The New Regulation S-P Requirements for Broker-Dealers
Regulation S-P has long required broker-dealers, investment companies, and investment advisers to adopt and implement a range of cybersecurity and privacy policies, including maintaining written cybersecurity policies, properly disposing of equipment that may contain sensitive information, and implementing privacy policies. The Commission proposed, and subsequently adopted, amendments that became effective on August 2, 2024 to update these requirements. The amendments add procedures such as notifying affected individuals within thirty (30) days of becoming aware of a breach, adopting an incident response plan, and broadening the scope of customer information that is covered. They also expand the types of institutions to which the regulation applies.
Timing of Notice Requirements
The notification timeline was based on a review of state data breach notification laws and, specifically, the deadlines those laws impose. The Commission noted that the thirty (30) day requirement is more demanding than the majority of state laws, which set no fixed deadline for notice. The Commission's release includes a graph depicting the status of state-law timing requirements[1].
Although the deadline is shorter than under most state laws, the Commission concluded that the shorter timeline was necessary given the sensitivity of the information involved.
The Commission also noted that the trigger for the timing requirement differs from state law. Under most state laws the notice period does not begin to run until a determination has been made that a breach occurred; under the amended rule it begins when the entity becomes aware of unauthorized access, or that such access is reasonably likely to have occurred. The Commission noted that:
In the final amendments…the beginning of the 30-day outside timeframe is a covered institution “becoming aware” that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.[2]
Under the amended rule, notice is presumptively required unless the covered institution determines, after a reasonable investigation, that notice is not required. And if a covered institution:
[I]s unable to identify which specific individuals’ sensitive customer information has been accessed or used without authorization, the final amendments require the covered institution to provide notice to all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed without authorization (“affected individuals”).[3]
Expanded Definition of Sensitive Data
The change in the scope of the information covered by the amendments is also a major expansion of the regulation. Under 248.30(a), the information covered includes:
[A]ll customer information in the possession of a covered entity, and all customer information that a covered entity maintains or otherwise possesses for business purpose, as applicable, regardless of whether such information pertains to individuals with whom the covered institution has a customer relationship, or pertains to customers of other financial institutions and has been provided to the covered institution. (emphasis added)
By covering all customer information regardless of how it was obtained, the amendments extend a covered institution's duty of care to individuals who are not its customers and who may have no contractual relationship with it.
The amendments also define "sensitive customer information" very broadly:
Sensitive customer information means any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information. (emphasis added)[4]
Because the definition turns on the risk of harm rather than on a fixed list of data elements, it can reach any unique identifier. The rule does provide examples, including Social Security numbers, biometric records, customer identification numbers, and telecommunications records.
Expansion of Covered Entities
Finally, the covered entities are defined in 248.30(d)(3) as:
Covered institution means any broker or dealer, any investment company, and any investment adviser or transfer agent registered with the Commission or another appropriate regulatory agency (“ARA”) as defined in section 3(a)(34)(B) of the Securities Exchange Act of 1934.
This definition includes small entities[5], but the Commission gives small entities a twenty-four (24) month compliance period (larger entities have eighteen (18) months) before they must comply with the amended requirements.
The amendments expand the notification requirements and increase the responsibilities of small entities. All covered institutions should consult with their attorneys to ensure adherence to the expanded requirements of Reg S-P.
[1] https://www.sec.gov/files/rules/final/2024/34-100155.pdf, pg. 165
[2] https://www.sec.gov/files/rules/final/2024/34-100155.pdf, footnote 546, pg. 165
[3] https://www.sec.gov/files/rules/final/2024/34-100155.pdf, pg. 25
[4] https://www.sec.gov/files/rules/final/2024/34-100155.pdf, pg. 344
[5] The release explains: "A broker or dealer is a small entity if it: (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year; and (ii) is not affiliated with any person that is not a small entity. This threshold was chosen to include all broker-dealers who do not fall within the definition of a small entity under the Regulatory Flexibility Act (5 U.S.C. 553). Based upon FOCUS filings for the third quarter of 2023, we estimate approximately 77% of broker-dealers, not including funding portals, would be considered larger entities. Based upon staff analysis and review of public filings, we estimate approximately 3% of funding portals would be considered larger entities." (https://www.sec.gov/files/rules/final/2024/34-100155.pdf, pg. 130)