The SEC adopted amendments to enhance the protection of consumer financial information

Amendments to Regulation S-P will likely require modifications to cybersecurity programs

The SEC adopted amendments to enhance the protection of consumer financial information by broadening the scope of information covered by Regulation S-P's requirements for covered institutions (broker-dealers, investment advisers, and others), and requiring, inter alia:

1. Adoption of an incident response program as part of their written policies and procedures under the safeguards rule that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including procedures to, among other things, assess the nature and scope of any such incident and take appropriate steps to contain and control such incidents to prevent further unauthorized access or use;
2. Establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including thorough due diligence and monitoring, of service providers; and
3. Notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization in the time and manner prescribed by the amendments, including providing notice as soon as practicable, but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, except under certain limited circumstances.

Larger entities will have 18 months, and smaller entities will have 24 months, after June 3, 2024, the date of publication in the Federal Register, to comply. Entities that are considered "larger entities" are (1) investment companies that, together with other investment companies in the same group of related investment companies, have net assets of $1 billion or more as of the end of the most recent fiscal year, (2) SEC-registered investment advisers that have $1.5 billion or more in assets under management, (3) all broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act, and (4) all transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act. "Smaller entities" are those covered institutions that do not meet these standards.