The Securities & Exchange Commission announced on 15 May 2024 amendments to Regulation S-P directing how financial institutions handle non-public personal information. These revisions modify the requirements applicable to registered investment advisers, broker-dealers, investment companies and transfer agents, known jointly as “covered institutions.” Since Regulation S-P was first implemented in 2000, the increased use of technology has amplified the risk of breaches of customer financial data; the new amendments aim to address that risk and provide greater protection to consumers.
Key Revisions:
Incident Response Programs
Covered institutions are now required to incorporate an incident response program into their established written policies and procedures under the safeguards rule.
It must be adequately designed to detect, respond to, and recover from any unauthorised access to or use of customer data.
It must outline the procedures for evaluating the nature and extent of such incidents, containing them, and preventing further unauthorised access.
Obligatory Notification to Customers
Covered institutions are required to inform individuals whose private information has been accessed or used without authorisation.
The notification must be provided promptly, within 30 days of discovering the breach, unless specific conditions apply.
The notification must include information about the incident, which data was breached, and the steps the individual can take to protect themselves.
Other revisions:
A recordkeeping requirement: written records demonstrating adherence to the safeguards rule and the disposal rule.
An exception to the annual privacy notice requirement.
Expanded scope of the safeguards rule and disposal rule to cover all transfer agents registered with the Commission or another relevant regulatory agency.
Press Release: https://www.sec.gov/news/press-release/2024-58