Joseph Swanson On Reg S-P Amendments – ‘Covered institutions should expect continued focus from the SEC in this area’

Foley & Lardner LLP partner Joseph Swanson assessed the U.S. Securities and Exchange Commission’s (SEC) amendments to Regulation S-P in the Traders Magazine article, “What Broker-Dealers Need to Know About Reg S-P Amendments.”

Swanson said that since its adoption, Regulation S-P has required broker-dealers to adopt written policies and procedures to safeguard customer records and information. The new amendments expand on the safeguards rule by also requiring the policies and procedures to include an incident response program, he explained. 

“We’re advising all of our clients to take advantage of the SEC’s implementation timeline—18 months for larger entities and 24 months for smaller entities—to evaluate existing frameworks relative to the new requirements and create a roadmap for compliance,” he commented.

Swanson said the specifics include developing an effective incident response program tailored to the organization’s operations, enhancing service provider oversight, and updating record-keeping practices. “But most importantly (and regardless of the amended regulation), an effective cybersecurity program should be tested and updated regularly to respond not just to compliance obligations but the evolving threat landscape, changes in personnel, and so forth,” he emphasized.

“Covered institutions should expect continued focus from the SEC in this area, including in enforcement actions,” he concluded. “While the amended regulation may impose additional compliance obligations and costs on covered institutions, many of those institutions may also leverage the opportunity to enhance their cybersecurity frameworks and seek to differentiate themselves from their competitors.”