On May 15, 2024, the US Securities and Exchange Commission (“SEC”) adopted amendments (the “Amendments”) to Regulation S-P under the Securities Exchange Act of 1934 (the “Exchange Act”), which governs the treatment of nonpublic personal information about consumers by certain financial institutions, to modernize and enhance the protections under the regulation.

The Amendments require broker-dealers, investment companies, SEC-registered investment advisers, funding portals, and transfer agents registered with the SEC or another appropriate regulatory agency as defined in Section 3(a)(34)(B) of the Exchange Act (“transfer agents) to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information. Notably, the Amendments create one of the first broad federal consumer notification requirements by mandating timely notification to individuals affected by an information security incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately.

The Amendments also extend the application of Regulation S-P’s requirements to safeguard customer records and information to transfer agents, broaden the scope of information covered by the requirements for safeguarding customer records and information and for properly disposing of consumer report information, impose requirements to maintain written records documenting compliance with the Amendments, and conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act in December 2015.

In this Legal Update, we provide an overview of certain aspects of the Amendments and guidance in the Adopting Release thereto.

Resource Downloads

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.