The Securities and Exchange Commission (SEC) today announced the approval of amendments to Regulation S-P to modernize and strengthen the rules governing the treatment of consumers' non-public personal information by certain financial institutions.
The amendments update the rule's requirements for broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents to address the expanded use of technology and the related risks that have arisen since the Commission originally adopted Regulation S-P in 2000.
The amendments require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access or use of customer information.
The amendments also require that the response program include procedures for, with certain limited exceptions, covered institutions to provide notification to individuals whose sensitive customer information has been or is reasonably likely to have been accessed or used without authorization.
The amendments require a covered institution to provide notice as soon as practicable, but no later than 30 days, after it becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notification must include details about the incident, the data that was breached, and how affected individuals can respond to the breach to protect themselves.
The amendments will take effect 60 days after they are published in the Federal Register. Larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.