On May 15, 2024, the U.S. Securities and Exchange Commission (SEC) approved amendments to Regulation S-P, the first update to the regulation since its adoption in 2000. Known as the safeguards rule, Regulation SP governs the treatment of non-public personal information about consumers by certain financial institutions, including broker-dealers, investment companies, registered investment advisers, and transfer agents (covered institutions).
The current rule mandates that covered institutions implement policies and procedures to safeguard and dispose of sensitive customer data, provide privacy notices, and offer opt-out procedures. The amendments aim to broaden the responsibilities of covered institutions in protecting consumers. Since the adoption of Regulation S-P, technological advancements in the collection, sharing, and maintenance of individuals' personal information have increased the risk of harm. These amendments are intended to enhance the protection of consumers' non-public personal information.
“I believe that these amendments will help customers maintain their privacy and protect themselves. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors,” SEC Chair Gary Gensler said in a statement.
What’s Required
Incident Response Program: To protect against potential harms from security incidents involving customer information, the amendments mandate that covered institutions implement an incident response program as part of their written policies and procedures under the safeguards rule. This program must be designed to effectively detect, respond to, and recover from unauthorized access to or use of customer information. It should include procedures to assess the nature and scope of such incidents and take appropriate measures to contain and control them, preventing further unauthorized access or use. Additionally, the amendments require the incident response program to establish, maintain, and enforce written policies and procedures that ensure oversight of service providers through due diligence and monitoring.
Customer Notification Requirement: The amendments require covered institutions to notify individuals whose sensitive customer information has been, or is likely to have been, accessed or used without authorization. This notification must be provided as soon as practicable but no later than 30 days after the institution becomes aware of the unauthorized access or use, except in certain limited circumstances. The notices must include details about the incident, the breached data, and steps affected individuals can take to protect themselves. However, notification is not required if the institution determines that the sensitive customer information has not been, and is not likely to be, used in a way that would cause substantial harm or inconvenience.
Regulation S-P Amendments Broaden the Scope of Information Covered:
What Advisers Can Do to Prepare
The amendments take effect 60 days after publication in the Federal Register with a compliance date of 18 months after the effective date for “Larger Entities”, which includes registered investment advisers with $1.5 billion or more in assets under management, and two years for firms below that threshold. To prepare, it is recommended that investment advisers review their policies and procedures as it relates to Regulation S-P and update them to ensure the new amendments are reflected. Additionally, the investment adviser should train firm employees on how to prevent and detect authorized access to personal data and how to report it.
How Petra Can Help
Petra Funds Group’s compliance team has decades of experience managing SEC regulatory compliance programs for private fund advisers. The group’s expertise enables them to provide insight and guidance on a wide range of regulatory compliance services, from investment adviser registration to ongoing compliance support to performing SEC mock examinations. Learn more about Petra’s comprehensive compliance offering here and contact Jesse Brown with questions.