The U.S. Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P that require investment adviser firms registered with the SEC to adopt written policies and procedures for an incident response program addressing unauthorized access to or use of customer information, including procedures for providing timely notification to customers affected by an incident involving sensitive customer information.
Securities Regulator
U.S. Securities and Exchange Commission
Rule
Amended Regulation S-P is available at https://www.sec.gov/files/rules/final/2024/34-100155.pdf (starting at page 332).
Compliance Date
The SEC’s amendments to Regulation S-P become effective 60 days after publication in the Federal Register (published 6/3/2024), and the compliance date for an investment adviser firm registered with the SEC is as follows:
For a Larger SEC Registered Investment Adviser ($1.5 Billion or more of AuM):
- 18 Months Following Amended Rule’s Publication in Federal Register; and
For a Smaller SEC Registered Investment Adviser (less than $1.5 Billion of AuM):
- 24 Months Following Amended Rule’s Publication in Federal Register.
Application
The requirements of Regulation S-P apply to investment adviser firms registered with the SEC.
Although Regulation S-P does not apply to an investment adviser firm that is registered only with a state securities regulator, the state may already require policies and procedures similar to these new requirements. A state registered firm should review the applicable state rule.
Urgency
If an investment adviser firm is registered with the SEC, this is a high priority.
Summary of Key Requirements
Incident Response Plan – An investment adviser firm must develop and maintain a written incident response program. This program should be designed to detect, respond to, and recover from unauthorized access to or use of customer information.
- Assessment – Must include procedures for assessing the nature and scope of any incident.
- Containment – There should be procedures for taking appropriate steps to contain and control a security incident.
Customer Notification – An investment adviser firm must notify each affected customer whose sensitive customer information was (or was reasonably likely to have been) accessed or used without authorization.
- Deadline for Notice to Customers – An investment adviser firm must provide notices to affected customers as soon as practicable (but not later than 30 days) after becoming aware that unauthorized access to or use of sensitive customer information has occurred (or is reasonably likely to have occurred).
- Content of Notice – The notice to affected customers must include the following: a description and the date of the incident; the type of customer information involved; contact information at the investment adviser firm for additional assistance; a recommendation that the customer review account statements and immediately report any suspicious activity; an explanation of how to place a fraud alert with the credit bureaus; a recommendation to periodically obtain credit reports; and a recommendation to visit the usa.gov website for guidance on how to avoid identity theft and to report any identity theft incidents to the FTC.
Service Provider – An investment adviser firm is required to establish and maintain written policies and procedures requiring oversight (through due diligence and ongoing monitoring) of service providers (including affiliates) with access to sensitive customer information.
- The service provider must protect against unauthorized access to or use of customer information.
- The service provider must notify the investment adviser firm as soon as possible, but no later than 72 hours, after becoming aware of a breach of a customer information system it maintains.
- Upon notification of unauthorized access, the investment adviser firm must initiate its incident response plan.
- The investment adviser firm may enter into a written agreement under which the service provider notifies affected customers on the firm’s behalf; however, the investment adviser firm remains responsible for ensuring that affected customers are properly notified.
Annual Delivery of Privacy Notice – Under the amended rule, there is an exception from the annual delivery of the privacy notice if the investment adviser (a) only provides non-public personal information to non-affiliated third parties when an exception to third-party opt-out applies and (b) has not changed its policies and practices with regard to disclosing non-public personal information from its most recent disclosures sent to customers.
CCO Action Items
The following are possible action items that a CCO could take (subject to discussions with the firm’s executives and outside compliance professionals):
- Update the investment adviser compliance manual to include an incident response plan and new due diligence requirements for service providers with access to customer information.
- Update agreements with service providers to reflect the obligation to protect customer information, the obligation to notify the investment adviser firm (within 72 hours) of any cybersecurity incident involving the customer information system, and whether and how the service provider will notify affected customers (within 30 days) in the event of unauthorized access to or use of sensitive customer information.
- Update the initial and ongoing due diligence questionnaires of service providers with access to customer information as related to cybersecurity and breaches.
- Train applicable staff members on the new requirements.
Takeaways
To the extent a state registered investment adviser is not currently required by a state securities regulator to develop and maintain an incident response plan, it’s likely that this new requirement by the SEC will change the expectations of such state securities regulator.
Investment adviser firms registered with the SEC will need to monitor whether service providers that have experienced a cybersecurity incident have properly notified affected customers; if the service provider has not properly notified the affected customers (in the event of unauthorized access to or use of sensitive customer information), the investment adviser firm will need to communicate directly with those customers.
Disclaimer
This regulatory alert is a brief summary which is general in nature and offered only for educational purposes. It should not be considered a comprehensive review or analysis of this development. There are certain requirements and exceptions outlined in the rule which are not covered in this regulatory alert. This communication is not intended to constitute compliance consulting advice or to apply to any particular investment adviser firm’s specific situation without further analysis. This regulatory alert is not a safe harbor or a legal opinion. The reader should study the actual guidance, rule or enforcement action in detail and consult with his or her compliance professionals. The information in this regulatory alert may become out of date.
Posted by RCC