In case you thought that the SEC’s interest in cybersecurity breaches was limited to public companies, think again. On May 16, 2024, the SEC adopted amendments to Regulation S-P, which governs the treatment of nonpublic personal information about customers by certain financial institutions. The amendments apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents. Specifically, they:
- require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information;
- require response programs to include procedures for covered institutions to provide timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization; and
- broaden the scope of information covered by Regulation S-P's requirements.
The amendments also:
- expand and align the safeguards and disposal rules to cover both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from another financial institution about customers of that financial institution;
- require covered institutions, other than funding portals, to make and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule;
- conform Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception added by the FAST Act, which provides that covered institutions are not required to deliver an annual privacy notice if certain conditions are met; and
- extend both the safeguards rule and the disposal rule to transfer agents registered with the Commission or another appropriate regulatory agency.
Larger entities will have 18 months following publication of the final rules in the Federal Register to comply with the amendments; smaller entities will have 24 months from the date of such publication to comply.
Please direct any questions or observations to Gunster securities law and corporate governance practice leader Bob Lamm or its banking and financial services practice leader, Greg Bader.
YES! PLEASE SIGN ME UP TO RECEIVE EMAIL ALERTS FROM OTHER GUNSTER PRACTICE AREAS.
This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.
About Gunster
Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 13 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Naples, Orlando, Palm Beach, Stuart, Tallahassee, Tampa Bayshore, Tampa Downtown, Vero Beach, and its headquarters in West Palm Beach. With more than 280 attorneys and consultants, and over 290 committed support staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at www.gunster.com