SEC finalizes changes to customer data protection rule
The Securities and Exchange Commission (SEC) has updated its decades-old Regulation S-P rule governing customer data protection.
Under the SEC’s amendments, RIAs, broker-dealers and investment companies must notify customers within 30 days after becoming aware that an unauthorized use of their information occurred. The SEC also said that the rule, which governs the safeguarding and disposal of client information, would require companies to maintain written procedures for responding to a data breach and for notifying customers.
‘Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially,’ stated SEC chair Gary Gensler. ‘These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify.’
The SEC proposed the amendments to Regulation S-P in March of 2023.
The amendments, as the SEC laid out in a rule document, will impact hundreds of millions of customers nationwide, including about 51 million individuals who are clients of RIAs. However, about half of the roughly 15,500 RIAs registered with the Commission serve fewer than 62 clients each, the SEC also reported.
The text of the rule published by the SEC states that the rule applies to the personal information of clients of other financial institutions, in line with the proposed version of the rule.
‘For example, information that a registered investment advisor has received from the custodian of a former client’s assets would be covered under both the safeguard and disposal rules if the former client remains a customer of either the custodian or of another financial institution, even though the individual no longer has a customer relationship with the investment advisor,’ the text of the final rule states.
The rule requires an incident response program that is designed to detect, address and recover from a data breach. That program should also take steps to contain a breach and prevent any further unauthorized access.
Under the rule, RIAs would have to notify customers if there is a ‘reasonably likely’ risk of substantial customer harm from a data breach. Addressing this precedent, attorney Richard Chen of Brightstar Law Group said that RIAs would have to be ‘very careful’ when deciding not to notify customers.
‘The other major concern is that if the advisor is unable to identify which client’s information was impacted ... notification would need to be made to all clients whose information was in the affected customer information system,’ Chen said. ‘That is obviously harmful from a reputation standpoint, if it involves a minor breach.’
Per the SEC, larger entities, which include RIAs with $1.5bn or more in AUM, will have 18 months after the rule’s publication in the Federal Register to comply. Smaller entities will have 24 months to comply with the rule.