On May 15, 2024, the Securities and Exchange Commission adopted amendments under Regulation S-P that mandate new requirements for registered investment advisers (RIAs) regarding incident response and cybersecurity incident disclosure.
Regulation S-P, established in 2000, includes the “safeguards rule” and the “disposal rule”, which require RIAs, broker-dealers and investment companies to adopt written policies and procedures to safeguard customer information and to properly dispose of consumer report information.
New requirements under Regulation S-P include:
Covered entities will be required to establish and maintain a comprehensive incident response program designed to detect, respond to and recover from a security incident or breach of customer information. Written policies for incident response should include procedures for both assessing the nature and scope of the incident as well as containing and preventing further incidents or unauthorized access.
In the event that sensitive customer information is accessed or used by unauthorized parties, covered entities will be required to notify impacted individuals within 30 days of being made aware of the incident. RIAs and other covered parties will not be required to provide notification when it has been determined that the incident has not resulted in, and will not result in, substantial harm or inconvenience.
As part of the incident response program, RIAs and investment companies will need to establish, maintain and enforce written policies and procedures focused on the monitoring, oversight and due diligence of third-party service providers. This includes requiring service providers to disclose security incidents within 72 hours after detection of a breach or compromise impacting customer information.
The amendments to Regulation S-P will take effect 60 days after publication in the Federal Register. Larger entities (defined as RIAs exceeding $1.5b AUM or investment companies with $1b+ in net assets) will have 18 months from the effective date to comply, while smaller entities will have 24 months.
Need help with your incident response plan?
Omega Systems is an award-winning MSP/MSSP and has significant expertise advising RIAs and other investment management firms regarding cybersecurity measures and SEC compliance. If you require assistance with creating or enhancing your incident response plan per the SEC’s new requirements, please contact our team.