Advisory firms are subject to various regulations aimed at safeguarding client data, including the Red Flags Rule under the Fair Credit Reporting Act (FCRA), which requires firms to detect and prevent identity theft, and the Fiduciary Rule, which requires firms to act in the best interest of their clients when managing assets. In addition, firms must implement a comprehensive Written Information Security Policy (WISP) addressing the protection of client data through administrative, technical, and physical safeguards. While these rules collectively shape a firm's cybersecurity and client protection obligations, this article focuses solely on Regulation S-P (Rule 248.30) and its recent amendments, which provide specific guidance on the protection of customer information and the requirements for advisory firms to safeguard sensitive data.
Introduction
Regulation S-P, enacted under the Gramm-Leach-Bliley Act, is currently the SEC’s primary regulation for protecting client privacy, and it explicitly focuses on safeguarding client information. With the recent amendments, advisory firms must adapt their policies and procedures to meet stricter requirements for data security and incident response by the applicable compliance date. This article outlines key aspects of Regulation S-P, detailing what firms should already have in place, along with the new compliance mandates and deadlines.
Existing Regulation S-P Requirements
Before diving into the amendments, let’s summarize what advisory firms should already have in place under Regulation S-P. The rule requires firms to implement written policies and procedures that cover key areas related to client privacy and the safeguarding of sensitive information:
Privacy Notices: Firms must provide customers with initial and annual privacy notices detailing the types of non-public personal information collected and how it may be shared (Sections 248.4 and 248.5).
Opt-Out Provisions: Firms must give customers the right to opt out of the sharing of their personal information with non-affiliated third parties (Section 248.7).
Safeguarding Information: Policies must include administrative, technical, and physical safeguards designed to protect the confidentiality and security of customer records and information (Section 248.30).
While the original Regulation S-P, prior to the recent amendments, did not specifically mandate employee access controls or incident response plans, implementing these additional safeguards is considered a best practice for enhancing data security and further protecting client information.
These measures should already be a part of every advisory firm’s compliance infrastructure. Now, let’s move to the recent amendments.
Amendments to Regulation S-P: What’s Changing?
The SEC has introduced significant amendments to Regulation S-P (Rule 248.30) aimed at enhancing the protection of client information in an increasingly digital environment. These changes reflect the SEC’s focus on data security and breach notification in light of growing cybersecurity threats. Here's a breakdown of the key amendments:
Expanded Scope of Safeguarding Policies: The amended rule expands the requirements beyond confidentiality, now addressing the integrity and availability of client records and information. Firms must ensure that their policies and procedures cover all aspects of safeguarding client data, including maintaining secure backups and ensuring data integrity.
Incident Response and Notification Requirements: One of the most critical changes is the mandatory requirement for firms to notify affected individuals when their sensitive information is compromised. Specifically, firms must inform affected individuals within 30 days of discovering the breach. This new requirement introduces a standardized notification process, providing more protection and transparency for clients.
Written Incident Response Plan (WIRP): The amendments now explicitly require firms to develop, implement, and maintain a written incident response plan. The WIRP must outline procedures for detecting, responding to, and recovering from data breaches, as well as remediation actions and steps to mitigate future risks. Additionally, the WIRP must include a process for promptly notifying affected individuals and regulators when applicable.
Annual Risk Assessments: Firms are required to conduct and document formal risk assessments at least annually. These assessments must evaluate potential vulnerabilities in their data security systems and assess the adequacy of their information security policies and procedures. Firms must also adjust their security measures based on the findings of these assessments.
Compliance Dates Based on Firm Size:
The compliance timelines for the amended Regulation S-P (Rule 248.30) for advisory firms are as follows:
Larger RIA firms (those with at least $1.5 billion in AUM): Must comply by December 3, 2025 (18 months from the rule's publication in the Federal Register).
Smaller RIA firms (with less than $1.5 billion in AUM): Must comply by June 3, 2026 (24 months from the publication date).
Practical Next Steps for Advisory Firms
Given the SEC's updated rule, advisory firms should begin planning now to ensure they are ready. As we move into the fourth quarter of 2024 and approach 2025, firms need to evaluate their current policies and identify any gaps. Below are essential steps firms should start considering:
Review and Revise Existing Policies: Advisory firms should carefully review their current safeguarding policies to ensure they align with the new expanded scope, covering not only confidentiality but also integrity and availability of client data.
Develop a Written Incident Response Plan (WIRP): Firms must ensure that their Written Incident Response Plan (WIRP) is updated to comply with the amended Regulation S-P. The plan should clearly outline procedures for identifying, responding to, and notifying clients of any data breach within the required 30-day period. The WIRP should include strategies for detecting breaches, containing further damage, and documenting any incidents and actions taken. Firms must also ensure that service providers are monitored for breaches and are required to notify the firm within 72 hours of any unauthorized access to client information. This may be more challenging with larger service providers, such as Microsoft or other companies not specific to the financial industry, which may be unwilling to modify their contracts to accommodate the 72-hour breach notification requirement. Firms may lack the leverage to negotiate these terms, meaning they will need to consider alternative ways to oversee these providers or seek alternative service providers that are willing to comply with the rules advisory firms must follow. This includes evaluating the provider’s response capabilities and developing internal protocols to ensure compliance with the rule, even if direct changes to contracts aren’t feasible.
Conduct a Data Inventory: Firms should conduct a comprehensive inventory of the personal information they collect, store, and share. Personal information, defined by the amended Regulation S-P, includes nonpublic personal information (NPI) such as social security numbers, account numbers, transaction histories, and any other data collected during the course of providing financial services. Firms must identify potential vulnerabilities in how this data is managed, ensuring that security controls are appropriate and robust to protect against unauthorized access or breaches.
Implement Regular Risk Assessments: Firms must establish a process for conducting risk assessments at least annually, as required by the amended Regulation S-P. These assessments should review the effectiveness of safeguards and identify any weaknesses in data security that require improvement. In addition, the risk assessments must evaluate new or emerging threats to customer information, ensuring that safeguards are updated to address evolving cybersecurity risks.
Train Employees: Employee training is a critical element of compliance. Staff should be educated on the firm's information security policies, their responsibilities in protecting client data, and the procedures to follow in the event of a data breach. The amended Regulation S-P emphasizes that employee training should also cover how to detect and respond to potential security incidents and ensure that all staff are aware of the firm's incident response plan. Regular training should be conducted to address emerging threats and updated policies, ensuring that employees remain vigilant and capable of effectively responding to evolving risks.
Data Breach Notification Process: The breach notification process should be a key element of the firm's updated WIRP. Firms are required to notify affected individuals of any breach of sensitive customer information within 30 days of discovering the breach. Notifications must include details such as the type of information compromised, the date or date range of the incident, and steps individuals can take to protect themselves. In addition, notifications must be clear, conspicuous, and provided in a manner likely to reach all affected individuals. The firm must also document the breach, the investigation, and the reasons for notifying (or not notifying) individuals.
Checklist for Compliance
To assist firms in meeting the amended Regulation S-P requirements, here’s a simple checklist of what must be completed before their compliance deadlines:
Review and update all data privacy policies to address confidentiality, integrity, and availability of client data.
Implement a comprehensive Written Incident Response Plan (WIRP).
Ensure that systems are in place to issue data breach notifications within 30 days.
Review service provider contracts to ensure notification within 72 hours.
Conduct and document annual risk assessment: Review administrative, technical, and physical safeguards to ensure they effectively protect customer information. For firms with under $1.5 billion in AUM, the first documented assessment should be completed by December 31, 2026, and by June 3, 2027, for firms with $1.5 billion or more in AUM.
Regularly test and update technical, physical, and administrative safeguards.
Ensure that safeguards are regularly tested and updated to address evolving cybersecurity risks and newly identified vulnerabilities.
Train employees on the firm’s data protection protocols and incident response procedures.
Conduct regular employee training to ensure staff understand their roles in protecting client data and responding to potential breaches, as required by the amended rule. Training should also cover new threats and updates to internal policies and procedures.
Conclusion
While many of the new requirements align with existing best practices, the amendments introduce stricter obligations, particularly in breach notification and service provider oversight, which may pose significant challenges. The requirement to notify clients of a breach within 30 days could present logistical difficulties for firms, especially when coordinating with external service providers. Additionally, breach notifications could expose vulnerabilities to hackers or fraudsters, who may seek to exploit the breach further or create new breaches. Ensuring that service providers adhere to the firm’s security and breach notification requirements may also be difficult, particularly when working with large third-party vendors that may be unwilling to modify their standard agreements. Firms should begin working on the checklist items soon, including updating policies, formalizing incident response plans, and ensuring robust data security measures to mitigate risks, avoid penalties, and maintain the highest standards for protecting client information. The executive management team, including the CCO and the firm's IT team, should all work on this together.
If you would like specific compliance education, training, and services to help with your compliance program or project, please get in touch with Coulter Strategic Services.
Check out Coulter Strategic Services' growing collection of training resources, including IARCE. Visit today and stay tuned for new training resources.
All information provided is for educational purposes and shall not be construed as specific advice. The information does not reflect the view of any regulatory body, State or Federal Agency or Association. All efforts have been made to report true and accurate information. However, the information could become materially inaccurate without warning. Not all information from third-party sources can be thoroughly vetted. Coulter Strategic Services and its staff do NOT provide legal opinions or legal recommendations. Nothing in this material should be considered as legal advice or opinion.