What is SEC Regulation S-P and What Does it Mean for Your Cybersecurity Team?
First introduced in 2000, SEC Regulation S-P now considers the massive changes that information technology and information security have undergone in the last 24 years. This article will explain what has changed, the impact on your business, and what we can learn from these changes.
Why has the SEC updated now?
SEC Regulation S-P has been in place for almost a quarter of a century, and a lot of technological and cybersecurity water has flowed under the bridge since then.
Effective lawmaking allows for things like technological change and instead focuses on fairness, justice, and equity. This is particularly significant during periods of notable technological and economic progress, and the last 24 years have seen plenty of that. The update – which has been a matter of public knowledge for a year already – is intended to be just as resilient to change.
Even for organizations that don’t need to comply, it’s worthy of examination for examples of best practices and indications of wider future policy direction.
What is the SEC, and what does it regulate?
The SEC is responsible for regulating securities markets and protecting investors in the USA. In plain English, it exists to make sure everyone gets a fair deal. Due to the scale of the US economy, when the SEC changes rules, there’s a worldwide impact.
The SEC regulates ‘covered institutions’ – in the context of this particular rule change, that’s (according to the Commission) “…broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.”
If your business doesn’t fall into the above categories, you may still be affected, either as an investor yourself – you’ll likely be a customer of more than one of these covered institutions – as a service provider, or as a business customer. It’s also worth understanding the changes as an indication of the general direction regulators are starting to take when it comes to cyber security and incident reporting.
What is SEC Regulation S-P, and what’s changed?
SEC Regulation S-P covers how the organizations affected by the rule – those ‘covered institutions’ described earlier – protect customer information. In 2015, under the Fixing America’s Surface Transportation (FAST) Act, that definition expanded to crowdfunding organizations.
Under the update to Regulation S-P, covered institutions must adopt written policies to protect customer information during its entire lifecycle. That means covered institutions need to detail both what and how they will protect customer information, as well as how they will safely dispose of it once no longer required. Further, these organizations will need to implement privacy policy notices and opt-out provisions.
Here’s what’s changed with the 2024 update to SEC Regulation S-P:
- Covered institutions must develop, implement, and maintain written policies and procedures for an incident response program. The program must be reasonably designed to detect and respond to unauthorized access to, or use of, customer information. The program must have a response capability, too.
- The response program mentioned above must include procedures for covered institutions to provide timely notification to any individuals affected. That basically covers anyone whose sensitive customer information has been, or may have been, accessed or used without authorization.
- The final addition: the scope of information covered by the Regulation’s requirements has also been broadened.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
SEC.gov Press Release
Let’s Unpack This
Cybersecurity Impact on Your Organization
Every organization should have an incident response plan, and detection and response are also commonly regarded as good things to have in cybersecurity circles—to understate the matter. As we’ve seen lately, cyber risk has become a business issue for many boardrooms. Weighing the cost of an IR retainer or in-house capability against the ever-widening cost of a cyber incident makes more and more sense for organizations that store a lot of customer data. Understanding the life cycle of that data is also critical, and simply good business.
Bear in mind that there may also be overlapping regulatory requirements on cyber security best practices for your business, so understanding what additional burden this will place on your cyber security team and detection, response, and remediation plan capabilities is critical.
Breach Notification
SEC regulation S-P requires that notification happen within 30 days of the covered institution becoming aware of the incident, and it has to contain very specific information and guidance.
There are a couple of other interesting aspects to this. Namely, notification is not required if the covered institution determines after investigation that “…sensitive customer information has not been, or is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.”
There is also a provision to defer notification in the interests of national security or public safety—but this is at the discretion of the authorities.
Customer Information
There’s now more focus on customer information—how and where it is shared, stored, and processed—and its life cycle.
The expanded scope of customer information now includes information received from third parties and what happens to a customer’s information after they cease to be a customer.
It’s worth noting that there are other rules for other institutions subject to SEC mandates, so if you’re uncertain, it’s worth double-checking.
For example, in February 2022, the SEC introduced cyber security risk management rules for Registered Investment Advisers (RIAs), registered investment companies, and business development companies (funds). Collectively, these are referred to in SEC jargon as “Covered IM Entities,” and these rules overlap with what’s laid out in the updates to SEC Regulation S-P (while also affecting different organizations).
SEC Regulation S-P doesn’t directly affect my organization. Should I care?
In a word – absolutely. And there are two reasons.
First, and most importantly, if you provide a service to a covered institution and have access to, or handle in any way, customer data, then you need to start talking to those institutions sooner rather than later about what they expect from you.
Second, as a set of rules to work by, the update contains both advice on best practices and an indication of where future lawmaking may be heading.
We’re a covered institution. What do we need to do?
The good news is that the deadline for compliance is between 18 months and two years away. But it’s wise to look at what work needs to start now, if your business hasn’t already heeded the initial discussion published last year.
Larger entities have 18 months to comply from the point at which the amendment is published in the Federal Register, while smaller organizations have two years to get their house in order.
And while this might not affect your own business, it may be a relevant indication of what to look for in your cyber defenses.
What Next?
Regulations and laws change slowly; this is a feature, not a bug.
The amendments to SEC Regulation S-P bring a quarter-century-old regulation up-to-date from an information security perspective. It’s also likely that this and other recent and pending regulatory updates give a pointer to the sort of compliance and reporting requirements cyber security teams will be expected to work under shortly.
A couple of excellent sources for insight into the material changes can be found at the Harvard Law School blog and a redline comparison of the amendments in PDF form.
That said, if you’d rather speak to someone and get plain, unfiltered advice on what you need to do next, then we can help!