SEC adopts cyber amendments to Regulation S-P: Top points

On June 3, 2024, the Securities and Exchange Commission (SEC or the Commission) published in the Federal Register amendments to Regulation S-P, which enhance data security requirements for consumers’ nonpublic personal information, including creating broad obligations related to data breaches (the Amendments).[1]

The Amendments require brokers, dealers, investment companies, registered investment advisers and transfer agents,[2] and funding portals[3] (covered institutions) to:

• Develop an incident response program: Covered institutions must develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to, or use of, customer information.
• Develop security policies and procedures to address vendor risk: Under the Amendments, covered institutions are required to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers, including to ensure that affected individuals receive any required notices.
• Notify affected individuals of an incident: A covered institution must provide notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of “sensitive customer information” has occurred or is reasonably likely to have occurred. The notice must include details about the incident, the breached data, and how affected individuals can protect themselves in response to the breach.

Larger entities will have 18 months after publication to comply with the new requirements (by December 2025), and small entities will have 24 months to comply (by June 2026).

The following article summarizes the Amendments and notes some next steps for covered institutions.

Incident response program

The Amendments require covered institutions to implement a written incident response program that is reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information.[4] The incident response program must have written policies and procedures that include the following elements:

(i) Assessment of any incident involving unauthorized access to or use of customer information.

The incident response program must include procedures for assessing the nature and scope of any incident involving unauthorized access to or use of customer information, and identifying the customer information systems and types of customer information that may have been accessed or used without authorization.

In the adopting release, the SEC also noted that covered institutions generally should consider reviewing and updating the assessment procedures periodically to ensure that the procedures remain reasonably designed.

(ii) Steps to contain and control the incident.

The response program must also include procedures for taking appropriate steps to contain and control a security incident, in order to prevent further unauthorized access to or use of customer information. The SEC clarified that developing and implementing written containment and control policies and procedures provides a framework to facilitate a covered institution’s decision-making during incident response; however, the underlying strategies for containing and controlling an incident will vary depending upon the type of incident. The SEC identified examples of strategies, including isolating compromised systems, enhancing the monitoring of intruder activities, searching for additional compromised systems, changing system administrator passwords, rotating private keys, and changing or disabling default user accounts and passwords.

(iii) Procedures to notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.

Covered institutions must provide a clear and conspicuous notice to affected individuals[5] whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless an exception applies. See below for a more thorough discussion of the notification requirement and exceptions. Unlike the assessment and containment requirements in (i) and (ii) above which apply to the broader “customer information,” the notification requirement applies only to “sensitive customer information.”

A covered institution’s notification procedures must be reasonably designed to notify each affected individual whose sensitive customer information was reasonably likely to have been compromised. The SEC Adopting release suggests a covered institution’s policies and procedures should be designed to include steps to assess notification obligations and then revisit any notification determinations whenever the covered institution becomes aware of new facts that are potentially relevant to that determination. For example, if at the time of the incident, a covered institution determines that risk of use in a manner that would result in substantial harm or inconvenience is not reasonably likely based on the use of encryption in accordance with industry standards, but subsequently the encryption is compromised or it is discovered that the decryption key was also obtained by the threat actor, the covered institution should revisit its determination.

The SEC acknowledged that there is no one-size-fits-all approach to incident response and clarified that the Amendments do not prescribe specific steps a covered institution must undertake when carrying out incident response activities. Rather, the Amendments provide minimum elements that covered institutions should use to create policies and procedures best suited to their particular circumstances.

Vendor risk management

The Amendments require that a covered institution’s incident response program include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence on, and monitoring of, service providers. The Amendments define “service provider” as “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” The adopting release clarified that this definition was intended to include affiliates of a covered institution.

Rather than explicitly mandating that covered institutions enter into written contracts requiring service providers to take certain appropriate measures as initially proposed, the Amendments require policies and procedures that are reasonably designed to ensure service providers take appropriate measures to (A) protect against unauthorized access to or use of customer information and (B) provide notification to the covered institution as soon as possible, but no later than 72 hours, after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider. Upon receipt of such notification, a covered institution must initiate its incident response program.

The Amendments permit a covered institution to enter into a written agreement with its service providers to notify affected individuals on the covered institution’s behalf in the event of an incident. However, the covered institution’s obligation to ensure that affected individuals are notified in accordance with the Amendments ultimately rests with the covered institution.

30-day incident reporting requirement

Subject to certain national security and public safety exceptions, covered institutions will be required to provide notice to all affected individuals[6] as soon as practicable, but not later than 30 days after becoming aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred, unless the covered institution has determined, after a reasonable investigation, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

What constitutes a “reasonable investigation” will depend on the particular facts and circumstances of the incident. However, the SEC adopting release states that “unauthorized access or use that is the result of intentional intrusion by a threat actor may warrant more extensive investigation than inadvertent unauthorized access or use by an employee.”

Pursuant to the Amendments, covered institutions (other than funding portals) that determine that notice is not required will be required to maintain a record of the investigation and basis for such determination for a period of time set by the Amendments, which varies by type of covered institution.[7]

If notice is required, it must include the following:

• A general description of the incident and the type of sensitive customer information that was or is reasonably believed to have been accessed or used without authorization
• The date of the incident, the estimated date of the incident, or the date range within which the incident occurred, to the extent this information is reasonably possible to determine at the time the notice is provided
• Contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident, including the following: a telephone number (which should be a toll-free number if available), an email address or equivalent method, a postal address, and the name of a specific office to contact for further information and assistance
• If the individual has an account with the covered institution, a recommendation that the customer review account statements and immediately report any suspicious activity to the covered institution
• An explanation of what a fraud alert is and how an individual may place a fraud alert in the individual’s credit reports to put the individual’s creditors on notice that the individual may be a victim of fraud, including identity theft
• A recommendation that the individual periodically obtain credit reports from each nationwide credit reporting company and that the individual have information relating to fraudulent transactions if any deleted
• An explanation of how the individual may obtain a credit report free of charge, and
• Information about the availability of online guidance from the Federal Trade Commission and usa.gov regarding steps an individual can take to protect against identity theft, a statement encouraging the individual to report any incidents of identity theft to the Federal Trade Commission, and the Federal Trade Commission’s website address where individuals may obtain government information about identity theft and report suspected incidents of identity theft.

“Sensitive customer information” is a new subset of customer information. The Amendments define “sensitive customer information” to mean “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” The Amendments include a non-exhaustive list of examples, such as Social Security numbers; driver's license or identification number; alien registration number; government passport number; employer or taxpayer identification number; biometric records; a unique electronic identification number, address, or routing code; or telecommunication identifying information or access device.

This 30-day reporting requirement is in addition to existing state law notification obligations.[8] In response to commentators who opposed potentially conflicting notification requirements, the SEC clarified that to the extent a covered institution has a notification obligation under both the Amendments and a similar state law, a covered institution may be able to provide one notice to satisfy both notification obligations, provided that the notice includes all information required under both the Amendments and the state law.

No regulatory notice requirement

The Amendments do not include a requirement for notification to the Commission. In its adopting release, the SEC clarified that the primary reason for the Regulation S-P amendments was to require that institutions have a reasonably designed incident response program to mitigate the potential harm to individuals whose sensitive information is exposed or compromised in a data breach and that they provide notices to affected individuals.

Other changes to the safeguards and disposal rules

The Amendments also include changes to expand the scope of the existing safeguards and disposal rules under Regulation S-P, including:

• Adoption of a new definition of “customer information” defining the scope of information covered by both the safeguards and disposal rules
• Creating recordkeeping requirements for covered institutions other than funding portals[9]
• Extending the scope of the safeguards and disposal rules to cover transfer agents, and
• Maintaining continuation of the same regulatory treatment for notice-registered broker-dealers as was required under the existing safeguards rule and disposal rule.

Changes to annual privacy notice requirement

In addition to the changes to the safeguards and disposal rules, the Amendments also revise requirements related to the delivery of privacy notices to provide an exception to the annual privacy notice requirement. The exception applies if the covered institution (1) only provides non-public personal information to non-affiliated third parties when an exception to third-party opt-out applies and (2) the institution has not changed its policies and practices with regard to disclosing non-public personal information from its most recent disclosure sent to customers.

Compliance dates

The Amendments will become effective 60 days after publication in the Federal Register (by August 2, 2024). Larger entities[10] will have 18 months after the date of publication in the Federal Register to comply with the Amendments (by December 2025), and smaller entities will have 24 months after the date of publication in the Federal Register to comply (by June 2026).

Next steps

The Amendments are complex and require careful evaluation. Some steps covered institutions should consider are:

• Examination of existing information security policies and procedures to determine whether and how those policies and procedures will need to be revised to reflect the new requirements.
• Evaluation of whether and how to align any existing policies and procedures governing security incident reporting requirements under other state and federal laws, with the requirements imposed by the Amendments.
• Evaluation of existing tools used to detect and investigate security incidents (for example, to monitor endpoints and collect access logs) to assess what, if any adjustments are needed to comply with the Amendments.
• Assessment of current information security governance policies and procedures to confirm that covered entities have adequate controls in place to appropriately report information regarding security incidents to individuals who have responsibility for assessing relevant security incidents and making determinations regarding notification requirements.
• Evaluation of contracts and other mechanisms used to manage third party service providers to determine whether any modifications are needed to comply with new requirements related to due diligence and monitoring of those service providers as well as requirements related to customer information shared with those third-party service providers. In addition, covered institutions are encouraged to evaluate what information received from third parties is viewed as protected information under the Amendments and consider whether that information is adequately protected under existing policies and procedures.
• Review of document retention schedules to determine what updates are necessary to comply with the Amendments.

For more information contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Security team.


^{[1] The SEC announced its adoption of the amendments on its website on May 16, 2024, available at https://www.sec.gov/news/press-release/2024-58. The amendments were initially proposed last year on March 15, 2023, followed by a public comment period. The public comment file is available on the SEC website at https://www.sec.gov/comments/s7-05-23/s70523.htm.
[2] The Amendments expand the scope of the Regulation S-P requirements to apply to transfer agents registered with the Commission or another appropriate regulatory agency.
[3] While funding portals are not defined as ‘covered institutions’ under the Amendments, pursuant to Regulation Crowdfunding (17 C.F.R. §§ 227 et. seq.), as the Amendments note, funding portals must comply with the requirements of Regulation S-P as they apply to brokers.
[4] Under the rule, a customer is an individual (or the individual’s legal representative) who obtains or has obtained a financial product or services that is used primarily for personal, family or household purposes.
[5] As relates to transfer agents, a customer is any natural person who is a shareholder of an issuer for which the transfer agent acts or has acted.
[6] The Amendments define a broad scope of “affected individuals,” to include any person whose sensitive customer information is reasonably likely to have been accessed or used without authorization. For example, if a covered institution is unable to identify which specific individuals’ sensitive customer information has been accessed or used, the Amendments would require the covered institution to provide notice to all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed. Note, a covered institution will not need to provide notice in connection with data residing on a system if it knows that information was not used or accessed.
[7] For more information about the applicable retention period see the SEC Adopting Release at Section II.C., available at https://www.federalregister.gov/d/2024-11116/p-611.
[8] All 50 states; Washington, DC; and most US territories (including Puerto Rico, Guam, and the Virgin Islands) have data breach statutes that require notification to affected individuals, government regulators, and/or national credit reporting agencies if there is a breach of certain categories of personal information. The state data breach statutes generally define a “breach” as the “unauthorized access to” or “unauthorized acquisition” of personal information. “Personal Information,” in turn, varies by state, but generally includes an individual’s first and last name, in combination with other specified data elements, which may include, a social security number or other government identifier; date of birth; credit card number and CVV; financial account number and PIN or access code; medical or health insurance information; or biometric information.
[9] The Adopting Release states that the recordkeeping requirements in the Amendments do not apply to funding portals as funding portals are already subject to recordkeeping requirements with regard to documenting their compliance with Regulation S-P.
[10] The SEC provided a table outlining which entities are considered to be “larger entities” for determining applicable compliance periods, which is available at https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information#footnote-122-p47698. For example, investment companies or groups of related investment companies with net assets of $1billion or more at the end of the most recent fiscal year, registered investment advisers with $1.5 billion or more in assets under management, and all broker-dealers and transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act will be considered “larger entities” for these purposes.}