by Mike Borgia and Andrew Lewis
Broker-dealers, registered investment advisors, and funds are now required to report breaches of “sensitive” nonpublic personal information (NPI) to affected individuals.
On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to report data breaches affecting “sensitive customer information,” which is “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”
The amendments were originally proposed on March 15, 2023 (covered in a previous post). The amendments will go into effect 60 days after they are published in the Federal Register.