Compliance and Regulatory Alerts | 05-29-24
SEC Finalizes its Data Privacy (Reg S-P) Rule: What you need to know
The SEC has finalized its amendments to Regulation S-P (Reg S-P), the rule governing the privacy and safeguarding of customers' nonpublic personal information (NPI). While the final version offers some relief compared to the initial proposal, there are still compliance actions to take. Here is a breakdown of what you need to know:
Key Changes to Reg S-P for Investment Advisers:
- Delayed Breach Notification: The final rule allows advisers to delay client notification for up to 30 days if the U.S. Attorney General determines that notice would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing.
- Service Provider Notification: The final rule extends the deadline for service providers to inform advisers of a breach from 48 hours (as proposed) to 72 hours after becoming aware of it. However, advisers remain responsible for ensuring that affected clients are notified.
- Compliance Deadlines: The final rule provides an 18-month compliance period (measured from publication in the Federal Register) for larger entities, and a 24-month compliance period for smaller entities (investment advisers with less than $1.5 billion in assets under management).
- Incident Response Plan: The final rule requires advisers to develop, implement, and maintain written policies and procedures for an incident response program to effectively detect, respond to, and recover from unauthorized access to or use of customer information.
- Expanded Data Scope: The final rule broadens the definition of protected customer information to cover not only NPI about an adviser's own clients but also NPI the adviser receives from other financial institutions about their customers.
- Notification Requirements: The final rule requires advisers to notify affected individuals as soon as reasonably practicable, but no later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Importantly, notification is not required if the adviser determines, after a reasonable investigation, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.
- Recordkeeping: The final rule adds requirements for advisers to make and maintain written records documenting compliance with the new regulations.
- Annual Privacy Notices: The final rule may require advisers to review and update their client privacy notices so that they reflect the amended Reg S-P requirements.
Remember, while the extended compliance timeline provides some breathing room, it is crucial to begin preparing now. Contact Bates Group today for help ensuring a smooth transition and maintaining strong data security for your clients.