SEC Enhances Protection of Customer Information with Regulation S-P Amendments

May 16, 2024 — The SEC has announced significant amendments to Regulation S-P, aimed at modernizing and fortifying the protection of consumers’ nonpublic personal information within certain financial institutions. These amendments mark an important step in adapting regulatory frameworks to the evolving landscape of technology and the attendant risks, which have undergone substantial transformation since the initial adoption of Regulation S-P in 2000.

Rationale for Amendments

SEC Chair Gary Gensler emphasized the imperative need for these updates, stating, “Over the last 24 years, the nature, scale, and impact of data breaches have transformed substantially.” The amendments are designed to bolster the privacy of customers’ financial data and mandate critical updates to a rule established over two decades ago. Gensler underscored the essence of the amendments by stating, “The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”

Key Requirements of the Amendments

The amended Regulation S-P requires covered institutions, including broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents, to develop, implement, and maintain written policies and procedures for an incident response program. This program must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.

Moreover, covered institutions must notify individuals whose sensitive customer information has been accessed or is reasonably likely to have been accessed or used without authorization. Such notice must be furnished as soon as practicable but no later than 30 days after the institution becomes aware of the incident. The notice should contain comprehensive details about the breach, the compromised data, and guidance on protective measures for affected individuals.

Compliance Timeline

The amendments will become effective 60 days after publication in the Federal Register. Larger entities will be granted an 18-month compliance window from the publication date, while smaller entities will have 24 months to ensure compliance.

These amendments reflect the SEC’s commitment to safeguarding consumer data in an era characterized by rapid technological advancement and heightened cybersecurity threats. By imposing stricter requirements and enhancing transparency through mandatory notifications, the SEC endeavors to fortify the resilience of the financial ecosystem against potential breaches and uphold investor confidence.

For further information and updates on the amendments to Regulation S-P, please visit the SEC’s official website. To discuss how the amendments affect your firm, call Sallah Astarita & Cox at 212-509-6544.

SEC Press Release

Sallah Astarita & Cox
Representing Advisors and Investors, Nationwide.
Securities Attorney at Sallah Astarita & Cox | 212-509-6544 | mja@sallahlaw.com

Mark Astarita is a nationally recognized securities attorney, who represents investors, financial professionals and firms in securities litigation, arbitration and regulatory matters, including SEC and FINRA investigations and enforcement proceedings.

He is a partner in the national securities law firm Sallah Astarita & Cox, LLC, and the founder of The Securities Law Home Page - SECLaw.com, which was one of the first legal topic sites on the Internet. It went online in 1995 and is updated daily with news, commentary and securities law related links.