
SEC Unveils New Look for Regulation S-P: What Your Organization Needs to Know

Thrive continuously monitors changes in the regulatory environment so that we are prepared to help our clients achieve and maintain compliance. The U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P (Reg S-P) on May 15, 2024, with compliance deadlines of 18 or 24 months after the effective date depending on organization size (see Table 3 under Section II.F of the final rule for the size definitions). Regulation S-P specifies how covered institutions must protect consumer financial and personal information under the Safeguards Rule, and how they must securely dispose of covered information under the Disposal Rule (collectively the "Rules" herein). This post provides a synopsis of the key rule elements and the practices and technologies that can support compliance. The changes are "designed to modernize and enhance the protection of consumer financial information" through three primary updates:

  • Requiring incident response program policies and procedures.
  • Mandating "timely" notification to affected individuals after a breach of sensitive customer information.
  • Expanding the scope of information and entities covered under the Rules.¹

Many covered entities have already begun adjusting their information security and compliance strategies over the past few years in light of elevated regulatory activity from the SEC, including multiple proposals specifically focused on information technology and cybersecurity risk. While there are no surprises in the Regulation S-P updates, organizations subject to the Rules should now evaluate their current practices to confirm alignment from a policy, technical capability, and operational perspective.

Incident Response Plan (IRP) Requirements 

The adopted changes require implementation of an "incident response program for unauthorized access to or use of customer information, including customer notification procedures" that is reasonably designed to "detect, respond to, and recover from" unauthorized access to or use of customer information.² A comprehensive incident response program is rooted in an accurately scoped policy, enabled by appropriate technology implementations, and maintained by complementary operational processes.

Policy

An IRP is a written document, formally approved by management, that describes the types of cyber threats the business is likely to face and the controls in place for detecting, responding to, and recovering from those events. A risk-based approach is important when designing an IRP: organizations should first perform activities such as data classification and business impact analysis so that the policy is appropriately scoped.

With respect to Reg S-P specifically, covered entities should identify which type(s) of covered information they collect, where that data is stored, and what data protection and access controls are in place. The updated Rules explicitly require that the program be able to assess "the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of information that may have been accessed or used without authorization".² The IRP should of course cover the entire business entity, but knowing where the critical data and information assets reside is a necessary precursor both to designing an appropriate layered defense model and to demonstrating compliance with the updated regulation.

Technical Implementation  

Technical controls supporting the IRP should include detective and preventive measures selected and configured specifically for the organization's environment. There is no "one size fits all" approach, which is why an accurately defined policy is fundamental to selecting and deploying the right technical safeguards. Common deployments include (but are not limited to):

  • Data Security: encryption (at rest and in transit), access controls, network segmentation, data governance monitoring, and data loss prevention (DLP) mechanisms such as blocking removable media and monitoring outbound communications for unprotected sensitive data. Organizations should also have secure data disposal and destruction mechanisms in place so that discarded media does not become a source of unauthorized access.
  • Asset Security: Next-generation asset-based solutions such as Endpoint Detection and Response (EDR) software provide live monitoring of user assets across the environment and proactively detect, prevent, and alert on malicious activity. Full-disk encryption is built into many modern operating systems, while agent-based tooling can keep devices up to date (e.g., RMM) and restrict the connections or applications permitted on managed devices (e.g., URL filtering, removing local administrative rights, hardening configurations to disable unused ports and protocols).
  • Network Security: Networks (including offices, data centers, and cloud/SaaS environments) must be protected with appropriate threat detection and response capabilities. Solutions include Managed Detection and Response (MDR), Extended Detection and Response (XDR), conditional access, Identity and Access Management (IAM), enterprise firewalls, and zero trust architecture (ZTA). Log aggregation and secure, tamper-resistant log storage are also important, since they are what make forensic examination and accurate reporting possible if a material incident occurs.
  • Availability / Recovery: Incidents can (and will) still happen even with best-of-breed security solutions in place, and the business must be able to recover efficiently when they do. Solutions that support availability include backups, geographically diverse disaster recovery (DR) environments, and high-availability cloud configurations.

Operational Considerations

Having skilled resources in place to write policy and to design and implement appropriate controls is where compliance with Reg S-P begins, but ongoing monitoring and response is where the value is continually delivered. Organizations should ensure that the people receiving and monitoring the output of detective and preventive systems, whether in house or outsourced, are suitably trained to interpret the data and take corresponding action when anomalous or malicious activity is detected. Many organizations choose to work with an outsourcing partner (e.g., an MSSP) that provides 24x7 Security Operations Center (SOC) monitoring and incident response services.

Breach Notification  

The updated regulation also mandates that incident response programs include procedures to notify affected individuals "whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization".² Notably, the same clause states that notification is not required if, "after a reasonable investigation", the covered institution determines that "the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience".²

Meeting this requirement calls for careful analysis by multiple stakeholders, including legal, operations, and information technology. That analysis is only possible, however, if the foundational elements referenced above are already in place, specifically data classification, data governance, data protection, and security monitoring, logging, and reporting. A gap or weakness in any of these areas may prevent an organization from justifying a notification exemption or from providing an accurate disclosure of events. If an organization cannot determine which systems and data assets were affected by an incident, it may have to notify all current and former customers.

Breach Notification Timeline

The updated regulation also requires a "clear and conspicuous notice to affected individuals" delivered by means "designed to ensure that the individual can reasonably be expected to receive actual notice in writing".² Importantly, there is now a 30-day clock on providing the notification, which may be delayed only if the U.S. Attorney General has determined that providing it would "pose a substantial risk to national security or public safety".² There are also specific notice standards (Section II.A.3a of the final rule) that organizations should review for determining whether a notice is required and for the methods of delivering it under various circumstances. Sections II.A.3b and II.A.3c provide additional clarity on the definitions of "sensitive customer information" and "substantial harm or inconvenience" respectively, and should be consulted when designing the mechanisms the IRP uses to decide whether a notification is required.

Scope Adjustments 

The final Rules also include adjustments that broaden both the scope of entities subject to the required activities and the scope of covered data.

Service Providers

Service providers are not brought under the SEC's regulatory jurisdiction by the updated Rules (except those that are already covered entities). However, the Reg S-P update does add requirements that a covered organization's IRP must address:

a. appropriate measures for ensuring service providers are protecting covered information, and

b. mechanisms for the covered organization to receive notifications from service providers if a service provider experiences a breach affecting covered information.

The maximum allowable timeframe for a service provider to provide such notification is 72 hours in the final text. Covered organizations should work with their service providers to establish mechanisms designed to ensure that these notifications are received within the compliance time limit. This mandate again highlights the importance of thorough data classification and related analysis, which let an organization readily map which third parties are in scope for covered information. Receipt of a service provider notification should also automatically trigger the covered organization's IRP, including analysis of whether customer notification is required.

Definitions of Covered Information and Covered Entities

The updated regulation broadens the scope of protected information by introducing the term "customer information" (replacing "customer records and information"), defined as "any record containing nonpublic personal information as defined in Section 248.3I3 about a customer of a financial institution, whether in paper, electronic, or other form".² The definition covers any such "information that a covered institution maintains or otherwise possesses for a business purpose", so businesses subject to the regulation should adjust the scope of their data classification exercises to include all information that may fall into this category. The broadened scope now reaches information about both customers and non-customers that the organization may have received through other business relationships. This change is intended to provide additional consistency with the Gramm-Leach-Bliley Act (GLBA), which imposes similar and overlapping requirements in some situations. Importantly, the SEC notes that these protection obligations extend throughout the lifecycle of the information, including secure disposal, further underscoring the importance of a well-defined secure destruction and disposal process.

In addition to the information scope changes, the update extends the applicability of Regulation S-P to transfer agents, since they maintain detailed covered information about securities holders.

A Note on Recordkeeping  

The Reg S-P updates also add recordkeeping requirements for "written records documenting compliance with the requirements of the safeguards rule and of the disposal rule".² Retention periods vary by entity type, and covered organizations should review Table 1 under Section II.C of the final rule for the requirements relevant to their entity designation.

How Can Thrive Help?  

Thrive delivers global technology outsourcing for cybersecurity, cloud, networking, and other complex IT requirements. Thrive's NextGen platform enables customers to increase business efficiency through standardization, scalability, and automation, delivering outsized technology return on investment (ROI). Thrive accomplishes this with advisory services, vCISO, vCIO, consulting, project implementation, solution architects, and a best-in-class subscription-based technology platform, and delivers high-touch service through its POD approach of subject matter experts and global 24x7x365 SOC, NOC, and centralized services teams. Learn more at www.thrivenextgen.com.

Disclaimer: Nothing herein shall constitute legal advice, compliance directives, or otherwise. Covered entities should consult an attorney and/or other compliance professional regarding their organizations’ compliance obligations, including, without limitation, the regulations described herein.  

Source Information:  

1 – https://www.sec.gov/files/34-100155-fact-sheet.pdf

2 – https://www.sec.gov/files/rules/final/2024/34-100155.pdf