On Jun. 6, FINRA issued an advisory to highlight the SEC's recent adoption of amendments.
FINRA issued the cybersecurity advisory - SEC amends Regulation S-P enhancing protection of customer information; the SEC adopted the amendments in May 2024, #212369.
The amendments apply to broker-dealers (B/Ds), investment companies, registered investment advisers (IAs) and transfer agents.
FINRA recommended that all member firms review the amendments to ensure their cyber programs are modified, as needed, to come into compliance by the applicable compliance date.
Highlights of Adopted Amendments
Adopt an incident response program as part of the firm's written policies and procedures.
Establish, maintain and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers.
Notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed without authorization in the time and manner prescribed.
The amendments expanded and aligned the safeguards and disposal rules to cover both nonpublic information a firm collects about its customers and nonpublic personal information it receives.
Requires institutions, other than funding portals, to make and maintain written records.
In addition, conformed Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception added by the 2015 Fixing America’s Surface Transportation Act.
Extended both the safeguards rule and the disposal rule to transfer agents registered.
Compliance Dates
Noted that larger entities will have 18 months, and smaller entities will have 24 months, after Jun. 3, 2024, the date of publication in the Federal Register, to comply.