SEC Announces Proposed Amendments to Regulation S-P

On March 15, 2023, the Securities and Exchange Commission (SEC) announced proposed amendments [1] (“Proposed Amendments”) to Regulation S-P. Regulation S-P requires registered broker-dealers, investment companies, and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."

Since the adoption of Regulation S-P on June 22, 2000, advances in technology have made customers’ personal information easier to collect, store, and transmit, increasing the risk of unauthorized access. The Proposed Amendments would require Covered Institutions (defined below) to notify customers affected by certain harmful data breaches. SEC Chair Gary Gensler stated that the amendments would set expectations for how covered institutions address growing cybersecurity risks.

Covered Institutions would include broker-dealers, investment companies, registered investment advisers, and transfer agents (“Covered Institutions”).

Under the Proposed Amendments, Covered Institutions would be required to:  

  • Maintain written policies and procedures establishing an incident response program that addresses unauthorized access to or use of customer information;

  • Provide affected customers with notice “as soon as practicable, but not later than 30 days” after the Covered Institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Notice would not be required, however, if the Covered Institution determines that the information accessed or used has not been, and is not reasonably likely to be, “used in a manner that would result in substantial harm or inconvenience”;

  • Maintain written records documenting their compliance and, at least annually, review and assess their cybersecurity policies and procedures to ensure they reflect changing cybersecurity risks.

The Proposed Amendments would also broaden the scope of information protected under Regulation S-P by introducing the term “customer information,” which would apply both “to nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions[.]”

Lastly, the Proposed Amendments would set timing requirements for when a Covered Institution must begin delivering annual privacy notices if it previously qualified for the exception to Regulation S-P’s annual notice requirement but, because of changes in its policies and practices, no longer does.

The Proposed Amendments will be published in the Federal Register, and the public comment period will remain open until 60 days after publication.


[1] https://www.sec.gov/rules/proposed/2023/34-97141.pdf
