SEC Proposes Changes to Reg S-P, Require Written Policies and Procedures for Cybersecurity Incidents

In March, the Securities and Exchange Commission proposed rules that would amend Regulation S-P. The amendments would require broker-dealers, investment companies, registered investment advisers, and transfer agents to provide notice to individuals impacted by certain types of data breaches that may put them at risk of identity theft or other harm, and would also require proper disposal of consumer information. If adopted as currently drafted, the proposal would require these entities to adopt written policies and procedures for an incident response program. They would also need to provide notice to individuals whose sensitive customer information “was or is reasonably likely to have been accessed or used without authorization” as soon as practicable, but not later than 30 days after the entity becomes aware of a breach or that a breach was reasonably likely to have occurred. The public comment period will remain open until 60 days after the date of publication in the Federal Register.

Click here to read the proposed rules from the Commission.
Click here to read a Commission press release covering the proposed rules.
Click here to read a client alert from Ropes & Gray.