and smaller entities will have 24 months, after June 3, 2024, the date of publication in the Federal Register, to comply.[2]
The SEC’s final rule release on the Regulation S-P amendments can be found here and an overview of the amendments can be found in the SEC’s Fact Sheet.
General guidance for member firms on cybersecurity issues can be found in the Cybersecurity and Technology Management section of the 2024 FINRA Annual Regulatory Oversight Report. Comprehensive member firm guidance and resources can be found on FINRA’s Cybersecurity Key Topics Page.
[1] See Securities Exchange Act Release No. 100155 (May 15, 2024), 89 FR 47688 (June 3, 2024) (Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information).
[2] See Securities Exchange Act Release No. 100155 (May 15, 2024), 89 FR 47688, 47724 (June 3, 2024) (Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information). For purposes of the compliance date, entities that are considered “larger entities” are (1) investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $1 billion or more as of the end of the most recent fiscal year, (2) SEC-registered investment advisers that have $1.5 billion or more in assets under management, (3) all broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act, and (4) all transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act. “Smaller entities” are those covered institutions that do not meet these standards.