The SEC has announced that it has adopted enhancements to Regulation S-P, the regulation protecting the privacy of consumer financial information. Accepted on May 16th, the changes will require covered institutions (broker-dealers, investment companies, registered investment advisers, and transfer agents) to keep affected individuals apprised of certain types of data breaches that may put them at risk.
More specifically, the adopted amendments are designed to improve protections of customer information by:
- widening the range of information covered by Regulation S-P’s requirements, first adopted in 2000
- requiring covered institutions to establish written policies and procedures for an incident response program to address unauthorized access to or use of customer information
- requiring covered institutions to have written policies and procedures to provide timely notification within 30 days to affected individuals whose sensitive customer information may be or may have been accessed or used without authorization
- requiring the response program to include procedures for, with certain limited exceptions, covered institutions to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization
- requiring notice to include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves
For more information, please refer to the Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer final rule on the SEC’s website.
The new rules go into effect 60 days following publication in the Federal Register. Larger entities will have 18 months after the date of publication to comply with the amendments, while smaller entities will have 24 months.
Source:
SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information (sec.gov)