On May 16th, the SEC announced its final rule relating to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information.
Reg S-P – which is a couple of decades old – already required RIAs, investment companies and broker-dealers to have written policies and procedures relating to the disposal and safekeeping of customer records. The amended regulation, which becomes effective Aug 2, 2024, widens the scope significantly.
Now, covered institutions (and there are almost no exceptions for smaller registrants) must have a defined incident response program, which includes oversight of service providers – most notably to ensure those service providers provide notification in the event of a data breach. They must have a procedure in place to notify customers whose data was accessed as part of a breach as soon as reasonably possible, and no later than 30 days. There are also new recordkeeping requirements, and the types of information covered by the existing safeguarding / disposal rule have been expanded.
This latest rule continues a general trend of the SEC expanding cybersecurity breach reporting requirements for any firm or organization within its purview. Those who follow my blog will recall this post https://www.bwcyberservices.com/recent-sec-cybersecurity-legal-action-a-foreboding-sign-for-asset-managers/ from the back end of last year, where I offered my thoughts on this trend.
Net/net – If, through no fault of the covered entity, a covered entity’s service provider suffers a data breach and the covered entity doesn’t notify its investors in a timely manner, the SEC is going to make an example of the covered entity.
In response – Please make sure you have an Incident Response Plan (IRP) and ensure that this plan explicitly describes the notification process needed to meet the 30-day reporting requirement. Separately, ensure your vendor management program includes contractual language requiring all your vendors to notify your organization within 72 hours of a data breach involving your firm’s data.
My final thought: I’m all for increased cybersecurity protections. And sadly, I do see many organizations that turn a blind eye to appropriately protecting themselves and their investors. I just wish the regulators would also focus on “Victim Response” in addition to victim punishment. With all this in mind, I will close by putting on my ‘common sense hat’, in conjunction with my extensive background conducting wire fraud investigations, and asking a simple question: “Has the SEC ever provided guidance on where and how covered victims can obtain immediate government assistance in the event of a wire fraud?” Now that would be a helpful component to include in the newly amended Rule S-P.