The SEC’s Regulation S-P amendments: Financial institutions seeking to respond to tightened data security regulations must start by understanding their data

United States financial institutions must urgently improve their data governance and information security policies to respond to tightened data security regulations including notifying customers within 30 days of a data breach. But where do they start?

In May, the Securities and Exchange Commission (SEC) adopted a set of amendments to Regulation S-P, sometimes referred to as the “safeguards rule”, that means affected institutions need to re-think their information security policies and practices, starting with an incident response program.

Regulation S-P, which had not been updated since it was passed in 2000, regulates the treatment of personal information of consumers by certain financial institutions, and the amendments are designed to modernize and improve the protection of consumer financial information.

This is all happening in the context of increasing requirements on financial institutions and public organizations, with the Federal Trade Commission requiring non-banking financial institutions to report data breaches as of May 11, and the SEC last year requiring public companies to report on material cybersecurity incidents they experience.

Below we will focus on the major changes, but the full text of the amendment is available here.

Who is impacted?

The new obligations apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.

What are the changes?

Establishment of an incident response program

The most notable change for most institutions will be the development, implementation, and maintenance of an incident response program in the event of unauthorized access or use of customer information, including notifying affected customers as soon as practicable, but within 30 days. This notice must include details about the incident, the breached data, and advice for customers seeking to protect themselves. As well as these requirements, the incident response plan must consider their supply chain.

Oversight of service providers

As part of these incident response programs, financial institutions must include policies and procedures to require oversight of service providers, which are defined as, “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” Institutions’ policies and procedures must ensure service providers take appropriate measures to protect against unauthorized access to or use of customer information, and provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware of the breach, similar to regulations in the European Union and Australia.

What information is covered under the rules?

The amendments define “sensitive customer information” to mean “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

How long do affected institutions have to come into compliance?

Larger entities will have 18 months, and smaller entities will have 24 months, from the date of publication in the Federal Register, to come into compliance.  

How should financial institutions prepare?

The above amendments are not exhaustive, but they represent a profound shift in the expectations placed on non-public financial institutions and will require most to overhaul their data governance and information security practices. They also require a comprehensive response that involves all aspects of an organization.

Understand the data lifecycle

The first step should be to map out the sensitive information lifecycle, paying attention to a few key aspects:

• When a service provider manages the data: Ensure your agreement with them meets the new obligations for notification.
• How sensitive information moves between systems: Ensure you keep track of how information flows and can identify when information is stored in “the wrong place”.

Ensure sensitive information is protected

Now that you know where your sensitive information is stored, you can ensure you are following the correct protection procedures. Does your organization consistently employ identity and access management tools like user management, privileged/admin users, deploying MFA, and so on? How about encryption at rest and in transit? These new rules mean it is time to start.

Manage retention policies

The more data you hold onto, the bigger the "blast radius” from a data breach. Ensure you are following rules for retention and deletion, so that sensitive data is removed as soon as it is no longer required. You may already be doing this to comply with other regulations, for example, if you are in one of the 18 US states with a modern privacy law.

Focus on the data, not the perimeter

Organizations must invest in cybersecurity tools and services, but they need to do so with a focus on their data. In 2023, 82% of data breaches involved data exposure held in cloud infrastructure. Your investment in encryption, or network or device security, may be insufficient if your users are storing data in insecure buckets, or poorly configured Software as a Service (SaaS) platforms. According to one study, 47% of companies have at least one exposed cloud-hosted database or storage bucket.  

To properly respond to this challenge, invest in a data security posture management (DSPM) solution, which focuses on understanding where your data is, who can access it, and whether it is secure.

There is still time—but not that much time…

While the scale of the challenge is great, impacted organizations have between 18 and 24 months to comply. There is still time, but remember the risk is not just about failure to meet these new regulations, but the much more immediate consequences of reputational damage and subsequent loss of market and customers. An immediate focus must be on understanding the data itself, throughout its lifecycle, and planning your response from there.

RecordPoint can enable a rapid response

RecordPoint offers next-generation data lifecycle management, allowing you to discover, understand, and protect your data, no matter where it lives. RecordPoint offers solutions throughout the data lifecycle:

Data discovery

RecordPoint integrates with all your essential business systems to help you discover and inventory your data, wherever it lives.

Data classification

Our machine learning (ML) models identify sensitive customer data, including Personally Identifiable Information (PII) and Payment Card Industry (PCI) data, across all your data sources, allowing you to defensibly dispose of data based on predefined criteria. With features like Intelligence Signaling and Classification Intelligence, we make it easy to automatically scan incoming data for PII and train ML models to auto-categorize based on content and context.

Compliance

Proactively manage compliance to reduce risk exposure over time. Our solution gives you a unified view of the entire data lifecycle, from ingestion, inventory, categorization, privacy, and minimization, allowing you to prioritize information management projects accordingly. Configure your own file structure and rules for categorization and disposal, and set up customizable rules to meet requirements like Regulation S-P. Automation enforces consistency and allows for compliance at scale.

Remediation

If a breach does occur, our platform will allow you to understand which data, and therefore which customers, have been affected so you can inform them in accordance with regulations like Regulation S-P. RecordPoint also empowers you with the information to take action to remediate and recover from the breach.

If you’re concerned about your ability to comply with the amended Regulation S-P, we can help. Reach out and schedule a demo today to learn more.

‍