What is SEC Regulation S-P and How Is It Changing?

The SEC is adopting significant cybersecurity amendments to Regulation S-P.

Maybe you’re wondering, what does this mean for your business? Or perhaps, what is Regulation S-P?

This blog will break down the existing framework of Regulation S-P, upcoming changes, and what this means for different businesses and industries. 

What is Regulation S-P?

Regulation S-P is a rule established by the U.S. Securities and Exchange Commission (SEC) under the Gramm-Leach-Bliley Act. It’s aimed at safeguarding the privacy and security of customer information held by financial institutions. Essentially, Regulation S-P requires these institutions to provide clear notices about their privacy policies and practices and to protect the confidentiality of nonpublic personal information of their customers. This regulation applies to various financial institutions, including banks, securities firms, insurance companies, and investment advisers. Violations of Regulation S-P can result in penalties imposed by the SEC.

When Do Regulation S-P Changes Go Into Effect?

Changes to existing Regulation S-P rules went into effect on May 16, 2024, one year after issuance of the proposed amendments. 

The goal of the amendments is to modernize requirements for broker-dealers (including funding portals); investment companies such as mutual funds, closed-end funds, and business development companies (BDCs); SEC-registered investment advisers (RIAs); and transfer agents (collectively, “Covered Institutions”) to address the expanded use of technology and corresponding risks that have developed since the rules were first adopted in 2000.

The new rules include  the following:

• Broadening of the scope of information covered by Regulation S-P
• New requirements regarding a Covered Institution’s incident response plan
• New requirements regarding a Covered Institution’s service provider oversight
• New requirements regarding a Covered Institution’s recordkeeping and notices to individuals following a security incident

An important note to the amended rules: these adopted rules are entirely different from additional cybersecurity requirements that the SEC proposed for RIAs, registered funds, and BDCs in February 2022.

Businesses will need to take action soon: from the date of publication in the Federal Register, Large Covered Institutions will have 18 months, while smaller Covered Institutions will have 24 months to comply with adopted rules. The following qualifications mean you are considered a large entity subject to the 18-month timeline: 

• Investment companies that, together with other investment companies in the same group of related companies, have net assets of $1 billion or more at the end of the most recent fiscal year
• RIAs with $1.5 billion or more in assets under management
• All broker-dealers and transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act

Now, let’s dive deeper into each of the components of the Regulation S-P changes.

Addressing Your Business’ Incident Response Plan

Every business considered a Covered Institution must implement an incident response plan as part of their cybersecurity program. To have a compliant incident response plan, policies and procedures must:

• Be “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”
• Address the Covered Institutions’ ability to assess the nature and scope of any incident involving unauthorized access to customer information
• Identify the systems and types of customer information that may have been compromised
• Notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, compromised
• Take appropriate steps to contain and control the incident to prevent further unauthorized access or use

Rule Requiring Notice to Individuals 

A key component of Regulation S-P surrounds notifying individuals that their sensitive customer information was compromised. Covered Institutions must notify affected individuals within 30 days, including the following information:

• Nature and date of the incident, including any types of sensitive customer information that was or is reasonably believed to have been compromised
• Contact information for the Covered Institution, including at least a telephone number (toll-free if available), an email address or equivalent, a postal address, and the name of a specific office to contact for more information and assistance
• Recommendation that the individual review any related account statements and report suspicious activity
• Information regarding consumer credit files, including a recommendation that the individual obtain a copy of their credit report, how to obtain a copy, and how to place a fraud alert on the report
• Information regarding online resources that individuals can use to prevent identity theft

Vendor Management Program Through Service Providers

New Regulation S-P amendments require Covered Institutions to enter into written agreements with their service providers that agree to terms surrounding Vendor Management Programs. These include: 

• Reasonably designed oversight implementation, including through due diligence and monitoring, for any service providers with whom the Covered Institution shares customer information.
• Policies and procedures that are  designed to ensure that service providers notify the Covered Institution as soon as possible and within 72 hours of discovery of any security incident suffered by the service provider that affects customer information. 
• A potential requirement that  their service providers must notify any individuals affected by a security incident directly. 

Rules on Recordkeeping

Covered Institutions are also required to make and maintain records documenting:

• Policies and procedures required to ensure service provider oversight
• Any contract entered into under the service provider oversight requirements
• Any investigation and determination made regarding whether notification to customers is required, including the basis for any determination and a copy of any notices transmitted to individuals following such determination
• Any unauthorized access of customer information, as well as any response to and recovery from such unauthorized access, is required by the incident response program

Compliance Support For Your Small Business

What should your business’ next steps be? All Covered Institutions should begin reviewing and updating their privacy and data security policies and procedures to ensure compliance before the effective date for their size and type of institution. 

Questions about these amendments to Regulation S-P or the February 2022 proposals for RIAs, registered funds, or BDCs, or general business compliance questions? Reach out to PK Tech.