Statement Summary
The SEC’s Division of Examinations has emphasized the critical role of information security in protecting investors’ nonpublic personal information, particularly in light of heightened cyber threats. The recently adopted amendments to Regulation S-P are intended to strengthen the protection of customer information: covered institutions must include incident response programs in their written policies and procedures, notify affected individuals when sensitive customer information is accessed or used without authorization, and oversee third-party service providers. The Commission describes these changes as a response to the evolving technological landscape and the growing risk of cyberattacks. The Division will host outreach events, including guidance on what to expect during examinations related to Regulation S-P, to help firms meet the new requirements before the compliance dates.
Original Statement
Good afternoon. I’m pleased to join you today to discuss the importance of, and the financial sector’s role in, information security and the protection of investors’ nonpublic personal information. Specifically, I am here to lay out the Division of Examinations’ approach to operationalizing the Commission’s recently adopted enhancements to Regulation S-P. But before I begin, I must share the official statement that: This speech is provided in my official capacity as the Commission’s Acting Director of the Division of Examinations, but does not necessarily reflect the views of the Commission, the Commissioners, or other members of the staff.
The Commission, and the Division of Examinations, has been focused on ensuring the security of customer information for over two decades. In 2000, acting under the authority of the Gramm-Leach-Bliley Act, the Commission adopted Regulation S-P to help safeguard such information. The standards established by Regulation S-P require, among other things, covered institutions to (i) ensure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Evolving Threat Landscape
Since the rule’s adoption in 2000, the Division of Examinations—and its predecessor, the Office of Compliance Inspections and Examinations (OCIE)—has examined registrants for compliance with the requirements of Regulation S-P. We have also been incredibly active in our efforts to promote awareness and strengthen compliance across the broader field of information technology controls, especially through our industry outreach and engagement, including issuing over a dozen risk alerts on information security topics.
However, the threat landscape has significantly changed in the last 25 years. In 2000, cyberattacks were just starting to become a growing threat in the U.S. Today, Microsoft reports that its customers face 600 million cyberattacks on a daily basis. The FBI reported in 2023 that its Internet Crime Complaint Center received over 880,000 complaints with potential losses exceeding $12.5 billion.
Regulatory Response
In response to the evolving technology and increased threats posed to retail investors, the Commission completed a rulemaking process that revised and enhanced Regulation S-P. These amendments have expanded the applicability of Regulation S-P to cover additional financial institutions, modernized the rules relating to safeguards and disposal of customer information, and ensured customers receive timely and consistent notifications in the event of unauthorized access.
Among the key amendments to Regulation S-P, covered institutions are now required to:
- Establish incident response programs in their written policies and procedures under the Safeguards Rule.
- Notify affected individuals whose sensitive customer information was accessed or used without authorization.
- Implement oversight measures for third-party service providers.
Implementation and Outreach
To assist firms in their preparedness to implement these new amendments, the Division of Examinations will host outreach events. These events will cover key topics, including what to expect during examinations related to Regulation S-P. As the compliance dates approach, registrants should be prepared for inquiries from examiners regarding their readiness to comply.
The SEC is committed to working collaboratively with registrants to ensure compliance and improve information security standards across the sector. Thank you for your dedication to safeguarding and protecting customers’ nonpublic personal information. Strong controls and safeguards benefit not only customers and investors but also financial institutions and markets.