Regulation S-P (Privacy of Consumer Financial Information)
Regulation S-P (Reg S-P) was adopted by the SEC to implement the privacy provisions of the Gramm-Leach-Bliley Act. It requires broker-dealers, registered investment advisers, investment companies, hedge funds and futures-trading entities that are registered with the SEC to adopt security measures that protect customers' nonpublic personal information and to inform customers about the firm's privacy policies and practices. Reg S-P also limits when a firm may disclose nonpublic personal information to any nonaffiliated third party without first giving the customer an opportunity to opt out of the disclosure. Citing the increasing number of security breaches, the SEC has concluded that a review of these rules is warranted, and the proposed amendments are designed to strengthen the safeguards and disposal rules.
In short, the SEC is expanding the rule to cover additional types of information that must be protected, and applying it to individuals associated with a firm rather than only to the firm itself. The amendments also define more detailed standards for how this information must be safeguarded, together with standards for responding to a data security breach.
The Proposed Regulation S-P Changes Include:
- Develop and execute a comprehensive information security program
- Require staff training on the program
- Conduct regular vulnerability testing
- Develop written procedures for responding to a data security breach and for notifying affected parties
- Keep more extensive records of security policies and procedures
Because each organization is different, no single list of security controls applies to every firm. This is why a complete risk assessment is so valuable: it identifies areas of exposure and gaps in the organization's current security infrastructure, so that controls can be chosen to address the risks the firm actually faces.
Recommended Minimum Regulation S-P Compliance Solutions