FINRA to Member Firms: “You Heard the SEC, Create Plans for Data Breaches Now!”

On May 15, 2024, the SEC announced it would make amendments to Regulation S-P (Reg S-P). This will be the first amendment to the regulation since its adoption 24 years ago in 2000. The regulation focuses on how institutions handle customers’ private personal information. The amendment comes in response to the ever-evolving technologies that expose individuals’ sensitive data to potential security breaches. SEC Chair Gary Gensler stated, “Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially” and that “amendments to regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”

The new amendments to Reg S-P require firms to (1) have an incident response program, including written policies and procedures, (2) provide notice to customers in the event of a breach no later than 30 days after its discovery, and (3) provide oversight through due diligence and monitoring of service providers, though firms ultimately retain the burden of ensuring that notice of any breach is provided to affected customers per Reg S-P’s requirements.

On June 6, 2024, FINRA’s Cybersecurity Advisory sent out a reminder to its member firms that the new amendments apply to all of FINRA’s “covered institutions”: broker-dealers, investment companies, registered investment advisers and transfer agents, and urged them to “review the amendments to ensure their cybersecurity programs are modified, as needed to come into compliance by the applicable compliance date for their firms.” The amendment was recently published in the Federal Register on June 3, 2024, and those amendments become effective 60 days afterward. Larger entities[1] have 18 months and smaller entities 24 months from the June 3, 2024, date to become compliant with the new amendments.

The amendments arrive at a crucial moment in the financial services industry. Recently, there have been several high-profile data breaches, affecting tens of thousands of customers. FINRA has also been focused on cybersecurity, making it a priority for the last several years and pursuing enforcement actions.

With the rapid pace of technology advances and reliance on tech for customer interface comes the need to secure personal data from cybersecurity attacks. The amendments to Reg S-P recognize the possibility of such breaches and require Member Firms to plan for rapid responses and disclosures to customers in the event such breaches occur.


[1] The SEC defines larger entities as investment companies with net assets of more than $1 billion; registered investment advisors with $1.5 billion assets under management; and broker-dealers and transfer agents that are not considered “small entities” under the Securities and Exchange Act for purposes of the Regulatory Flexibility Act.


About the Author: Sandra D. Grannum

Sandra Dawn Grannum concentrates her practice on securities, broker/dealer arbitration, litigation, mediation and regulatory defense. She is co-chair of the Commercial Litigation Team.

Sandy has tried complex multimillion-dollar arbitrations before FINRA, AAA and JAMS across the country. She has represented brokerage firms, banks, clearing firms, and associated persons in over 60 arbitrations before the NASD and FINRA which have been tried through award. In addition, she has successfully pursued cases in state and federal courts and in adversarial proceedings before bankruptcy courts.

About the Author: Jamie L. Helman

Jamie L. Helman concentrates her practice on securities, broker-dealer arbitration, litigation, mediation, employment matters, and regulatory defense. She has experience first-chairing FINRA arbitrations, has defended on-the-record testimony of broker-dealer employees before FINRA, and is presently involved in the representation of broker-dealers in several pending FINRA cases as well as regulatory matters.

About the Author: Emmanuel L. Brown

Emmanuel L. Brown represents a range of clients involved in litigation. He assists at various stages of legal proceedings and trial preparation, including legal research, writing motions, and drafting other memoranda. Prior to joining the litigation group, Manny worked in the firm’s corporate and securities group for two years on matters related to finance, securities and mergers and acquisitions.

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.