After 24 years, the Securities and Exchange Commission (SEC) has finally updated its landmark Regulation S-P (“Reg S-P”) to reflect the “nature, scale, and impact of data breaches.” Top of the list? A 30-day reporting policy on data breaches discovered within the financial sector. And that’s just the tip of the iceberg.
What Happened on May 16, 2024?
On May 16, 2024, the SEC formally adopted the amendments to Regulation S-P that it had proposed a year earlier.
What Is Regulation S-P?
Regulation S-P was enacted in 2000 and required financial firms to take documented measures to protect consumer information. Here are the specifics.
Who does Regulation S-P apply to?
- Registered broker-dealers
- Investment companies
- Investment advisors
What does Regulation S-P do?
It requires the above parties to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information,” per the SEC website. This includes:
- Protecting against anticipated threats
- Preventing unauthorized access or use
- Notifying customers annually of data sharing policies and consumer data rights
What Are the Amendments to Regulation S-P?
The 2024 amendments to Regulation S-P are designed to “modernize and enhance” consumer data laws for today’s world. To that end, they seek to accomplish three things:
1. Incident Response Plan
Requires financial firms to have a documented incident response plan that is reasonably designed to protect sensitive consumer data.
- This is nested under the Safeguards Rule.
- The incident response plan must be “reasonably designed to” detect, respond to, and recover from data breaches.
- It must assess the nature and scope of any incident and take steps to remediate it.
The Plan also requires financial firms to monitor their service providers, via written policies and oversight, to ensure similar breach-prevention standards are met.
2. 30-Day Consumer Breach Notification
Requires those same financial firms to have a plan in place to notify affected individuals in a timely manner when their data has been breached.
- Financial firms have 30 days after “becoming aware” of the breach to notify consumers, except in certain limited circumstances. This requirement does not apply, however, if the exposed data is not “reasonably likely” to cause any harm.
- That means notifying those whose data has been, or might reasonably have been, compromised.
- The notice must include details on the incident, details on the type of information revealed, and how affected consumers can take the next step to protect themselves.
3. Increased Scope
Expands the coverage of Regulation S-P’s requirements.
- This applies to and expands the scope of the Safeguards and Disposal Rules.
- Covered information now includes nonpublic personal information, whether collected by the institution about its own customers or received from another institution about that institution’s customers.
- Registered transfer agents are now also within the scope of the Safeguards and Disposal Rules, alongside the aforementioned registered broker-dealers, investment companies, and investment advisors.
Why the Need to Amend Reg S-P?
As SEC Chair Gary Gensler stated, “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially. These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”
Much has changed since the nascent internet days of the early 2000s. Technological complexity has increased and altered the way financial institutions ask for, store, keep, use, dispose of, and protect consumer information. For over two decades, the legal requirements for protecting that data had not kept pace. The amendments to SEC Reg S-P will bring mandates up to the standards and expectations of the modern era and highlight the need for transparency toward customers.
With so much at stake during a data breach, the facts must be known as soon as possible to avoid even greater fallout. On the business side, that fallout could include critical downtime, a likely dip in stock prices, potential disruption to the supply chain, and money spent on PR campaigns and re-training. On the consumer’s side, the consequences are obvious: stolen information, disrupted credit scores and bank accounts, and identity theft, to name three.
Said Gensler in the official press release, “The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
These changes come on the heels of one-year-old SEC legislation requiring publicly traded companies to disclose data breaches within four days of their occurrence. Since then, disclosures have been made by major corporations like Microsoft, Hewlett-Packard Enterprise, and UnitedHealth Group. Hopefully, this new legislation will prompt more companies to respond in kind.
What Is the Deadline for Complying with Reg S-P Amendment?
The new SEC amendments take effect 60 days after publication in the Federal Register, which puts the effective date at August 2, 2024. Larger companies will have 18 months to adjust to the compliance requirements; smaller companies will have two years.
Make Fortra Your Cybersecurity Ally
Our mission at Fortra is to help organizations increase security maturity while decreasing operational burden. Our vision is a stronger, simpler future for cybersecurity. Who’s with us?