Kirkland AIM

SEC Proposes Enhancements to Regulation S-P and Takes Other Steps Related to Cybersecurity

View PDF

The SEC recently proposed1 to enhance Regulation S-P’s provisions requiring investment advisers and investment companies to protect customer (e.g., fund limited partner and investment company shareholder) information, including a new requirement to notify individuals when their information was accessed or used without authorization.2 

Regulation S-P, adopted in 2000, broadly requires covered institutions like registered investment advisers, broker-dealers, investment companies and transfer agents to: (i) adopt written policies and procedures to safeguard customer records and information; (ii) properly dispose of customer information in a manner that protects against unauthorized access or use; and (iii) implement required privacy policy notice and opt-out provisions. 

Noting the evolution of the technological landscape and the ease with which individuals’ personal information can be shared, the SEC proposed to:

  • require covered institutions to adopt an incident response program reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information, and to make and maintain records documenting compliance;
  • generally require covered institutions to notify impacted customers as soon as practicable, but within 30 days of becoming aware that unauthorized access to or use of such customers’ information has occurred or is reasonably likely to have occurred; 
  • define and broaden the scope of information covered under Regulation S-P’s safeguards and disposal rules3; and
  • conform Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception provided by a 2015 statutory amendment.

The public comment period for the proposals will remain open until 60 days after the date of publication of the proposing release in the Federal Register. 

The proposals are part of a rapidly evolving landscape of financial industry cybersecurity requirements from the SEC and other regulators, and this alert will be followed by a separate Kirkland AIM providing additional detail and commentary. Please contact the Kirkland regulatory attorneys with whom you regularly work if you have questions regarding these proposals. 

1. The SEC fact sheet summarizing the Regulation S-P Release is available through this link: https://www.sec.gov/files/34-97141-fact-sheet.pdf

2. Separately, the SEC also proposed a new rule that would require broker-dealers and certain other market participants to adopt written policies and procedures to address cybersecurity risk and provide the SEC with immediate notice of significant cybersecurity incidents , which follows and generally aligns with the SEC’s February 2022 investment adviser cybersecurity risk management proposal. The SEC Fact Sheet summarizing the Cybersecurity Proposal is available through this link: https://www.sec.gov/files/34-97142-fact-sheet.pdf

Concurrently, the SEC also reopened the public comment period for the February 2022 investment adviser cybersecurity proposal to allow commenters to consider effects of the Regulation S-P proposal and the newly proposed broker-dealer rule on the investment adviser proposal. See our prior Kirkland AIM on the subject, SEC Proposes Significant New Cybersecurity Rules for Investment Advisers, Kirkland AIM (March 14, 2022) https://www.kirkland.com/publications/kirkland-aim/2022/03/sec-new-cybersecurity-rules-investment-advisers

3. The proposal is intended to consolidate, and expand the scope, of customer information previously used in privacy regulations, and is intended to reach any record containing “nonpublic personal information” of any customer of a covered institution, whether in paper, electronic or other form. In the Proposal, the SEC is seeking industry comment regarding the information that should be included or excluded from the definition.

Related Professionals

Norm Champ, P.C.

Norm Champ, P.C.

Partner New York
Scott A. Moehrke, P.C.

Scott A. Moehrke, P.C.

Partner Chicago
Michael Chu

Michael Chu

Partner Chicago
Matthew Cohen, P.C.

Matthew Cohen, P.C.

Partner Bay Area – San Francisco Bay Area – Palo Alto
Melissa S. Gainor

Melissa S. Gainor

Partner Washington, D.C.
Phil Vincent Giglio

Phil Vincent Giglio

Partner Austin
Nicholas A. Hemmingsen

Nicholas A. Hemmingsen

Partner Chicago
Xiao-Hong Jing

Xiao-Hong Jing

Partner New York
Daniel Kahl

Daniel Kahl

Partner Washington, D.C.
Alpa Patel, P.C.

Alpa Patel, P.C.

Partner Washington, D.C.
Eric L. Perelman

Eric L. Perelman

Partner New York
Noah Qiao

Noah Qiao

Partner New York
John T. Reinert

John T. Reinert

Partner Chicago
Nabil Sabki, P.C.

Nabil Sabki, P.C.

Partner Chicago
Reed T. Schuster

Reed T. Schuster

Partner Austin Chicago
Josh Westerholm, P.C.

Josh Westerholm, P.C.

Partner Chicago
Jina K. Yun

Jina K. Yun

Partner Chicago

Practices

This publication is distributed with the understanding that the author, publisher and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.