SEC Amends Regulation S-P to Require Data Breach Notifications and Additional Written Policies

May 23, 2024

On May 16, 2024, the SEC amended Regulation S-P to impose new data privacy and security requirements on broker-dealers, registered investment advisers, investment companies (whether or not they are registered with the SEC), and transfer agents registered with the SEC or another regulatory agency (collectively, “Covered Entities”). The amendments require Covered Entities to:

  • Adopt written policies and procedures for an incident response program to detect, respond to, and recover from a breach of customer or client data;
  • Notify affected individuals within 30 days after the Covered Entity becomes aware that a data breach incident either occurred or is reasonably likely to have occurred;
  • Enhance their oversight of service providers with respect to data processing; and
  • Maintain written records documenting compliance with the amendments.

The new federal data breach notification obligation adds to the existing state data breach notification obligations of Covered Entities.

Broadly consistent with state data breach notification laws, under the amendments, only data breaches of “sensitive customer information” trigger the notification requirement. “Sensitive customer information” consists of either: (i) information identified with an individual that, without any other information, could create a substantial risk of harm or inconvenience to that individual (such as a Social Security number, driver’s license number, or alien registration number); or (ii) combinations of identifying and authenticating information that could create a risk to an individual identified with the information (such as the individual’s name and the individual’s mother’s maiden name).

The following Covered Entities must comply with the new requirements within 18 months of the amendments’ publication in the Federal Register:

  • Investment companies and investment company complexes with net assets of $1 billion or more;
  • Registered investment advisers with $1.5 billion or more in assets under management;
  • All broker-dealers that have total capital of $500,000 or more, or that are affiliated with a person that is not a small entity; and
  • All transfer agents that:
    • received at least 500 items for transfer or at least 500 items for processing during the last 6 months;
    • transferred items for at least one issuer that was not a small entity; maintained master shareholder files that in the aggregate contained at least 1,000 shareholder accounts; or were named transfer agents for at least 1,000 shareholder accounts at all times during the last fiscal year; or
    • are affiliated with any person that is not a small entity.

All other Covered Entities have 24 months from the date of publication in the Federal Register to comply.

I. Incident Response Programs

The amendments require a Covered Entity to adopt a written incident response program reasonably designed to detect, respond to, and recover from the unauthorized access to or use of customer or client data. This program must include written procedures to (i) evaluate the nature and scope of such an incident; (ii) identify the systems and types of customer or client information that may have been affected; (iii) contain and control such an incident to prevent further unauthorized access or use; and (iv) notify customers or clients whose sensitive data is, or is reasonably likely to have been, accessed or used without authorization.

A Covered Entity may adopt any number of strategies¹ to contain and control an incident depending on the nature of the incident, but such strategies could include isolating compromised systems; monitoring intruder activities; looking for additional compromised systems; changing or disabling default user accounts and passwords; rotating private keys; and changing the passwords of system administrators.

II. Customer Notification

In addition, the amendments require a Covered Entity that has experienced a data breach to notify all affected customers or clients. Notices must describe the incident, the data that was breached, and how affected individuals can protect themselves. However, if a Covered Entity determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience, the Covered Entity does not have to notify the affected individual. The amendments do not define substantial harm or inconvenience. Any such determination should be thoroughly documented.

The amendments presume that notification is required, and a Covered Entity must rebut the presumption, after reasonable investigation, to avoid notifying affected individuals. What constitutes a reasonable investigation depends on the facts and circumstances of the data breach. For example, mis-addressed internal email is likely to warrant a less extensive investigation than an intentional breach by an outside hacker. If an investigation is inconclusive, the Covered Entity must provide notice to customers.

A Covered Entity must provide notice to affected individuals “as soon as is practicable” – and no later than 30 days – after discovering that a breach occurred or is reasonably likely to have occurred.

III. Service Provider Oversight

Each Covered Entity must create, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through monitoring and due diligence, of service providers. This may require a Covered Entity to enhance its service provider diligence process to include a more thorough review of the service provider’s data security policies and procedures. A Covered Entity may wish to require certain certifications provided by third parties (such as the International Organization for Standardization or “ISO”). A Covered Entity may also need to include contractual provisions providing for the Covered Entity’s ongoing monitoring of the service provider, which could include the right to directly audit the service provider’s data environment or review third-party audits. Finally, a Covered Entity should consider whether to require service providers to enter into a standardized data processing agreement to ensure adherence to the requirements of the amendments.

A Covered Entity may contract with service providers to deliver data breach notices, but if a service provider is contracted to deliver data breach notices, the Covered Entity remains liable for any errors or omissions committed by the service provider related to the notices.

IV. Recordkeeping

Covered Entities must create and maintain written records that show compliance with the requirements of the amendments, specifically:

  • Policies and procedures to safeguard customer records and information;
  • Documentation of any unauthorized access to or use of sensitive customer information that the Covered Entity detects, including any response to and recovery from such breach required by the incident response program;
  • Documentation of any investigation the Covered Entity undertakes in determining whether customer notification of a breach is required, including a copy of any customer notice distributed and any written documentation from federal law enforcement relating to a delay in notice for national security or public safety reasons;
  • Policies and procedures related to oversight of service providers, including contracts with service providers related to the service provider oversight requirements; and
  • Policies and procedures related to proper disposal of consumer report information.

V. Annual Privacy Notices

Finally, the amendments formally codify an exception already recognized by the SEC from the requirement that broker-dealers, investment companies, and registered investment advisers provide customers and clients with annual privacy notices. The exception applies to a Covered Entity that either (i) does not share non-public personal information (“NPI”) with any non-affiliated third parties, or (ii) only shares NPI with non-affiliated third parties pursuant to an exception that does not grant the customer or client the right to opt out of such sharing (such as sharing of NPI with a Covered Entity’s fund administrator, accountant, or payment processor); and it is available only when the Covered Entity has not changed its privacy policies and procedures since its last privacy notice.

¹ If a Covered Entity engages a third-party service provider to aid in an incident response, we suggest using outside counsel to retain the service provider so that such services fall under the attorney-client privilege.