On May 16, 2024, the SEC adopted amendments to Regulation S-P to enhance and modernize consumer privacy protections in light of technological developments in how individuals’ personal information is collected, shared and maintained.  Regulation S-P applies to broker-dealers (including funding portals), investment companies, registered investment advisers and transfer agents (“covered institutions”) and currently requires (1) covered institutions (excluding transfer agents) to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information (the “safeguards rule”), and (2) covered institutions (including transfer agents) to properly dispose of consumer report information (the “disposal rule”).  The amendments are described below.

Scope. The amendments broaden and align the scope of information protected under the safeguards rule and the disposal rule by creating the newly defined term “customer information” to which the protections of both rules apply.  The new term provides greater specificity as to the information covered and expands the scope of the disposal rule, which currently only applies to consumer report information.  Additionally, transfer agents will now be required to comply with the safeguards rule.

Incident Response Program and Notification Requirements. The amendments enhance the safeguards rule to require covered institutions to adopt a written incident response program that is reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information, including procedures to assess an incident and take appropriate steps to contain and control the incident as well as customer notification procedures.  A covered institution will be required to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization as soon as reasonably practicable, but not later than 30 days after becoming aware of such actual or likely unauthorized access or use, unless the covered institution determines, after a reasonable investigation, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience to the affected individual.

Oversight of Service Providers. The amendments to the safeguards rule will also require covered institutions to adopt written policies and procedures reasonably designed to ensure service providers take appropriate measures to protect against unauthorized access to or use of customer information and provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to customer information.

Recordkeeping and Annual Notice Amendments. The amendments will require covered institutions (excluding funding portals) to maintain written records documenting compliance with the requirements of the safeguards rule and the disposal rule.  Additionally, covered institutions (excluding transfer agents) are currently required to provide customers with annual notices informing them of the institutions’ privacy practices.  The amendments codify an exception to this annual privacy notice requirement, consistent with the exemption in the Fixing America’s Surface Transportation Act (FAST Act).

Compliance Dates. The amendments to Regulation S-P take effect August 2, 2024. Compliance with the amendments is required by February 2, 2026 for larger entities and by August 2, 2026 for smaller entities.  

The adopting release is available here, a related fact sheet is available here and a related press release is available here.