
New SEC Cybersecurity Rules Begin to Take Effect

On May 16, 2024, the Securities and Exchange Commission (SEC) unanimously approved amendments to Regulation S-P, which impose new rules relating to cybersecurity breaches involving investment advisers and broker-dealers. Larger entities must comply with the new rules by December 3, 2025, while smaller entities must comply by June 3, 2026. The amendments to Regulation S-P added requirements compelling covered institutions to adopt written policies and procedures that are reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer nonpublic personal information.

Recovery or response program procedures include steps to:

  1. assess the nature and scope of any incident; 

  2. take appropriate steps to contain and control the incident; and 

  3. notify affected individuals whose Sensitive Customer Information was, or is reasonably likely to have been, accessed or used without authorization unless, after a reasonable investigation, the covered institution determines that the Sensitive Customer Information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. 

Under the amendments to Regulation S-P, financial institutions' incident response programs must include policies and procedures "reasonably designed to require oversight, including through due diligence on and monitoring, of service providers" to ensure the financial institution meets its customer notification requirements.

Although trade associations urged the SEC to delay the compliance date for these amendments, the SEC declined to do so. While larger firms must already comply with the new requirements, smaller firms are still expected to comply by June 3, 2026.
