Newly Adopted Reg. S-P Amendments Modernize Consumer Data Protections

On May 15, 2024, the Securities and Exchange Commission adopted amendments to Regulation S-P (“Reg. S-P”) that are intended to modernize the protection of consumers’ personal financial information. In general, Reg. S-P governs how broker-dealers, investment companies, registered investment advisers and transfer agents (together, “Covered Institutions”) protect nonpublic personal information about consumers. The adopted amendments seek to reduce the risk of harm to individuals as Covered Institutions use new technologies to obtain, share and maintain personal data, and as cybersecurity incidents become increasingly common.

Under the original Reg. S-P “safeguard” and “disposal” rules, Covered Institutions were required to adopt written policies and procedures for safeguarding customer records and information and for disposing of consumer report information. Once effective, the adopted amendments (1) extend the safeguard rules by requiring Covered Institutions to develop, implement and maintain written incident response programs (“IRPs”) as part of their written policies and procedures, (2) modernize customer notification requirements by requiring procedures that provide timely notice to affected customers, and (3) broaden the scope of information covered under Reg. S-P to include nonpublic personal information (i) collected by the Covered Institution from its own customers or (ii) received from other financial institutions about those institutions’ customers.

The adopted amendments require Covered Institutions to integrate updated IRPs into their written policies. Updated IRPs should include procedures that:

  • are reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information.
  • assess the nature and scope of the incident and contain and control the incident to prevent further unauthorized access or use.
  • require oversight of service providers, including through due diligence and monitoring, so that the Covered Institution can confirm that each provider is protecting the customer information it handles and will notify the Covered Institution of a breach.

Additionally, the adopted amendments create a federal minimum standard for data breach notifications. Under an exemption in the adopted amendments, a Covered Institution will not be required to notify customers of an incident if, after a reasonable investigation of the facts and circumstances, it determines that the affected customer information has not been, and is not reasonably likely to be, used in a manner that results in substantial harm or inconvenience to the customer. If notification is required under the adopted amendments, then the Covered Institution must:

  • provide notification as soon as practicable, but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
  • include details about the breached data and information on how affected individuals can respond and protect themselves.

Once the amendments take effect later this summer, larger Covered Institutions will have until February 20, 2026, and smaller Covered Institutions until August 20, 2026, to comply with the amendments.

If you have any questions about Regulation S-P or protecting customer information of Covered Institutions, please contact a member of Harter Secrest & Emery’s Securities and Capital Markets group.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2024 Harter Secrest & Emery LLP