SEC Amendments to Regulation S-P
Impacts and how to prepare
Overview of Amendments to Regulation S-P
On May 15, 2024, the SEC announced amendments to Regulation S-P. Generally, Reg S-P requires all firms to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. The amended rule requires all broker-dealers, registered investment advisors, investment companies, and transfer agents to have and maintain an incident response plan.
What is an Incident Response Plan?
An incident response plan is similar to a business continuity plan or a disaster recovery plan, in that your firm is reviewing business and technology processes and determining how to mitigate or prevent disruptions. An incident response plan is meant for network or security incidents that can result in unauthorized access, data compromise, or data egress (e.g., a phishing attack).
Modernizing Consumer Financial Information Protection
Simply stated, the new amendments are designed to modernize and enhance the protection of customer records and information by mandating that every firm have an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The amendments also require that the response program include written policies and procedures for providing timely notification to affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
In addition to these two broad amendments, the newly adopted amendments cover several other key changes, such as expanding the procedures to safeguard customer records to cover additional types of information, requiring documentation of compliance with the rules, and modifying the exceptions for annual privacy notice delivery under the Gramm-Leach-Bliley Act.
Compliance Timeline and Deadlines
The updated rules were published in the Federal Register on April 6, 2023, with an effective date of 60 days later. Larger entities will have 18 months and smaller entities will have 24 months after the date of publication in the Federal Register to comply.
Regulation S-P Compliance Support
Oyster Consulting has extensive experience working with firms on their incident response plans and overall business resiliency. We will work collaboratively with your incident response team to establish the right plan, customized to your business. Our experts will also provide guidance so you know when and how to activate the plan. Together, these can make all the difference in your ability to recover from a disruptive event at any time, anywhere.
Oyster’s process can take you through exercises including, but not limited to:
- Current risk identification
- Impact analysis
- Third-party exposure
- Key position/functional identification
- Geographic footprint considerations
- Work from home policies and connectivity requirements
- Adherence to regulatory mandates
- Data protections
- Recovery site, recovery time and recovery point identification
- Response scripts, mock event testing and tabletop exercises
- Internal and external communication template creation
- Employee education
Oyster’s regulatory compliance consultants provide advice, guidance and support. Our experts apply industry best practices to develop, review, and revise your firm’s current business continuity and disaster recovery programs, and to incorporate the newly amended requirements into your incident response plan.