The Securities and Exchange Commission (SEC) will require broker-dealers and registered investment advisers to adopt written policies and procedures for handling data breaches of customer data and notify affected customers within 30 days.

CW Event Spotlight

Financial Crimes Summit 390x260

Compliance Week’s Financial Crimes and Regulatory Compliance Summit will take place June 10-11 at Fordham Law School in Manhattan, New York. The event agenda includes 40+ speakers, including representatives from the SEC, CFTC, FINRA, FBI, OFAC, BIS, and more.


View the agenda below. For inquiries regarding registration, contact Donna O’Neill.


LIMITED TIME OFFER: Use code DONNA15 at checkout for a discounted rate.


View Agenda

On Thursday, the SEC approved amendments to Regulation S-P, known as the safeguards rule. The rule requires covered entities to have policies and procedures in place to safeguard and dispose of sensitive customer data, as well as provide privacy notices and opt out procedures.

The amendments widen obligations for broker-dealers, funding portals, registered investment advisers, investment companies, and transfer agents to create and implement a data breach incident response program.

Firms that experience data breaches must inform affected customers “as soon as practicable” but at least within 30 days after becoming aware a breach occurred, according to an SEC fact sheet. The notices must include details about the incident, the data breached, and how affected individuals can protect themselves. Firms that determine sensitive customer information “has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience” are exempt.

The amendments also expand the type of nonpublic personal information covered, beyond what the firm itself collects, to include personal information the firm has received from another financial institution.

Regulation S-P had not been significantly updated since it was adopted in 2000. The agency proposed amendments in March 2023.

“I believe that these amendments will help customers maintain their privacy and protect themselves. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors,” SEC Chair Gary Gensler said in a statement.

SEC Commissioner Hester Peirce, who supported the amendments, expressed concern the breadth of the new rules would force firms to send so many breach notices that customers would simply ignore them.

“How does your behavior change if you start getting a notice every few months? Or every month? Or every week? What if you get notifications from multiple entities related to the same breach?” she asked in a statement.

The amendments take effect 60 days after publication in the Federal Register, with a compliance date of 18 months after the effective date for larger firms and two years for smaller firms.