17 November 2025

Approaching Effective Date For Regulation S-P Amendments: What Businesses Need To Know

Goodwin Procter LLP

On May 16, 2024, the Securities and Exchange Commission ("SEC") adopted amendments (the "Amendments") to modernize Regulation S-P ("Reg S-P").1 The Amendments include substantially expanded requirements for safeguarding customer information. The key changes include requirements to establish a written incident response plan, notify customers of data breaches, implement additional service provider oversight, and meet new recordkeeping requirements. The Amendments also expand the scope of Reg S-P beyond broker-dealers, investment companies, SEC-registered investment advisers, funding portals and transfer agents registered with the SEC to include all transfer agents whether registered with the SEC or another appropriate regulatory agency (together, "covered institutions").

Large covered institutions (including SEC-registered investment advisers with $1.5 billion in assets under management, investment companies with $1 billion in net assets and all broker-dealers that are not small institutions under the Securities Exchange Act of 1934)2 must be in compliance with the Amendments by December 3, 2025. All other covered institutions must be in compliance by June 3, 2026.

Prior to the compliance dates, all covered institutions should, among other things, review their (i) applicable policies and procedures, including their incident response plans (particularly with respect to customer notification) and (ii) service provider arrangements to ensure they can meet their customer information protection and notification obligations.

Background and Purpose

The SEC adopted Reg S-P in 2000 under the Gramm-Leach-Bliley Act ("GLBA") to protect sensitive consumer personal information at designated financial institutions. Historically, Reg S-P has obligated such institutions to implement administrative, technical, and physical measures to safeguard consumer data ("Safeguards Rule"), ensure appropriate disposal of consumer information ("Disposal Rule"), and implement privacy notices and opt-out protections. Transfer agents registered with the SEC were subject to the Disposal Rule, but not the Safeguards Rule.

On March 15, 2023, the SEC proposed amendments to Reg S-P to "address the expanded use of technology and corresponding risks,"3 which were adopted on May 16, 2024 largely as proposed. The Amendments expanded the list of covered institutions under Reg S-P, broadened key terms, and imposed additional requirements.

Key Changes Introduced by the Amendments

Incident Response Program: Covered institutions are required to create and keep written incident response policies and procedures, which outline their response and recovery protocols in the event of unauthorized access to sensitive customer information. In general, this includes an assessment of which systems and data were affected, the scope of the incident, the steps taken to control and contain the incident, and the covered institution's process for notifying impacted individuals in the event that sensitive customer information is impacted.

The Amendments define "sensitive customer information" as any information that, if compromised, could "create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information."4 This includes information that could create substantial risk of harm by itself (e.g., social security number), or information that could create a substantial risk of harm when combined with other information sources (e.g., username).

Customer Notification Requirements: Covered institutions must provide written notice as soon as practicable but not later than 30 days after becoming aware that unauthorized access to or use of customer information occurred or is reasonably likely to have occurred (with very limited exceptions).5 Notices must go to all individuals whose sensitive information was likely used or accessed. The Amendments permit covered institutions to engage in a reasonable investigation of the facts and circumstances of the incident during the 30-day period to determine if notification is necessary before providing notice. Notice is not required if a covered institution determines that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.6 However, notably, if an incident has or is reasonably likely to have occurred, but the covered institution cannot determine which specific individuals' sensitive customer information has been accessed, the requirement is to notify all individuals whose sensitive customer information resides in the system that was, or was reasonably likely to have been, accessed.

Notices must include a general incident description, including the type of sensitive information accessed, contact information for the covered institution, and the relevant timeframe. The notice should also include recommendations to check account statements for suspicious activity, provide identity theft resources from the Federal Trade Commission (FTC) and USA.gov, and describe how affected individuals may receive a credit report free of charge.

Service Provider Oversight: Covered institutions must implement policies and procedures for engaging in oversight of service providers to ensure they protect against unauthorized access of customer information, including through due diligence and monitoring. Covered institutions must ensure that service providers notify them as soon as possible, but no later than 72 hours if the service provider detects a breach of a customer information system.7 After being notified, the covered institution must initiate its incident response program. While covered institutions may contract for the service provider to send customer notices in the case of breach, they remain responsible for ensuring that the notices go out and comply with the regulation framework.

Recordkeeping Requirements: Covered institutions must maintain written records evidencing compliance with the identified requirements, including their internal policies and procedures for their incident response program, customer information disposal practices, record of incidents and responses taken (e.g., investigation and notification determinations, and service provider oversight documentation), and service provider agreements pertaining to the identified requirements.

Expansion of Safeguards and Disposal Rules: Both the Safeguards and Disposal Rules now apply to all "customer information," which includes nonpublic information about customers of the covered institution or nonpublic personal information the covered institution receives from another financial institution about customers of that financial institution (broadening the requirements). In addition, the Amendments now extend the applicability of the expanded Safeguards and Disposal Rules to transfer agents.

Exception to Annual Privacy Notice Requirement: The Amendments include an exception to the annual privacy notice requirement that conforms with the amendment to the GLBA in 2015 commonly known as the FAST Act (i.e., an entity can be exempted from the annual privacy notice requirements if it (i) only provides non-public personal information to non-affiliated third parties when an exception to third party opt-out applies, and (ii) the institution has not changed its policies and practices with regard to disclosing non-public personal information from its most recent disclosure sent to customers).8

Practical Next Steps for Covered Institutions

The new requirements outlined under the Amendments require expedient turnaround regarding incident response and notification. This will necessitate the adoption of new policies and improved coordination across multiple workstreams and teams. As a result, covered institutions should take practical steps to improve their information security and incident response practices.

By focusing on the following steps, covered institutions can streamline their approach to compliance, minimize operational disruption, and better protect customer information:

  • Assess your information security program, in particular your incident response plan: Update your incident response plan to integrate the amended Reg S-P requirements and conduct a holistic review of your incident response program. Consider a risk assessment, whether you have identified external support (legal counsel and third-party forensic firms) to assist in an incident, as well as testing and training (tabletop exercises that test the incident response plan and regular security training).
  • Develop customer notification templates and protocols: Prepare template notification forms and establish breach notification policies to ensure your organization can effectively respond to a cybersecurity incident and carry out notification requirements in an efficient manner. If notification is determined not to be required, implement a process for documenting the determination and procedure followed. The practical effect of the notification timeline starting with a covered institution "becoming aware" of a reasonable likelihood of unauthorized access, combined with a presumption toward customer notification, creates a difficult standard for covered institutions to meet without sufficient preparation.
  • Update service provider arrangements and oversight framework: Update internal policies to ensure robust due diligence and monitoring practices with service providers. Identify service providers who have access to customer information. Update applicable service provider arrangements (by updating contracts or taking other risk-appropriate actions) to ensure they meet the new requirements, in particular the 72-hour notification requirement for breaches involving customer information systems.
  • Update written information security and other applicable policies: Update written information security policies that describe the covered institution's administrative, technical and physical safeguards. These policies should be reasonably designed to ensure the security and confidentiality of customer information, protect against anticipated threats to the security of such information and protect against unauthorized access.

1. Final Rule: Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information.

2. A broker-dealer is a small entity under the Exchange Act if the broker-dealer has total capital of less than $500,000 and is not affiliated with any entity that is not a small entity. SEC.gov | Certain Broker-Dealers Deemed Not To Be Investment Advisers.

3. See note 1 above at p. 5.

4. See note 1 above at p. 40.

5. The required notification period may be extended up to 30 days following the original notification deadline only if the U.S. Attorney General determines and notifies the SEC in writing that issuing a notification would pose a substantial risk to national security or public safety. See note 1 above at p. 57.

6. See note 1 above at p. 35.

7. See note 1 above at p. 213.

8. See note 1 above at p. 127.
