Category: Regulation S-P

Regulation S-P, enforced by the U.S. Securities and Exchange Commission (SEC), establishes rules designed to safeguard the privacy and security of customer information held by financial institutions. It requires these institutions, including broker-dealers, investment advisers, and other entities registered with the SEC, to adopt policies and procedures that protect the confidentiality and integrity of nonpublic personal information about their customers. Regulation S-P mandates the disclosure of privacy policies to customers and imposes restrictions on the sharing of personal information with third parties, outlining conditions under which such sharing is permissible. Compliance with Regulation S-P is crucial for maintaining trust and confidentiality in financial relationships, ensuring that customer data is handled responsibly and securely in accordance with legal requirements.

SEC NEWS - SEC-PR-2024-58 (May 16, 2024)

PRESS RELEASE | 2024-58

Securities and Exchange Commission Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information

Washington D.C., May 16, 2024 — The Securities and Exchange Commission today announced the adoption of amendments to Regulation S-P to modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions. The amendments update the rules’ requirements for broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents (collectively, “covered institutions”) to address the expanded use of technology and corresponding risks that have emerged since the Commission originally adopted Regulation S-P in 2000.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”

The amendments require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The amendments also require that the response program include procedures under which covered institutions, with certain limited exceptions, provide notice to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.

The amendments require a covered institution to provide notice as soon as practicable, but not later than 30 days, after becoming aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notice must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves.

The amendments will become effective 60 days after publication in the Federal Register. Larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.
