SEC Changes to the SP Regulation

On May 16, 2024, the Securities and Exchange Commission adopted amendments to Regulation SP, a regulation that regulates the processing of consumers’ nonpublic personal information by certain financial institutions. The changes apply to broker-dealers, investment firms and registered investment advisers (collectively, “covered institutions”) and are intended to modernize and enhance protections for consumers’ financial information. Regulation SP continues to require covered institutions to implement written policies and procedures to protect customer records and information (the “Security Rule”), to properly dispose of consumer information to protect against unauthorized uses (the “Deletation Rule”), and to implement a privacy policy policy notice with an opt-out option. Registered investment advisers with assets under management of more than $1.5 billion will have until November 16, 2025 (18 months), and entities with less will have until May 16, 2026 (24 months).

Incident response program

Covered institutions will be required to implement an Incident Response Program (the “Program”) in their written policies and procedures if they have not already done so. The program must be designed to detect, respond to, and recover customer information from unauthorized third parties. The nature and scope of the incident should be documented and further steps taken to prevent further unauthorized use. Covered institutions will also be responsible for adopting procedures to oversee third-party service providers that receive, store, process, or access their customer data. The Safeguards Rule and Deletion Rule require that nonpublic personal information received from a third party about its customers be treated the same as if it were your own customer.

Customer notification requirement

The changes require covered institutions to notify affected individuals whose sensitive customer information has been or is likely to have been accessed or used without authorization. The amendments require a covered institution to notify as soon as practicable, but no later than 30 days after becoming aware, that unauthorized access to or use of customer information has occurred or is reasonably likely to occur. Notifications must include details about the incident, the data that was breached, and how affected individuals can respond to the breach to protect themselves. A covered institution is not required to provide notice if it determines that sensitive customer information has not been, and is not likely to be, used in a way that would cause significant harm or inconvenience. To the extent a covered institution will have a notification obligation under both the final amendments and a similar state law, the covered institution may be able to provide a single notice to satisfy the notification obligations under both the final amendments and state law, provided , that the notice includes all information required under both the final changes and state law, which may reduce the number of notices an individual receives.

Record keeping

Covered institutions will have to keep and keep the following data in their books and registers:

  • Written policies and procedures to be adopted and implemented in accordance with the Security Policy, including an incident response program;
  • Written documentation of any unauthorized access to or use of customer information detected, and any response and recovery from such unauthorized access to or use of customer information required by the incident response program;
  • Written documentation of any investigations and determinations made regarding the need to notify customers, including the basis for any determinations made and any written documentation from the United States Attorney General related to the delay in notification, and a copy of any notices sent after such determination;
  • Written policies and procedures required for oversight of the service provider;
  • Written documentation of any contracts entered into in accordance with the service provider’s supervision requirements; AND
  • Written policies and procedures to be adopted and implemented as part of the takedown policy.

Registered investment advisers will be required to keep this documentation for five years, the first two years in an easily accessible place.