On May 16, 2024, the Securities and Exchange Commission (“SEC”) unanimously voted to adopt amendments to Regulation S-P (“Amended Regulation S-P”), which were proposed last year. Adopted in 2000, Regulation S-P governs the way SEC registered investment advisers (“RIAs”) (and certain other financial institutions) protect sensitive customer information such as social security numbers, names, phone numbers, and addresses. For an RIA that manages private funds, this would include the protected information of the fund’s investors. Amended Regulation S-P expands protection of customer information and establishes standards for data breach notification and recordkeeping. 17 CFR § 248.30. Below, we outline a few key takeaways from Amended Regulation S-P as they apply to RIAs. The SEC’s Adopting Release can be viewed here.
Incident Response Program
Amended Regulation S-P requires RIAs to develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information. These written policies and procedures must include a program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. At a minimum, an incident response program must include the following procedures:
Containment and Control
Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information.
Notice to Affected Individuals
Notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The notice must be transmitted by a means designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing.
Generally, an RIA must provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.
The contents of the notice must include, among other things, the nature and date of the incident, the data involved, and means for the affected individuals to contact the RIA. Further, the notice must recommend that the affected individual periodically obtain credit reports from each nationwide credit reporting company and that the individual have information relating to fraudulent transactions deleted.
Oversight of Service Providers
An RIA’s incident response program must also include written policies and procedures designed to provide oversight, including through due diligence and monitoring, of its service providers (broadly defined to include any third party that receives, maintains, processes, or otherwise is permitted to access customer information through its provision of services directly to an RIA). Specifically, the policies and procedures must be reasonably designed to ensure that service providers (1) protect against unauthorized access to or use of customer information; and (2) notify the RIA as soon as possible, but no later than 72 hours after becoming aware of a security breach, so that the RIA can timely notify affected clients and investors.
Although an RIA may require service providers to notify affected individuals on the RIA’s behalf regarding data breaches, the obligation to ensure that affected individuals are notified rests with the RIA.
Recordkeeping
Amended Regulation S-P also includes new recordkeeping requirements, which include creating and maintaining:
- written documentation of any detected unauthorized access to or use of customer information, as well as any response to and recovery from such unauthorized access to or use of customer information required by the incident response program;
- written documentation of any investigation and determination made regarding whether notification to customers is required;
- written policies and procedures required as part of service provider oversight; and
- written documentation of any contract entered into pursuant to the service provider oversight requirements.
Updates to Annual Privacy Notice
Current Regulation S-P requires that a “clear and conspicuous” notice of the RIA’s privacy practices be provided to customers annually. Amended Regulation S-P clarifies that this means at least once in every consecutive 12-month period. Nevertheless, the current exceptions to the annual notice requirement (including an exception if the RIA has not changed its policies and practices with respect to disclosing protected information since it last provided a privacy notice to its customers) remain in effect.
Compliance Period
Per the SEC’s Press Release, Amended Regulation S-P will become effective 60 days after publication in the Federal Register. Larger entities (RIAs with $1.5 billion or more in assets under management) will have 18 months after the date of publication in the Federal Register to comply with Amended Regulation S-P, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.
Going Forward
To the extent RIAs do not currently maintain an incident response program, they should work on creating policies and procedures consistent with Amended Regulation S-P. Many RIAs will already have policies and procedures addressing data breach events. For example, many RIAs in Texas must already report data breaches to the Office of the Texas Attorney General if a data breach affects 250 or more Texans. In these cases, RIAs should review and update those existing policies and procedures to meet the compliance deadlines.
Covered institutions should also review their contracts with service providers and update those contracts as necessary to ensure service providers provide notice to the RIA as soon as possible after a data breach event, but no later than 72 hours after a service provider becomes aware of a data breach event.
Finally, RIAs should revisit their recordkeeping protocols surrounding data breach events to ensure those protocols record, maintain, and regularly update compliance efforts regarding Amended Regulation S-P.