Understanding Recent Amendments to Regulation S-P

The U.S. Securities and Exchange Commission (“SEC”) adopted Regulation S-P on November 13, 2000,[1] to govern the use and protection of consumers’ non-public personal data by covered financial institutions.[2] The SEC requires registered investment advisers and broker-dealers, among others, to have written policies and procedures that address how customer data is protected through administrative, technical, and physical safeguards. The regulation was established in response to growing concerns about the erosion of consumer data privacy, and it mandates safeguards to protect sensitive customer information.

Since 2000, the SEC has amended Regulation S-P a few times, with the most recent amendment released on May 16, 2024 (“Amended Reg S-P”). The amendments were implemented to address new challenges brought about by advanced technologies and increasing cybersecurity risks. The Amended Reg S-P is three-pronged:

  • The Safeguarding Rule: This rule requires financial institutions to implement written policies and procedures that detail how they will protect customer information. This includes specific cybersecurity protocols and the establishment of an incident response program to handle potential data breaches.
  • The Disposal Rule: The Disposal Rule obligates financial institutions to implement procedures for securely disposing of customer and consumer information to prevent unauthorized access after the information is no longer needed.
  • The Notification Rule: The Notification Rule mandates that financial institutions notify affected individuals of any security breaches involving their nonpublic personal information within 30 days of detecting the breach unless a waiver applies.


Incident Response Program Requirements

Amended Reg S-P mandates that institutions develop written policies and procedures to manage incidents involving unauthorized access to or use of sensitive customer information.

The following are the critical elements that institutions must address in their incident response programs:

  • Assessment of the Incident. Financial institutions must include procedures for assessing any incident where there is unauthorized access to or use of customer information. This includes evaluating the nature and scope of the breach, identifying the systems that were affected, and determining the types of sensitive customer information that may have been compromised. The assessment should aim to clarify whether the breach involves personal, financial, or other sensitive information.
  • Containment and Control. Once an incident is identified, institutions must have procedures in place to contain the breach and prevent further unauthorized access to or use of the affected information. This could involve measures such as isolating the compromised systems, securing access controls, and implementing additional safeguards to prevent further exposure of customer data. The focus is on limiting the damage and protecting the integrity of the institution’s systems and the customer data within them.
  • Customer Notification. The amendments introduce clear requirements for notifying affected individuals. If a breach results in, or is likely to result in, unauthorized access to sensitive customer information, institutions must promptly notify each affected individual within 30 days. The notification must be issued in a timely manner to ensure that customers are aware of the incident and can take appropriate steps to mitigate potential harm.

When drafting notification procedures, covered financial institutions should take steps to ensure they are capturing all the disclosure requirements set forth in the amended rule. Institutions should also consider any exceptions that may apply. For example, if, after conducting a reasonable investigation, the institution determines that the sensitive customer information was not and is not likely to be used in a way that would cause substantial harm or inconvenience to the affected individuals, then notification may not be required.


Types of Sensitive Customer Information

Under Amended Regulation S-P, the definition of “customer information” was expanded to include “sensitive customer information”, which refers to data that, if compromised, could expose an individual to significant risk or harm. This includes personally identifiable information (PII) such as social security numbers, tax identification numbers, date of birth, mother’s maiden name, driver’s license and passport information, and bank account numbers, as well as biometric data and login credentials. If this type of sensitive information is exposed in a data breach, its use could cause significant inconvenience to the customer, and the exposure therefore triggers the requirement for customer notification. Notably, sensitive customer information should be defined in a firm’s written policies and procedures.


Necessary Steps for Compliance with Regulation S-P

Ensuring compliance with the amended Regulation S-P is critical for financial institutions aiming to protect consumer privacy and safeguard sensitive customer data. The evolving nature of cybersecurity threats and the increased use of digital technologies in the financial sector necessitate proactive and comprehensive measures to meet the regulation’s requirements. Below are the key actions that institutions should take to help ensure full compliance.

Developing and Maintaining Written Policies

The cornerstone of Regulation S-P compliance lies in the establishment and maintenance of clear, written policies and procedures. These policies should address several critical areas related to the protection of consumer data:

  • Data Protection Measures: Financial institutions must define and implement measures to safeguard customer information, including encryption, access controls, and secure storage.
  • Incident Response Strategies: Institutions should prepare a formal incident response plan to swiftly address any breaches or unauthorized access to sensitive data. This plan should outline the steps for investigating incidents, containing threats, and notifying affected individuals as required by the regulation.
  • Secure Disposal Practices: The regulation mandates that sensitive data must be disposed of securely when it is no longer required for business purposes. Institutions should have a documented process for properly destroying or anonymizing consumer data.

By having these policies and procedures in place, financial institutions can demonstrate that they are taking the necessary steps to protect consumer data and comply with Amended Reg S-P.

Incident Documentation

Documentation is critical when responding to cybersecurity incidents. Institutions should create detailed records of any data breaches or incidents that involve unauthorized access to consumer information. These records should include:

  • Incident Details: A thorough description of the breach, including how and when it occurred, what data was compromised, and the extent of the impact.
  • Response Actions: A record of the steps taken to contain the breach and prevent further unauthorized access to consumer data.
  • Investigation Findings: Documentation of any investigations conducted to determine the severity of the breach and whether consumer notification is required under Regulation S-P. This helps demonstrate due diligence in ensuring compliance with notification requirements.

By maintaining comprehensive records, financial institutions can show their commitment to compliance and transparency while also enabling effective response and remediation in the event of a breach.

Service Provider Agreements

Under Amended Reg S-P, covered financial institutions are held accountable for overseeing how third-party service providers safeguard their customer information. To that end, covered financial institutions must take the following proactive steps to ensure protection:

  • Formalize Written Agreements: Institutions must have service provider agreements in place that clearly outline the responsibilities of each third-party vendor in relation to consumer data protection. These agreements should specify the cybersecurity standards that vendors must meet and outline required protocols for breach notification and data protection.
  • Ongoing Monitoring: Institutions must regularly assess and monitor the cybersecurity practices of their service providers to ensure they are meeting the required standards for safeguarding sensitive customer data.

This step helps mitigate the risks associated with outsourcing data handling and ensures that vendors align with the institution’s own data protection policies.

Retention of Required Records

Amended Reg S-P introduced new, more stringent recordkeeping requirements for covered financial institutions. Specifically, covered financial institutions must:

  • Maintain Detailed Documentation: The documentation must be detailed and substantiate the firm’s compliance with Amended Reg S-P. This includes records of security measures taken (both technical and physical), responses to incidents, and employee training.
  • Retain Records for Five Years: Institutions are required to retain documentation of their compliance with Amended Reg S-P and related provisions for a period of up to five years. These records must be easily accessible for review, particularly during audits or regulatory inspections.
  • Ensure Accessibility for the First Two Years: While records must be retained for five years, institutions must ensure they are easily accessible for the first two years, facilitating a timely response to regulatory inquiries or audits.

Proper retention of these records is crucial for demonstrating a covered financial institution’s ongoing commitment to safeguarding consumer data and adherence to the requirements of Amended Reg S-P.


Compliance Deadlines

The amended Regulation S-P was published in the Federal Register on June 3, 2024, and went into effect August 2, 2024. The compliance date for larger covered financial institution entities, which are defined in Amended Reg S-P, is December 3, 2025. For smaller entities, which are covered financial institutions that do not meet the definition of larger entities, the compliance date is June 3, 2026.


Conclusion

Regulation S-P is vital for ensuring the protection of consumer privacy within the financial sector. When covered financial institutions develop and maintain robust safeguarding, notification, and disposal policies, including an incident response program to detect, respond to, and mitigate data breaches, consumers’ PII is better protected.

As cybersecurity threats continue to evolve, it is essential for financial institutions to remain vigilant and proactive in implementing policies and procedures that ensure compliance with Amended Reg S-P. This includes not only safeguarding consumer data but also documenting and monitoring compliance across all areas of operation. By adhering to the amended requirements of Regulation S-P, financial institutions can effectively protect consumer privacy, build trust with their clients, and minimize the risks associated with data breaches.


Author: Maggie Tavares, Sr. Compliance Consultant; Editor: Tina Mitchell, Managing Director, Consultation Services; Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

[1] Federal Register: Privacy of Consumer Financial Information (Regulation S-P)

[2] Regulation S-P applies to a range of financial institutions, including broker-dealers, investment companies, and investment advisers since its introduction under the authority of the Gramm-Leach-Bliley Act, specifically Section 504, alongside the Securities Exchange Act of 1934, the Investment Company Act of 1940, and the Investment Advisers Act of 1940.