FINRA to Member Firms: “You Heard the SEC, Create Plans for Data Breaches Now!”
Broker Dealer Law blog
On May 15, 2024, the SEC announced it would make amendments to Regulation S-P (Reg S-P). This will be the first amendment to the regulation since its adoption 24 years ago in 2000. The regulation focuses on how institutions handle customers’ private personal information. The amendment comes in response to the ever-evolving technologies that expose individuals’ sensitive data to potential security breaches. SEC Chair Gary Gensler stated, “Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially” and that “amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”
The new amendments to Reg S-P require firms to (1) have an incident response program, including written policies and procedures, (2) provide notice to customers in the event of a breach no later than 30 days after its discovery, and (3) provide oversight through due diligence and monitoring of service providers, though firms ultimately retain the burden of ensuring that notice of any breach is provided to affected customers per Reg S-P’s requirements.