
SEC adopts amendments to Regulation S-P regarding cybersecurity requirements

Why retirement plan sponsors and fiduciaries need to know about the SEC's cybersecurity amendments

In 2021, the Department of Labor (DOL) issued cybersecurity guidance for ERISA-covered retirement plans. The guidance expands the responsibilities of plan fiduciaries when selecting service providers: the DOL makes clear that fiduciaries must evaluate the cybersecurity practices of a prospective service provider as part of the selection process.

On May 16, 2024, the Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P, which governs how certain financial institutions handle consumers' nonpublic personal information. The covered institutions are broker-dealers, investment companies, registered investment advisers and transfer agents, many of which market and provide services to retirement plans. Importantly, the amendments impose specific cybersecurity requirements on these institutions, which retirement plan fiduciaries should be aware of.

Some of the key requirements include:

  • Incident response program:
    • Covered institutions must develop, implement and maintain written policies and procedures for an incident response program.
    • The program must be reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information.
  • Notification requirements:
    • Covered institutions must notify individuals whose sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization, unless the institution determines after a reasonable investigation that the information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience.
    • The notice must describe the incident, the data involved and steps affected individuals can take to protect themselves.
    • Notice must be provided as soon as practicable, but no later than 30 days after the institution becomes aware of the incident.
  • Oversight of service providers:
    • Covered institutions must establish, maintain and enforce written policies and procedures reasonably designed to require oversight of service providers, including due diligence and monitoring.
    • Service providers must be required to take appropriate measures to protect against unauthorized access to or use of customer information and to notify the covered institution of a breach as soon as possible, but no later than 72 hours after becoming aware of it.

The amendments also require covered institutions to retain written records documenting compliance. Retention periods differ by type of covered institution, but in every case records must be kept for at least two years.

The amendments take effect 60 days after publication in the Federal Register. Larger entities then have 18 months from the publication date to comply, and smaller entities have 24 months.

When assessing the cybersecurity of a retirement plan service provider that is a covered institution, plan fiduciaries can use these requirements as a reference point: for example, asking whether the provider has a written incident response program and how quickly it will notify the plan of a breach. The SEC's notification timelines are also a useful benchmark for plan sponsors reviewing their own incident response plans, since a breach at a 401(k) plan service provider will typically involve the data of the sponsor's current and former employees.