Earlier this month, the SEC announced proposed amendments to Regulation S-P that would enhance the protection of customer information by requiring investment advisers (as well as broker-dealers, investment companies, and transfer agents) to notify individuals who are affected by certain types of data breaches that may put them at risk of identity theft or other harm.
BACKGROUND
Regulation S-P, which was adopted in 2000, currently requires covered firms, including investment advisers, to adopt written policies and procedures to help protect customer records and information and to notify customers about how the firms use customers' personal information. Regulation S-P, however, does not currently require firms to notify customers about breaches.
PROPOSED CHANGES TO REGULATION S-P
Under the proposal, investment advisers and other covered firms would need to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. Covered firms would also need to provide notice to customers in cases where their sensitive customer information was or is reasonably likely to have been used or accessed without authorization.
NEXT STEPS
The SEC’s proposal will be subject to a comment period, which will remain open for 60 days after publication in the Federal Register. A copy of the proposed rule can be found here.
For more information about the proposed changes discussed above, please contact NCA Compliance.
Hayley Nelson is the President and Principal Consultant of NCA Compliance, Inc., a compliance consulting firm providing a wide range of customized compliance solutions for investment advisors. Ms. Nelson previously worked for the Securities and Exchange Commission and a large investment manager in New York.