SEC Adopts Data Privacy Rule Amendments to Regulation S-P

Who may be interested: Investment Companies; Investment Advisers; Broker-Dealers; Transfer Agents

Quick Take: The SEC adopted amendments to Regulation S-P imposing new data privacy and security requirements on broker-dealers, registered investment advisers, investment companies, and transfer agents (collectively, Covered Entities). The amendments, among other things, require Covered Entities to adopt an incident response program to detect, respond to, and recover from a breach of customer information; notify affected individuals when a data breach has, or is reasonably likely to have, occurred; enhance their oversight of service providers; and maintain records documenting compliance with the amendments. The amendments become effective in 18-24 months (depending on the Covered Entity).

A Covered Entity’s incident response program must include procedures to (i) assess the nature and scope of any incidents involving the unauthorized access to or use of customer information and identify the systems and types of customer information that may have been accessed or used; (ii) contain and control such an incident to prevent further unauthorized access or use; and (iii) notify customers whose sensitive customer information is, or is reasonably likely to have been, accessed or used without authorization.

A Covered Entity is not required to provide notice to a customer if the Covered Entity determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. A Covered Entity must provide notice to affected individuals as soon as practicable but not later than 30 days after discovering a breach has occurred or is reasonably likely to have occurred. Notices must describe the incident, the data that was breached, and how affected individuals can protect themselves.

In addition, the amendments require incident response programs to include policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers, including to ensure that affected individuals receive any required notices. These policies must be reasonably designed to ensure service providers take appropriate measures to (i) protect against unauthorized access to or use of customer information; and (ii) provide notification to the Covered Entity as soon as possible, but no later than 72 hours after becoming aware of a breach resulting in unauthorized access to a customer information system maintained by the service provider.

Other changes from the amendments include:

1. Expanding the scope of information covered by Regulation S-P’s requirements to safeguard customer records and information (Safeguards Rule) to cover the information of customers of other financial institutions where such information has been provided to the Covered Entity;
2. Expanding the scope of information covered by Regulation S-P’s requirements to properly dispose of consumer report information in a manner that protects against unauthorized access to or use of such information (Disposal Rule) to cover information of customers of other financial institutions where such information has been provided to the Covered Entity;
3. Subjecting transfer agents to the requirements of the Safeguards Rule and Disposal Rule;
4. Requiring Covered Entities (except funding portals) to create and maintain written records documenting compliance with the Safeguards Rule and the Disposal Rule; and
5. Creating an exception to the existing requirement to provide annual privacy notices when certain conditions are met.

Larger entities (which include fund complexes with net assets of $1 billion or more in assets under management (AUM) and registered investment advisers with $1.5 billion or more in AUM) have until December 3, 2025, to comply with the amendments, while smaller entities have until June 3, 2026 to comply.

For a more detailed discussion of the amendments to Regulation S-P, see S&K’s client alert here.

The SEC’s adopting release can be found here.