Cybersecurity, Privacy, and Data Protection


Securities and Exchange Commission (SEC) Regulation S-P (Privacy)

Regulation S-P is the SEC's primary privacy rule for the financial institutions it regulates, adopted under the Gramm-Leach-Bliley Act (GLBA). It applies to broker-dealers, SEC-registered investment advisers, and investment companies; the 2024 amendments also extended its safeguards and disposal provisions to registered transfer agents. Advisers registered with a state rather than the SEC fall under the FTC's GLBA privacy and safeguards rules instead.

Privacy Notice Requirements

  • Requires advisers to deliver a clear and conspicuous privacy notice to clients: an initial notice when the customer relationship is established and, in most cases, an annual notice thereafter. The notice describes the categories of nonpublic personal information (NPI) collected, the categories of affiliates and nonaffiliated third parties with whom it is shared, and the client's right to opt out
  • Clients must be given a reasonable opportunity to opt out before NPI is shared with nonaffiliated third parties, subject to the rule's exceptions (for example, sharing with service providers under confidentiality obligations, sharing needed to process a transaction the client requested, and disclosures required by law)
  • Advisers must adopt written policies and procedures (the safeguards rule) reasonably designed to ensure the security and confidentiality of customer records and information, protect against anticipated threats or hazards to them, and protect against unauthorized access to or use of them that could result in substantial harm or inconvenience to any customer

Exam Tip: Gotchas

  • Regulation S-P requires an opt-out mechanism, not opt-in. Clients must be told how their information may be shared and given a reasonable opportunity to prevent sharing with nonaffiliated third parties. Sharing with affiliates generally does not require an opt-out, and neither does sharing that falls within one of the rule's exceptions, such as a service provider that processes data on the adviser's behalf under a confidentiality agreement.

Cybersecurity Obligations

  • Advisers must adopt and implement written policies and procedures that address administrative, technical, and physical safeguards for customer records and information
  • Those safeguards must be reasonably designed to protect against anticipated threats and against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer
  • Under the amendments adopted in May 2024, the safeguards program must include a written incident response program with procedures to assess, contain, and respond to unauthorized access to or use of customer information, including oversight of service providers that receive or maintain that information
  • Affected individuals must be notified as soon as practicable, and no later than 30 days after the institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, unless the institution determines after a reasonable investigation that the sensitive customer information has not been, and is not reasonably likely to be, used in a way that would result in substantial harm or inconvenience; service providers must notify the institution within 72 hours of becoming aware of such a breach
  • Compliance dates for the 2024 amendments: December 3, 2025 for larger entities and June 3, 2026 for smaller entities