On May 15, 2024, the SEC adopted amendments to Regulation S-P, enhancing rules for handling consumers’ nonpublic personal information by certain financial institutions. These updates, targeting broker-dealers, investment companies, registered investment advisers, and transfer agents, address the increased use of technology and new risks since Regulation S-P’s initial adoption in 2000.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
So, what exactly does this mean for your firm? In this blog, we’ll highlight key takeaways from the new rule and how your firm can ensure ongoing compliance with these new requirements.
Understanding the Adopted Amendments to Regulation S-P
According to the SEC’s fact sheet, the amendments update the existing Regulation S-P by:
- Requiring covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information;
- Requiring that the response program include procedures for covered institutions to provide timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The adopting release sets the outer bound for that notice: as soon as practicable, but no later than 30 days after the institution becomes aware that such an incident has occurred or is reasonably likely to have occurred; and
- Broadening the scope of information covered by Regulation S-P’s requirements.
Implementing Cybersecurity Policies and Procedures to Meet Regulatory Requirements
Creating and implementing effective cybersecurity policies and procedures is the cornerstone of a strong cybersecurity program: they define how your firm protects itself and its clients from cyber threats, and they are the first thing an examiner will ask to see.
Your firm’s compliance team can use these strategies to create thorough cyber policies and procedures:
- Ensure regulatory alignment: Regularly review and update your firm’s cybersecurity policies and procedures to align with evolving regulatory requirements, such as those set forth by the SEC and FINRA. Tracking rule changes as they are adopted, rather than at exam time, keeps your controls current and lets your firm address emerging cyber threats while demonstrating a consistent commitment to client data protection.
- Perform an assessment and risk analysis: Before crafting cyber policies and procedures, conduct a comprehensive risk assessment tailored to your firm’s unique circumstances. Identify critical assets (in particular, every system that stores or transmits customer information), assess potential threats, and analyze vulnerabilities specific to your organization. Engaging cybersecurity experts or consultants may be necessary to perform a thorough risk analysis.
- Align with your firm’s business goals: Develop cybersecurity policies aligned with your firm’s business goals and risk tolerance. Key policies may include data protection, access control, incident response, and employee training. The incident response policy in particular should spell out who decides whether sensitive customer information was, or is reasonably likely to have been, accessed without authorization, and who owns the notification deadline.
- Document procedures: Translate policies into actionable procedures. Document in detail how specific cybersecurity processes should be executed, such as network monitoring, user authentication and patch management. Comprehensive procedure documentation guides employees in implementing security measures effectively.
- Incorporate vendor and third-party risk management: If your firm relies on third-party vendors, their cybersecurity practices are your risk, too. Implement a robust vendor risk management program to assess and monitor the cybersecurity practices of third-party vendors. Require vendors to adhere to cybersecurity standards and include security controls in contracts. The amended rule makes this explicit: a covered institution’s incident response program must include oversight, through due diligence and monitoring, of service providers that handle customer information, and those providers must notify the institution as soon as possible, and no later than 72 hours, after becoming aware of a breach of a customer information system they maintain. That notification clock only works if the contract requires it, so write the deadline and the contact path into the agreement.
Cybersecurity Compliance with COMPLY
In today’s interconnected digital business environment, robust cybersecurity measures are more critical than ever. The financial sector, with its sensitive data and fiduciary responsibilities, faces a particularly high level of cyber risk. In response, regulators like the SEC continue to introduce amendments to cybersecurity rules aimed at strengthening the defenses of financial firms.
While navigating these new rules may seem onerous for firms already struggling to maintain compliance with existing requirements, leaning into the right resources can help ensure programs continue to meet heightened regulatory scrutiny.
COMPLY’s cybersecurity solution follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework and is designed for your firm’s unique cybersecurity risks and regulatory requirements. It includes:
- Email phishing attack simulation
- Technology inventory and risk assessment
- Security awareness training
- Information security policy built upon the five core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover); note that NIST’s CSF 2.0, released in February 2024, adds a sixth function, Govern, which maps closely to the written-policy and oversight obligations in the amended rule
Have questions about how new regulations and amendments impact your firm? Navigate new rules with ease by leveraging COMPLY’s expert compliance consultants to back your firm with decades of regulatory experience.
Ready to power up your cyber program? Let’s talk!