On May 15, 2024, the Securities and Exchange Commission (SEC) finalized amendments to Regulation S-P, the primary regulation governing the privacy and confidentiality of consumer financial information for SEC-regulated entities. The updated regulation aims to strengthen customer data protection and enhance cybersecurity practices within the financial services sector. The following is an overview of the key changes and implications for impacted financial services companies and vendors to financial services companies.

Background

Regulation S-P, adopted in 2000, requires SEC-regulated financial institutions to provide notice to customers about their privacy policies and practices, as well as to safeguard customer information. The regulation applies to a wide range of financial institutions, including broker-dealers, investment advisers, and investment companies, as well as certain transfer agents.

Key Amendments

The final amendments to Regulation S-P introduce several significant changes, which generally become effective 18 or 24 months after publication in the Federal Register, depending on the size of the institution. The amendments introduce new definitions of "customer information" and "sensitive customer information," which cover not just information about the financial institution's own customers, but also information received from other financial institutions. The amendments affect two primary areas:

1. Incident Response and Notification

o   Written Policies and Procedures: Requires the development and implementation of written incident response and notification policies and procedures for a data breach or unauthorized access to customer information. The written policies and procedures must include mechanisms to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident so as to prevent further unauthorized access or use.

o   Notification: Affected individuals must be notified within 30 days when their sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, whether at the financial institution or at a service provider, unless the financial institution, after a reasonable investigation of the facts and circumstances of the incident, determines that the information is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. The required contents of the notification are spelled out in detail. As under the SEC's Public Company Cybersecurity Disclosure Rules, the US Attorney General may request that notifications to individuals be delayed.

o   Sensitive Customer Information: Any component of customer information, alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information. The SEC included a list of examples in the amendment.

2. Service Provider Oversight

o   Policies and Procedures: Financial institutions will be required to establish, maintain, and enforce written policies and procedures for oversight of service providers.

o   Due Diligence: Financial institutions must establish, maintain, and enforce written procedures for conducting due diligence on service providers to ensure they have adequate information security controls.

o   Contractual Requirements: Financial institutions must include certain contractual provisions in their agreements with service providers, including:

    o   A requirement that the service provider implement and maintain adequate information security controls.

    o   A requirement that the service provider notify the financial institution within 72 hours of any data breach or unauthorized access to a customer information system maintained by the service provider. The SEC did not include exceptions for service providers regulated by the SEC, the Federal Reserve, or other regulators.

Importantly, the SEC also clarified certain record-keeping requirements. The one that will have the largest impact on incident response is the requirement to make and maintain written documentation of any investigation and of the determination as to whether notification is required. Many incident response lawyers do not allow preparation of reports relating to incidents, because attorney-client privilege asserted over such reports may be challenged. The SEC has left no doubt that incident reports are required for covered financial institutions.

Implications and Next Steps

The amended Regulation S-P imposes significant obligations on SEC-regulated financial institutions to strengthen their cybersecurity and incident response practices. The 30-day notification timeframe is faster than state notification requirements, and the investigation of an incident is often not yet complete within that window. This will strain financial institutions and their incident response teams. Additionally, a number of the required procedures are often in place but not written down. To ensure compliance, institutions should:

1. Review and update their written information security policies and procedures, with a focus on incident response, to meet the new requirements.

2. Review written service provider due diligence policies and procedures and draft or update them accordingly.

3. Review and update contracts with service providers to make sure that the required contractual provisions are included in agreements.

4. Add incident response counsel who understand financial institutions to cyber insurance policies. If you don't have cyber insurance, engage incident response counsel before an incident so that they can hit the ground running.

5. Conduct a tabletop exercise to test the written policies and procedures and the ability to notify individuals within 30 days.

The SEC has ratcheted up notification requirements for the financial institutions that it regulates. Compliance requires focus and preparation, and financial services companies should start working on this right away. We are still waiting for the SEC to act on the proposed Cybersecurity Rules for these same financial institutions. The revisions to Regulation S-P suggest that the SEC will continue to take a hard line.