The United States Securities and Exchange Commission (SEC) adopted Regulation S-P (Reg S-P) in 2000 to safeguard the financial information of consumers. The regulation requires covered financial institutions to maintain written policies and procedures to protect customer records and to govern the disposal of consumer information.
In March 2023, the SEC proposed amendments to Regulation S-P. If adopted, the proposed rules would expand the regulatory scope of Reg S-P by requiring covered institutions to maintain incident response programs and implement controls to detect, respond to, and recover from data breaches and other security incidents that may expose consumers to identity theft or other substantial harm.
Continue reading to learn more about the data security requirements of Reg S-P, discover what actions financial institutions must take to comply, and understand how the U.S. Securities and Exchange Commission is looking to expand the regulation in the future.
SEC Regulation S-P: Privacy of Consumer Financial Information
SEC Regulation S-P requires all broker-dealers, investment companies, business development companies (Investment Company Act of 1940), and registered investment advisers (Investment Advisers Act of 1940) to follow its standards for protecting customer records and disposing of customer data.
The SEC primarily splits the regulation into two essential rules: the Safeguards Rule and the Disposal Rule.
- Safeguards Rule: Financial institutions must adopt written policies and procedures to protect customer records and information
- Disposal Rule: Covered institutions must adopt written policies and procedures to govern the disposal of customer data and prevent unauthorized access
Financial institutions can view a complete copy of Regulation S-P within the electronic Code of Federal Regulations (CFR) system.
Cybersecurity Requirements of Regulation S-P
The safeguards rule, disposal rule, and other provisions of the regulation require financial institutions to adhere to various data privacy standards.
Under SEC Regulation S-P, all applicable financial institutions must:
- Adopt written policies and procedures that address the administrative, technical, and physical safeguards used to protect customer records and information
- Adopt written policies and procedures that require proper disposal of consumer report information and protect it against unauthorized access or use in connection with its disposal
- Provide a clear and conspicuous initial privacy notice that accurately reflects their privacy policies and practices
- Provide an opt-out notice and a reasonable means for consumers to opt out of having their nonpublic personal information disclosed to nonaffiliated third parties
- Limit the disclosure of nonpublic personal information to nonaffiliated third parties, and control the access and use permitted to third-party service providers
Privacy Notice Requirements
Regulation S-P requires a financial institution to provide an initial privacy notice to every customer no later than when the customer relationship is established, and to any other consumer before it discloses that consumer's nonpublic personal information to a nonaffiliated third party.
An institution is not required to send an initial notice to a consumer who is not a customer if it does not disclose that consumer's nonpublic personal information to nonaffiliated third parties (other than under one of the regulation's exceptions) and does not establish an ongoing customer relationship with that consumer.
The initial privacy notice and each subsequent annual privacy notice that a financial institution provides to its customers must contain the following information:
- The categories of nonpublic personal information that the institution will collect
- The categories of nonpublic personal information that the institution will disclose
- The categories of affiliates and nonaffiliated third parties to which the institution discloses nonpublic personal information
- The categories of nonpublic personal information about former customers that the institution discloses, and the categories of parties to which it is disclosed
- An explanation of the consumer's rights, including the right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties
- The institution's policies and practices for protecting the confidentiality and security of nonpublic personal information
- Any disclosures the institution makes under the Fair Credit Reporting Act (FCRA) regarding affiliate sharing
Data Disposal Requirements
Under Reg S-P, financial institutions must follow several requirements when disposing of the consumer information they collect. Because they apply to many kinds of records and disposal methods, the disposal requirements of Reg S-P are noticeably more general than the regulation's other requirements.
To comply with Regulation S-P, financial institutions must:
- Protect the security and confidentiality of customer records and information, including during their disposal
- Protect customer records and information against anticipated threats or hazards to their security or integrity
- Take reasonable measures to protect consumer report information from unauthorized access or use in connection with its disposal
Disclosure of Information Requirements
SEC Regulation S-P limits how and when institutions can disclose consumer information. Unless one of the regulation's exceptions applies, an institution must meet the following criteria before disclosing nonpublic personal information to a nonaffiliated third party:
- The consumer has received an initial privacy notice,
- The initial privacy notice includes an opt-out notice,
- The consumer has had the reasonable opportunity to opt out of the disclosure, and
- The consumer has not opted out of the disclosure
Reasonable opt-out opportunities include mail or electronic processes that grant the consumer a 30-day response window. For a mailed notice, the window runs from the date the institution mails the notice; for an electronic notice, it runs from the date the consumer acknowledges receipt.
Financial institutions that receive nonpublic personal information from a nonaffiliated financial institution are also subject to the regulation's redisclosure limits, which include:
- Institutions may redisclose the information to the affiliates of the institution from which they received it
- Institutions may disclose the information to their own affiliates, but those affiliates may use it only to the extent the receiving institution itself may use it
Exceptions to SEC Regulation S-P
SEC Regulation S-P grants several exceptions to applicable institutions subject to the safeguards rule, disposal rule, and other law provisions. The most prominent exceptions of Regulation S-P make it easier for financial institutions to conduct business functions with their third-party partners.
These exceptions include:
- Opt-out notice requirements do not apply when a financial institution provides nonpublic personal information to a nonaffiliated third party that performs services for the institution, provided the institution has delivered the initial privacy notice and the third party is contractually prohibited from disclosing or using the information for any purpose other than carrying out those services
- Opt-out notice requirements do not apply when a financial institution discloses consumer information to comply with federal, state, or local laws
Who Enforces Regulation S-P?
The SEC is the regulatory agency responsible for enforcing Regulation S-P. The commission has the authority to bring enforcement actions against covered institutions and the ongoing rulemaking power to propose and adopt amendments to the regulation.
Penalties for Non-Compliance
Regulation S-P does not prescribe a fixed penalty schedule. Instead, the SEC brings enforcement actions case by case and has imposed significant penalties in settled actions.
In June 2016, Morgan Stanley Smith Barney settled SEC charges that it failed to adopt written policies and procedures reasonably designed to protect customer data after an employee downloaded confidential information on hundreds of thousands of customers, some of which was later posted online. The firm paid a $1 million penalty. In September 2018, Voya Financial Advisors settled charges that it violated the Safeguards Rule, also paying a $1 million civil penalty.
Proposed Enhancements to Regulation S-P
Since adopting the regulation in 2000, the SEC has only modestly amended Regulation S-P. The SEC's 2023 proposal, however, would substantially expand the regulation's scope.
If the proposal is adopted, covered institutions will be required to maintain a written incident response program with procedures reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
In addition, the proposal also includes the following provisions:
- Require covered institutions' incident response programs to address service-provider risk, including oversight of service providers and provisions in service-provider agreements covering breach notification to the institution
- Require covered institutions to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, within 30 days of becoming aware of the incident
- Include transfer agents among the covered institutions that are subject to the safeguards rule and other regulation requirements
- Require covered institutions to maintain written records documenting compliance
- Modify Regulation S-P's annual privacy notice delivery requirements to conform to the exception added to the Gramm-Leach-Bliley Act (GLBA) by the 2015 FAST Act
The SEC proposed these enhancements on March 15, 2023. The public comment period ran for 60 days after the proposal was published in the Federal Register.
On the same day the SEC proposed changes to Regulation S-P, it also suggested amendments to Regulation SCI.
SEC rules do not require an act of Congress; the Commission adopts them itself after the comment period. Neither proposal has yet been adopted. The Regulation S-P proposal includes a 12-month transition period following adoption.
Definitions of Key Terms (SEC Regulation S-P)
Regulation S-P relies on a number of defined terms. The SEC defines them in 17 CFR 248.3. Some of the more important terms are summarized below for convenience.
Nonpublic Personal Information
Under Regulation S-P, nonpublic personal information includes personally identifiable financial information and lists, descriptions, or other groupings of consumers that institutions derive from using such information.
Personally Identifiable Financial Information
The SEC defines personally identifiable financial information as any information a consumer provides to obtain a financial product or service, any information about a consumer resulting from a transaction involving a financial product or service, and any other information the institution obtains about a consumer in connection with providing a financial product or service.
Examples of personally identifiable financial information include:
- Credit or loan applications,
- Account balances,
- Payment history, and
- Purchase history
Personally identifiable financial information does not include publicly available information or information that does not identify a consumer, such as aggregate data or blind data stripped of personal identifiers (account numbers, names, addresses).
Publicly Available Information
Publicly available information includes any information that is lawfully made available to the general public. This information includes Federal, State, or local government records, widely distributed media, and public disclosures.
Nonaffiliated Third Parties
The SEC defines a nonaffiliated third party as any person other than an affiliate of the institution (an entity that controls, is controlled by, or is under common control with the institution) or a person employed jointly by the institution and a company that is not its affiliate.
What is the Securities and Exchange Commission (SEC)?
The United States Securities and Exchange Commission (SEC) is an agency of the federal government whose mission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. The agency's headquarters is in Washington, D.C.
How Does UpGuard Help Organizations Comply with Regulation S-P?
UpGuard can help financial institutions achieve regulatory compliance and manage reputational risk across their supply chain.
Given that the scope of Regulation S-P will likely grow, financial institutions should prepare to comply with the regulation's new requirements. UpGuard's cybersecurity tools can help financial institutions build robust incident response programs that strengthen their overall third-party risk management and vendor risk strategies.