If somebody were to ask you what has changed since the year 2000, where would you start?
How about if they narrowed the question down to changes in technology, cybersecurity, and consumer protection?
There have been many changes, including a move toward broader protection of Personally Identifiable Information (PII) through the General Data Protection Regulation (GDPR) and state privacy laws. How about changes affecting the handling of your nonpublic personal information by your Registered Investment Advisors (RIAs) and other financial institutions?
Recent updates to SEC cybersecurity requirements signal a significant shift in how RIAs must manage and report data protection practices.
What is the Securities and Exchange Commission Doing to Keep Up and Enforce these Safeguard Rules?
In May 2024, the SEC announced updates to Regulation S-P (Reg S-P), which covers requirements for how certain financial institutions manage customers’ information.
How does this affect you?
If you are, or are currently working with, a Registered Investment Advisor (RIA), broker-dealer, or another regulated institution such as a Transfer Agent, these updates provide protection and safeguards for nonpublic customer records, including their proper disposal. These firms hold plenty of financial information, and cybercriminals are increasingly targeting them. Like most of us, you have probably received more than a few letters in the mail explaining that a data breach happened and that your information may have been compromised.
What are the Major SEC Cybersecurity Rule Changes to Regulation S-P, and How Does This Affect RIAs?
The SEC Regulation S-P is extremely comprehensive (over 300 pages) and details how covered institutions must update their current policies and processes to meet the amendments. These include safeguarding customer records and information, preventing unauthorized access to information, disposing of customer information, and providing annual privacy notices to customers.
Here are the other highlights and key points of the framework for safeguarding customer information, including cybersecurity practices:
- Written Information Security Policies (WISP): RIAs must develop and maintain a documented policy outlining their cybersecurity practices. RIAs must adopt policies and procedures to assess and mitigate incidents involving unauthorized access to customer information. WISP also includes recordkeeping and maintaining written records to document compliance.
- Risk Assessment: Regularly evaluating potential cyber threats and vulnerabilities within the RIA’s systems.
- Access Controls: Implementing strong password policies, user authentication methods, and restrictions on data access based on roles.
- Recordkeeping: RIAs must have a process for recordkeeping and maintaining written records to document compliance.
- Incident Response Plan: Having a defined process to detect, respond to, and recover from cybersecurity incidents.
- Vendor Due Diligence: Assessing the cybersecurity practices of any third-party vendors with access to client data.
The amendments also cover Customer Notification requirements to help ensure notices are provided to affected individuals in a timely manner, and no longer than 30 days after learning of unauthorized access or use of customer data.
In addition, incident disclosures are required by the RIAs in Form 8-K, as well as a description of their overall risk management process annually in Form 10-K related to their processes for assessing and managing cybersecurity risks.
How Can Assurance Dimensions Assist RIAs and Other Affected Institutions?
RIAs are required to meet IT security requirements under the SEC’s Regulation S-P, which mandates written policies and procedures to protect customer information, including robust cybersecurity measures to defend against cyber threats and manage incidents effectively. This includes performing risk assessments, implementing access controls, and developing incident response plans.
These amendments were released in May 2024 and must be implemented within 18 months for larger entities and 24 months for smaller entities. Assurance Dimensions provides reviews and assessments of an RIA’s cyber risk and privacy programs to help meet the requirements of Regulation S-P. These assessments provide strategic insights and actionable activities to help develop and manage a company’s compliance and security assessment needs.
Does your RIA need help navigating the new SEC cybersecurity requirements? Our IT advisory team stays current on SEC cybersecurity developments to help RIAs stay compliant and reduce risk exposure.
Contact us today to schedule a consultation.