The Securities and Exchange Commission (SEC) recently adopted amendments to Regulation S-P. They require broker-dealers, investment companies, registered investment advisers, and transfer agents—collectively known as covered institutions—to develop and maintain written policies and procedures for an incident response program that can detect, respond to, and recover from unauthorized access to or use of customer information and to notify affected individuals of data breaches.

Larger entities have 18 months after the date of publication in the Federal Register to comply with the SEC's amendments while smaller entities have 24 months to comply.

Learn more about the amendments’ new requirements, how they impact investment organizations’ cybersecurity plans, and what your organization can do to prepare below.

Incident Response Program Requirements

According to the amendments, incident response programs must include procedures to assess the nature and scope of any breach incident and to take appropriate steps to contain and control such incidents to prevent further unauthorized access or use.

Incident response programs must also include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including thorough due diligence and monitoring of service providers.

In addition, covered institutions are required to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The notice must be sent as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, except under certain limited circumstances. The notices must include details about the incident, the data compromised, and how affected individuals can respond to the breach to protect themselves.

Safeguard and Disposal Rules

The amendments safeguard and disposal rules cover both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from other financial institutions about their customers.

Covered institutions, other than funding portals, are required to make and maintain written records documenting compliance with the safeguard and disposal rule requirements. The amendments also conform Regulation S-P's annual privacy notice delivery provisions to the terms of an exception added by the FAST Act, which provides that covered institutions aren’t required to deliver an annual privacy notice if certain conditions are met.

Transfer agents registered with the SEC or another appropriate regulatory agency are also subject to the safeguard and disposal rules.

Minimum Federal Standards

The amendments establish a federal minimum standard for covered institutions to provide data breach notifications to affected individuals. Since Regulation S-P's adoption, technological developments in how firms obtain, share, and maintain individuals' personal information have corresponded with increased risk of harm to individuals. The final amendments aim to provide a higher level of protection for customer information and establish a federal minimum standard for covered institutions to provide data breach notifications to affected individuals.

We’re Here to Help

To learn more about the SEC’s amendments and how they impact your company’s cybersecurity protocols, contact your Moss Adams professional.

Additional Resources

• Transaction Consulting Services
• Cybersecurity Consulting Services