Changes are coming to existing regulations that govern how financial institutions (FIs) manage sensitive customer information. Following the adoption of new amendments to Regulation S-P by the Securities and Exchange Commission (SEC), covered entities in the financial sector will soon be subject to new requirements for how they respond to — and notify consumers of — certain types of data breaches.
These amendments, effective August 2, 2024, mark the first updates to Regulation S-P in the twenty-four years since its adoption in June of 2000. In that time, the SEC says, advances in technology have changed how firms obtain, share and manage personal information — leading to an increased risk of unauthorized access and misuse. Additionally, state-by-state variations in regulations have resulted in a patchwork of compliance requirements, creating the need for a modernized, federal minimum standard of consumer protections. In this article, we’ll outline expected changes from these amendments — and how FIs can prepare to comply. But first…
Regulation S-P: the Before and After New Amendments
Regulation S-P is a set of privacy rules adopted pursuant to the GLBA and the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) that govern the treatment of nonpublic personal information about consumers by certain financial institutions. Adopted by the SEC in 2000, Regulation S-P requires broker-dealers, investment companies, registered investment advisors, funding portals and transfer agents — to adopt policies and implement administrative, technical and physical controls to properly safeguard and dispose of nonpublic customer records and information (These regulations are commonly referred to as the “safeguards rule” and the “disposal rule.”). Regulation S-P also requires FIs to notify customers of changes to privacy policies and create opt out provisions.
Expanded Scope of the Amendments:
- Expands the safeguards and disposal rules to cover — not just the information of an FI’s own customers — but also any information collected on customers of other.
- Requires covered institutions (except for funding portals) to maintain written records documenting compliance.
- Creates exceptions to the annual privacy notice requirement in certain circumstances — e.g., if policies have not changed from the last disclosure sent to customers.
What Are the Biggest Changes FIs Can Expect?
In addition to updating the core rules of Regulation S-P, these amendments also create two important new requirements for covered institutions:
- Establishment of an incident response program
Covered institutions will now be required to adopt and implement an incident response program to detect, respond to and recover from data breaches. As many FIs today contract out some aspect of information management to third parties, the SEC specifies that incident response programs must include written policies to support the proper oversight of service providers, in addition to the institutions themselves.
- New customer notification requirements
In the event of a breach, covered FIs will now have just 30 days to notify customers. In their notification, FIs must provide details on the information impacted and outline steps customers can take to mitigate potential consequences. However, institutions will only be required to notify customers if the data in question is both:
a.) Reasonably likely to have been subject to unauthorized access.
b.) Reasonably likely to be used in a manner that would result in substantial harm or inconvenience.
The final amendments will require notification to all customers of a covered institution affected by a data breach (regardless of State residency), in order to provide timely and consistent disclosure of important information to help affected customers respond to a data breach.
How Much Time Do FIs Have to Comply?
The SEC is aware that adopting these rules will be a significant undertaking for some FIs. That’s why the Commission has set a compliance deadline of 18 months for larger institutions and two years for smaller entities after the date of publication on June 3, 2024. Based on the SEC’s analysis, the 18-month timeline will apply to approximately:
- 77% of registered investment companies and broker-dealers
- 42% of transfer portals
- 23% of registered investment advisors
- 3% of funding portals
Frazier & Deeter Is Your Trusted Compliance Partner
As regulators work to keep pace with evolving technologies and risks, financial institutions will be expected to navigate an increasingly complex compliance landscape – but they don’t have to do it alone. Frazier & Deeter is here to provide support to every aspect of your organization — from design of cybersecurity, third party management and incident response procedures to testing effectiveness of implemented controls, we are here to provide management assurance their organization provides customers the information they need and meets the standards of ever-evolving regulations. Connect with our team and get expert answers to your compliance questions today.
- Gina Gondron, IT Risk & Compliance Partner | gina.gondron@frazierdeeter.com
- Brandon Sherman, Cyber Advisory Partner | brandon.sherman@frazierdeeter.com
- Shelby Nelson, SOC National Practice Partner | shelby.nelson@frazierdeeter.com