The SEC has released adopted amendments to Regulation S-P and formalized them in a final rule to address cybersecurity risks. They also released a companion fact sheet, which helps outline the impacts of the final rule and it’s requirements that covered institutions (including broker-dealers, investment companies, and certain other financial entities) implement written policies and an incident response to address cybersecurity risks.
The mandated policies and procedures must be effectively designed. to identify, address, and recover from any unauthorized access to or use of customer data, and include required timely (i.e., within 30 days) disclosures to any individuals whose sensitive personal information was, or is likely to have been, accessed without permission. The final rule also introduces additional modifications to the safeguards and data disposal protocols, and it is important that SEC regulated entities familiarize themselves with the Regulation S-P enhancements included therein.
Compliance deadlines vary by entity size, with larger entities having 18 months from the regulation’s publication in the Federal Register to adhere to the requirements, and smaller entities having 24 months from the rule’s publication in the Federal Register to comply.
These amendments are intended to modernize the approach to data security in the financial sector, reflecting changes in technology and the increasing risks of data breaches, and FoxPointe Solutions is happy to answer any questions you may have on the final rule.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.