Pushing Reg S-P: SEC Adopts Amendments to Modernize and Enhance Regulation S-P

On May 16, 2024, the Securities and Exchange Commission (“SEC”) approved amendments to Regulation S-P to address unauthorized access to or use of “customer information” (a new defined term). Regulation S-P governs how registered investment advisers, investment companies, broker-dealers, and transfer agents (collectively, “covered institutions”) treat their customers’ nonpublic personal information (the “Rule”).[1] Notably, the amended Rule expands its scope by focusing on covered institutions’ cybersecurity policies and procedures and requires notification to individuals affected by disclosure of sensitive customer information. The amended Rule aims to modernize and enhance the protection of nonpublic personal information by:

  • Requiring covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information;
  • Requiring covered institutions, as part of their incident response program, to establish, maintain and enforce written policies and procedures reasonably designed to require oversight of service providers;
  • Requiring that covered institutions’ incident response program include procedures to provide timely notification (as soon as practicable, but not later than 30 days) to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization;
  • Requiring that covered institutions ensure that their service providers provide notification as soon as possible, but no later than 72 hours after becoming aware that a covered breach has occurred;
  • Expanding the Rule’s scope to incorporate a newly defined term, “customer information”, which includes nonpublic personal information that covered institutions collect about their own customers and nonpublic personal information that covered institutions receive from another financial institution about customers of that financial institution;
  • Requiring transfer agents to comply with both the safeguarding and disposal provisions of the Rule; and
  • Conforming the Rule’s annual privacy notice delivery provisions to the terms of an exception added by the FAST Act, which provide that covered institutions are not required to deliver an annual privacy notice if certain conditions are met.[2]

After the date of publication in the Federal Register, larger covered institutions will have 18 months, and smaller covered institutions will have 24 months, to comply with the amended Rule.[3]

If you have any questions about the Rule or the regulation of investment advisers, investment companies, or broker-dealers generally, please feel free to contact us.

By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton

Footnotes


[1] SEC Press Release, SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information, May 16, 2024, available at https://www.sec.gov/news/press-release/2024-58.

[2] SEC Fact Sheet, Final Rules: Enhancements to Regulation S-P, May 15, 2024, available at https://www.sec.gov/files/34-100155-fact-sheet.pdf (“SEC Fact Sheet”).

[3] Larger investment companies are investment companies who, together with other investment companies in the same group of related investment companies, have net assets of $1 billion or more. Larger registered investment advisers are registered investment advisers with $1.5 billion or more in assets under management. Larger broker-dealers and transfer agents are broker-dealers and transfer agents that are not small entities for the purposes of the Regulatory Flexibility Act of 1980. SEC Fact Sheet, Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, SEC Rel. Nos. 34-100155; IA-6604; IC-35193, available at https://www.sec.gov/files/rules/final/2024/34-100155.pdf.

 
