SEC Adopts Amendments to Regulation S-P

On May 16, 2024, the SEC adopted amendments to Regulation S-P, the suite of rules that govern the handling of customer nonpublic personal information (“NPI”) by investment advisers and certain other types of financial institutions (“Covered Institutions”). Specifically, the amendments affect the “Safeguards Rule,” which requires Covered Institutions to maintain written policies and procedures reasonably designed to safeguard NPI, and the “Disposal Rule,” which requires Covered Institutions to dispose of NPI in a manner that protects the information against unauthorized access or misuse.

The most meaningful amendment adds a new requirement to the Safeguards Rule that Covered Institutions must adopt a written incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or misuse of NPI. Further, the incident response program must provide for the Covered Institution to notify individuals whose information was accessed or used without authorization if it is reasonably likely that such access or use would result in substantial harm or inconvenience to the affected individuals. Such notification would have to be made as soon as practical, but no later than 30 days after the breach is discovered. Finally, the incident response program must also provide for the Covered Institution to oversee its service providers to ensure they have appropriate controls to protect NPI and to notify affected individuals in the event of a breach.

The amendments also establish the new defined term “customer information,” which expands the scope of information covered by the Safeguards and Disposal Rules. Customer information includes any record containing NPI about a customer of a financial institution that is handled, maintained, or possessed by a Covered Institution or on behalf of the Covered Institution. In addition to covering more types of information, this change also means that the rules apply equally regardless of whether the Covered Institution is handling information about its own customers or about the customers of other financial institutions whose information has been provided to the Covered Institution.

Covered Institutions will be required to maintain written records documenting their compliance with the Safeguards and Disposal Rules, including the written policies and procedures required by the rules, records of any detected unauthorized access to or use of customer information, and records of any investigation and determination of whether to notify affected individuals regarding a breach.

The compliance date for the amended rules will be 18 months after the date of publication in the Federal Register for larger entities and 24 months after the date of publication for smaller entities. For purposes of the compliance dates, larger entities subject to the earlier compliance date include investment advisers with $1.5 billion or more in assets under management, investment companies with a NAV of $1 billion or more as of the end of the most recent fiscal year, and all broker-dealers and transfer agents that are not deemed to be small entities under the Securities Exchange Act of 1934 for purposes of the Regulatory Flexibility Act.
