
The SEC’s Amendments to Regulation S-P: Enhancing Protections of Customer Information

June 27, 2024

On May 16, 2024, the Securities and Exchange Commission (SEC) announced amendments to Regulation S-P, which was first adopted in 2000. The changes are designed to keep pace with how financial institutions use technology to manage the personal information of their consumers and the corresponding digital risks that have increased since the original regulation.

This includes incidents caused by cyber attacks and the need for rules to keep pace with how threats have evolved. “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. [1]

According to the SEC, impacted entities that will need to comply with the amendments consist of “broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.”[2]

It is worth noting that these amendments are changes to Regulation S-P, which is an existing rule and separate from other SEC rules related to cybersecurity.

What Has Changed:

Incident Response – Covered institutions are required to have an incident response program capable of detecting, responding to, and recovering from unauthorized access to or use of customer information. This includes corresponding written policies and procedures that guide the program.

Further, the incident response program must also contain requirements regarding notifying individuals whose sensitive information may have been compromised.

Customer Notification Requirements – Once a covered institution learns that customer information was accessed by an unauthorized user, it is required under the amendments to give notice of this incident as soon as possible, but no later than 30 days.

The notification must provide specifics about the incident, what type of data was involved, and what impacted individuals can do to protect themselves in the aftermath of the incident.

Timing:

Once the amendments are published in the Federal Register, they will go into effect 60 days later. Larger entities will have 18 months from that date to reach compliance with the amendments, and smaller entities will have 24 months.

This is a fairly tight window to meet the SEC’s obligations, especially for financial institutions that lack a robust cybersecurity program.

Key Takeaways:

Covered institutions should start assessing their existing cybersecurity program to determine incident response and notification capabilities, as well as their compliance readiness status. This will allow for gaps to be identified and addressed, helping meet requirements included in the amendments. Preparations should include:

  • Conducting a compliance readiness assessment to determine preparedness status with Regulation S-P
  • Building or enhancing a robust incident response plan
  • Collaborating regularly with internal legal teams and establishing relationships with regulators
  • Assessing cybersecurity programs and policies and updating based on the evolving threat and regulatory landscape
  • Performing employee training to teach the criticality of each individual in protecting the organization and helping achieve compliance

Financial institutions should also evaluate how customer information is currently stored, managed, distributed and protected. With added scrutiny on how sensitive customer data is handled, covered institutions should work to ensure it is properly safeguarded.

Even if compliant with the amendments, an incident involving customer information can harm corporate reputation, damage customer trust, and cause investors to look elsewhere. Covered institutions should dedicate resources and proactively take steps ahead of the amendments being finalized to properly secure sensitive customer information.

A forward-thinking and dedicated approach to meeting the amended rules in Regulation S-P may be viewed as a mitigating factor by the SEC should an incident occur. Conversely, knowingly neglecting cybersecurity, specifically when it comes to protecting customer information, may result in more severe consequences.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.

FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.

FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2024 FTI Consulting, Inc.



[1] https://www.sec.gov/news/press-release/2024-58

[2] Ibid.