Following the publication of a corresponding press release in March 2023, the U.S. Securities and Exchange Commission (SEC) has now published in the Federal Register its consultation on proposed revisions to Regulation S-P (17 CFR Part 248), which are aimed at enhancing (cyber) security management, customer information protection, and the disclosure of certain data breaches to customers. Among other things, the Commission seeks to expand the current requirements under Regulation S-P to:
(1) require covered institutions (brokers, dealers, investment companies, investment advisers, and transfer agents) to develop and maintain an Incident Response Program;
(2) require covered institutions that are relying on third-party service providers to demand of such providers the implementation of protective measures;
(3) require covered institutions to notify customers of any security breaches that may affect customers' personal data;
(4) expand the definition of "customer information" to include any information of customers held at the institution irrespective of whether or not the information was gained by an institution itself or was received from another institution; and
(5) expand the applicability of Regulation S-P to also include transfer agents that are not registered with the Commission itself.
Please refer to EventID 20105 for a detailed description of the proposed modifications.