To address data security risks associated with emerging
technologies, the Securities and Exchange Commission (SEC) adopted amendments
to Regulation S-P to modernize and enhance rules governing the treatment of
consumers’ nonpublic personal information by certain financial institutions.
With the updated amendments, covered institutions will be
required to develop, implement and maintain written policies and procedures for
incident response programs reasonably designed to detect, respond to and
recover from unauthorized access to or use of consumer information.
These response programs must include procedures for notifying individuals whose
sensitive customer information was or is reasonably likely to have been
accessed or used without authorization, according to an SEC press release.
The amendments are intended to address the expanded use of
technologies offered by broker-dealers (including funding portals), investment
companies, registered investment advisers and transfer agents since Regulation
S-P was adopted more than 20 years ago.
“Over the last 24 years, the nature, scale, and impact of
data breaches has transformed substantially,” SEC Chair Gary Gensler said in
the release. “These amendments to Regulation S-P will make critical updates to
a rule first adopted in 2000 and help protect the privacy of customers’
financial data. The basic idea for covered firms is if you’ve got a breach,
then you’ve got to notify. That’s good for investors.”
Covered institutions will have to provide consumers notice
as soon as practicable, but no later than 30 days after learning their
information was reasonably likely to have been accessed or used without authorization.
The notice must include details about the incident, the breached data and how
affected individuals can respond to the breach to protect themselves.
According to a fact sheet
provided by the SEC, the newly adopted amendments also make the following
updates to Regulation S-P:
· “Expand and align the safeguards and disposal
rules to cover both nonpublic personal information that a covered institution
collects about its own customers and nonpublic personal information it receives
from another financial institution about customers of that financial
institution;
· “Require covered institutions, other than
funding portals, to make and maintain written records documenting compliance
with the requirements of the safeguards rule and disposal rule;
· “Conform Regulation S-P’s annual privacy notice
delivery provisions to the terms of an exception added by the FAST Act, which
provide that covered institutions are not required to deliver an annual privacy
notice if certain conditions are met; and
· “Extend both the safeguards rule and the
disposal rule to transfer agents registered with the Commission or another
appropriate regulatory agency.”
The amendments will take effect 60 days after publication in
the Federal Register. Larger entities will have 18 months following the
publication date to comply with the new requirements. Smaller entities will
have 24 months to comply.