
SEC Approves New Amendments to Regulation S-P

On May 16, the Securities and Exchange Commission (SEC) unanimously approved amendments to Regulation S-P that impose new requirements on investment advisers and broker-dealers for handling cybersecurity breaches. Larger entities must comply with the new rules by January 3, 2026, and smaller entities by June 3, 2026.

Regulation S-P previously consisted of three main elements: the information protection rule, the privacy rule and the information disposal rule. The information protection rule requires financial institutions – including broker-dealers, funding portals, investment advisers, registered investment companies and employee-owned securities companies – to adopt written policies and procedures to protect customers’ nonpublic personal information (Customer Information) from unauthorized access and use, including anticipated threats to the security or integrity of the Customer Information. The privacy rule requires these institutions to provide customers with initial and annual privacy notices that describe their information-sharing practices and inform customers of their rights. The information disposal rule generally requires financial institutions to properly dispose of customer and consumer information.

The amendments to Regulation S-P add a fourth element: covered institutions must adopt written policies and procedures that are reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer nonpublic personal information. This incident response program must include procedures to (1) assess the nature and scope of each incident; (2) take appropriate steps to contain and control the incident; and (3) notify affected individuals whose Sensitive Customer Information (as defined below) has been, or is reasonably likely to have been, accessed or used without authorization, unless the covered institution determines, after a reasonable investigation, that the Sensitive Customer Information has not been, and is not likely to be, used in a way that would cause significant harm or inconvenience.

“Sensitive Customer Information” is a subset of Customer Information that, if compromised, would create a reasonably likely risk of significant harm or inconvenience to the individual identified with the information. The amendments to Regulation S-P provide a non-exhaustive list of Sensitive Customer Information divided into two categories. The first category is information that can uniquely identify an individual (e.g., a social security number or biometric identifiers). The second category is information that can be used to gain access to an individual’s account (e.g., a username combined with a password or a mother’s maiden name).

Importantly, the revised rule expands the definition of Customer Information to include not only information about persons with whom a financial institution has a customer relationship, but also information about “customers of other financial institutions for whom such information has been provided to a covered institution.” This expanded definition of Customer Information does not apply to the Regulation S-P privacy rule, but does apply to the information protection rule, the information disposal rule, and the new rules for detecting and responding to unauthorized access to Customer Information (collectively, the Information Protection Rules). As a result, financial institutions are expected to adopt policies and procedures to ensure compliance with the Information Protection Rules with respect to nonpublic personal information they hold about individuals with whom they do not have a customer relationship.

The notice required under amended Regulation S-P must be provided as soon as practicable, but generally no later than 30 days after the financial institution becomes aware of unauthorized access to or use of Sensitive Customer Information. The notice must include detailed information about the incident, the data that was compromised, and how affected individuals can respond to the breach to protect themselves. Notice is required even if the financial institution is unable to determine which specific individuals’ Sensitive Customer Information was accessed or used without authorization. In such circumstances, the financial institution must notify all individuals whose Sensitive Customer Information resides in the customer information system that has been, or is reasonably likely to have been, accessed without authorization.

Under the amendments to Regulation S-P, financial institutions’ incident response programs must include policies and procedures “reasonably designed to require oversight of service providers, including through due diligence and monitoring,” to ensure that the financial institution complies with its customer notification requirements. Such policies and procedures must be reasonably designed to monitor whether service providers are taking appropriate measures to:

  • protect against unauthorized access or use of customer information; and
  • notify the covered institution as soon as possible, but no later than within 72 hours of becoming aware of a security breach resulting in unauthorized access to the Customer Information system maintained by the service provider.

The amendments also (1) require covered institutions, other than funding portals, to prepare and maintain written records documenting compliance with the requirements of the information protection rule and the information disposal rule; (2) align the annual privacy notice provisions of Regulation S-P with the exception added by the FAST Act, under which covered institutions are not required to provide an annual privacy notice if certain conditions are met; and (3) extend both the information protection rule and the information disposal rule to transfer agents.

Action steps

Review and update policies and procedures. Covered institutions must review their policies and procedures prior to the compliance deadlines. This should include updating existing information security and data disposal policies to include the expanded definition of Customer Information, updating incident response programs, and updating vendor risk management policies and procedures.

Assess overlapping incident notification requirements. The amendments to Regulation S-P add another requirement to the many notification requirements that financial institutions already face under other federal and state laws.
