Pushing Reg S-P: SEC Adopts Amendments to Modernize and Enhance Regulation S-P
On May 16, 2024, the Securities and Exchange Commission (“SEC”) approved amendments to Regulation S-P to address unauthorized access to or use of “customer information” (a new defined term). Regulation S-P governs how registered investment advisers, investment companies, broker-dealers, and transfer agents (collectively, “covered institutions”) treat their customers’ nonpublic personal information (the “Rule”).[1] Notably, the amended Rule expands the scope of the Rule by focusing on covered institutions’ cybersecurity policies and procedures and requires notification to individuals affected by disclosure of sensitive customer information. The amended Rule aims to modernize and enhance the protection of nonpublic personal information by:
- Requiring covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information;
- Requiring covered institutions, as part of their incident response program, to establish, maintain and enforce written policies and procedures reasonably designed to require oversight of service providers;
- Requiring that covered institutions’ incident response program include procedures to provide timely notification (as soon as practicable, but not later than 30 days) to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization;
- Requiring that covered institutions ensure that their service providers provide notification as soon as possible, but no later than 72 hours after becoming aware that a covered breach has occurred;
- Expanding the Rule’s scope to incorporate a newly defined term, “customer information,” which includes nonpublic personal information that covered institutions collect about their own customers and nonpublic personal information covered institutions received from another financial institution about customers of that financial institution;
- Requiring transfer agents to comply with both the safeguarding and disposal provisions of the Rule; and
- Conforming the Rule’s annual privacy notice delivery provisions to the terms of an exception added by the FAST Act, which provide that covered institutions are not required to deliver an annual privacy notice if certain conditions are met.[2]
After the date of publication in the Federal Register, larger covered institutions will have 18 months, and smaller covered institutions will have 24 months, to comply with the amended Rule.[3]
If you have any questions about the Rule or the regulation of investment advisers, investment companies, or broker-dealers generally, please feel free to contact us.
By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton