May 20, 2024

SEC Adopts Important Rule Amendments to Regulation S-P

Contributed By - Thomas Yates: Managing Partner and Director, AdvisorAssist, LLC
On May 15th, the U.S. Securities and Exchange Commission adopted amendments to Regulation S-P, which requires Registered Investment Advisors (RIAs) to adopt written policies and procedures to safeguard customer records and information (the “Safeguards Rule”). These amendments aim to enhance RIAs’ policies and procedures for protecting sensitive client information, especially those covering incident response, client notification, disposal of sensitive client information, and service provider due diligence.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
While AdvisorAssist, LLC and AdvisorDefense, LLC are closely monitoring how this rule will be further interpreted, we anticipate more clarity from the SEC. As feedback comes in, we will continue to analyze and formulate guidance to help ensure adherence to amendments to the Safeguards Rule. That said, here is our current synopsis:

Compliance Date 

The amendments take effect 60 days after publication in the Federal Register, and Advisors then have the following timeline to comply:
  • Advisors with $1.5 billion or more in assets under management (AUM): 18 months
  • Advisors with less than $1.5 billion in AUM: 24 months

Enhancements to Regulation S-P

Incident Response Program - The amendment requires that Advisors adopt policies and procedures that are reasonably designed to detect, respond to, and recover from unauthorized access to, or use of, client data. Further, these policies must include the following:
  • Assessment: Advisors will evaluate the nature and scope of the breach and/or incident;
  • Containment: Implement remedial measures to prevent further incidents and/or unauthorized access; and
  • Notification: Policies must be in place to notify affected clients as soon as possible, but no later than 30 days after detection of the incident and/or breach, and ensure proper information is disclosed to the client.
Service Provider Oversight - As a component of the Incident Response Program, RIAs must implement policies and procedures designed to oversee Service Providers through due diligence and ongoing monitoring. The amendment defines “Service Provider” as any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution. RIAs must ensure that Service Providers have controls in place to protect against unauthorized access to, or use of, client information. Service Providers must notify Advisors of unauthorized access to client information as soon as possible, but no later than 72 hours after becoming aware of the breach.

Customer Notification Requirement - RIAs must notify affected individuals promptly when sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notices must include:
  • Comprehensive details about the incident.
  • Specifics on the type of data that was breached.
  • Instructions for affected individuals on how to address the breach and protect themselves.
An exception to the customer notification requirements exists when an RIA can evidence that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

Privacy Policy Delivery Requirements - RIAs are no longer required to deliver an annual privacy policy to clients, provided:
  • The RIA does not share nonpublic personal information with non-affiliated third parties (other than as permitted under certain enumerated exceptions, e.g., to service providers who perform services on behalf of the RIA, or as necessary to administer a transaction requested or authorized by an individual).
  • The RIA has not changed its privacy policies and practices from the policies and practices that were disclosed in the most recent privacy notice sent to individuals.
Books and Records - Maintenance of written records documenting compliance with the requirements of the Safeguards Rule and Disposal Rule.
  • Safeguards Rule: Policies and procedures to safeguard client records and information
  • Disposal Rule: Policies and procedures for the proper disposal of consumer report information in a manner that protects against unauthorized access to or use of such information
How AdvisorDefense, LLC Can Help!

AdvisorDefense provides cybersecurity consulting and managed security services specifically for Registered Investment Advisors. AdvisorDefense’s CEO, Philip Coniglio, is an experienced in-house Chief Information Security Officer for multiple RIAs and led security at one of the largest RIAs in the nation. Driven to provide cybersecurity guidance to RIAs of all sizes, AdvisorDefense can assist in preparing for compliance with these amendments. We are currently developing further guidance and communications on Regulation S-P and its impact on RIAs, including a full breakdown of the requirements and guidance on adhering to the regulation. Should you have any questions in the meantime, please reach out to your Consultant!
