SEC Enhances Rules to Protect Personal Information

On May 15, 2024, the SEC adopted amendments to Regulation S-P that apply to SEC registered investment advisors, in addition to other financial institutions.  These amendments help enhance the protection of consumers’ nonpublic personal information.

Incident Response Program

  • Covered institutions like SEC-registered investment advisors will be required to create an incident response program as part of their written policies and procedures. This program must be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
  • The incident response program must have procedures to assess the nature and scope of any such incident and to take appropriate steps to contain and control such incidents to prevent further unauthorized access or use. Policies and procedures must also be established, maintained, and enforced that are reasonably designed to require oversight of service providers, including through due diligence and monitoring.

Customer Notification Requirement

  • Covered institutions will be required to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. This notice must be provided as soon as practicable (but not later than 30 days) after the firm becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, except under certain limited circumstances.
  • The notices provided by covered institutions must include details about the incident, the breached data, and how affected individuals can respond to the breach to help protect themselves. However, a notice does not have to be provided if a determination has been made that the sensitive customer information has not been, and is not reasonably likely to be, used in a way where substantial harm or inconvenience would result.

Other Requirements

  • The safeguards and disposal rules are updated to bring them in line with amended Regulation S-P so that nonpublic personal information, including the information received from another financial institution, is covered.
  • Written records must be made and maintained documenting compliance with the requirements of the safeguards rule and disposal rule.

Next Steps

Large entities will have 18 months after the date of publication of the amendments to comply with the new requirements (24 months for smaller entities). Since a smaller entity must have less than $25 million in assets under management, most SEC-registered investment advisors will be considered large entities.

For more information about these rule changes, please contact NCA Compliance.

Hayley Nelson is the President and Principal Consultant of NCA Compliance, Inc., a compliance consulting firm providing a wide range of customized compliance solutions for investment advisors. Ms. Nelson previously worked for the Securities and Exchange Commission and a large investment manager in New York.