privacy-data-security
Privacy and Data Security
Purpose
Guide the design, implementation, and operation of privacy and data security programs for SEC-registered investment advisers, broker-dealers, investment companies, and other financial services firms. This skill covers Regulation S-P (privacy of consumer financial information), Regulation S-ID (identity theft prevention), SEC cybersecurity rules and examination expectations, incident response requirements, state privacy law intersections, vendor and third-party risk management, data governance, and employee training obligations.
Layer
9 — Compliance & Regulatory Guidance
Direction
prospective
When to Use
- Designing or reviewing a firm's written information security program under the Reg S-P Safeguards Rule
- Drafting or updating initial and annual privacy notices under Reg S-P
- Evaluating whether the firm qualifies for the FAST Act annual privacy notice exception
- Building an Identity Theft Prevention Program under Reg S-ID (Red Flags Rule)
- Preparing for an SEC cybersecurity-focused examination
- Responding to a data breach or cybersecurity incident affecting customer NPI
- Assessing vendor and third-party service provider data security arrangements
- Determining state breach notification obligations across multiple jurisdictions
- Designing data classification, access control, and encryption policies
- Evaluating compliance with New York DFS 23 NYCRR 500 cybersecurity requirements
- Implementing employee training programs for privacy and cybersecurity awareness
- Reviewing cloud service provider arrangements for SEC examination readiness
- Assessing whether a cybersecurity incident triggers SAR filing obligations
Core Concepts
Regulation S-P (Privacy of Consumer Financial Information)
Regulation S-P (17 CFR Part 248, Subparts A and B) implements Title V of the Gramm-Leach-Bliley Act (GLBA) for entities registered with the SEC. It applies to SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. The regulation has three core components:
Privacy Notice Requirements. Firms must provide an initial privacy notice to each customer at the time of establishing the customer relationship (17 CFR 248.4). The notice must describe: (a) categories of nonpublic personal information (NPI) collected, (b) categories of NPI disclosed to third parties, (c) categories of affiliates and nonaffiliated third parties to whom NPI is disclosed, (d) the customer's right to opt out of certain disclosures, (e) the firm's policies and practices for protecting confidentiality and security of NPI, and (f) any disclosures required under the Fair Credit Reporting Act. Annual privacy notices must be delivered once during each 12-month period for the duration of the customer relationship (17 CFR 248.5). The FAST Act of 2015 (Pub. L. 114-94, Section 75001) created an exception to the annual notice requirement: firms that (i) share NPI only under the exceptions in 17 CFR 248.14 and 248.15, and (ii) have not changed their privacy policies and practices since the most recent notice, may satisfy the annual requirement by posting the privacy notice continuously on their website in a clear and conspicuous manner rather than mailing it to each customer.
Opt-Out Requirements. Before sharing NPI with nonaffiliated third parties, firms must provide customers with a reasonable opportunity to opt out (17 CFR 248.7 and 248.10). The opt-out notice must be clear, conspicuous, and delivered along with or as part of the privacy notice. Exceptions to the opt-out requirement include: (a) disclosures necessary to effect, administer, or enforce a transaction requested by the customer, (b) disclosures to service providers and joint marketing partners under written contractual agreements that restrict the third party's use of NPI, (c) disclosures with customer consent, (d) disclosures to protect against fraud, and (e) disclosures required by law (17 CFR 248.14 and 248.15). Joint marketing agreements must include written contracts specifying that the third party will maintain the confidentiality of NPI and will use it only for the purposes for which it was disclosed.
Safeguards Rule. Section 248.30 requires every covered institution to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Administrative safeguards include designating a responsible employee or officer, conducting risk assessments, implementing employee training, and establishing oversight of service providers. Technical safeguards include access controls, encryption, intrusion detection systems, and monitoring of information systems. Physical safeguards include secure storage of records, controlled access to facilities, and proper disposal of documents. The policies must be reasonably designed to: (a) ensure the security and confidentiality of customer records and information, (b) protect against anticipated threats or hazards to the security or integrity of such records, and (c) protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to the customer.
Disposal Rule. Section 248.30(b) requires proper destruction of consumer report information derived from consumer reports. Reasonable measures for disposal include shredding physical documents, erasing or destroying electronic media, and entering into contracts with third-party disposal services that require proper destruction.
Regulation S-ID (Red Flags Rule)
Regulation S-ID (17 CFR 248.201-202) implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) for SEC-regulated entities. It requires financial institutions and creditors that hold "covered accounts" to develop and implement a written Identity Theft Prevention Program (ITPP) designed to detect, prevent, and mitigate identity theft.
Covered Accounts. Two categories of accounts are covered: (a) accounts primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions (e.g., brokerage accounts, margin accounts, advisory accounts with ongoing services), and (b) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Identity Theft Prevention Program Requirements. The ITPP must include reasonable policies and procedures to: (1) identify relevant red flags applicable to the firm's covered accounts, drawing from five categories of red flags — alerts, notifications, or warnings from consumer reporting agencies; suspicious documents; suspicious personal identifying information; unusual use of or suspicious activity related to a covered account; and notices from customers, victims of identity theft, law enforcement, or other persons regarding possible identity theft — (2) detect red flags that have been incorporated into the program, (3) respond appropriately to any red flags that are detected to prevent and mitigate identity theft, and (4) ensure the program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the firm.
Administration. The ITPP must be approved by the board of directors, a committee of the board, or senior management (17 CFR 248.201(d)). Ongoing administration includes: assigning specific responsibility for the program's implementation, training staff to carry out the program, exercising appropriate and effective oversight of service provider arrangements (ensuring that service providers' activities in connection with covered accounts are conducted in accordance with reasonable policies and procedures to detect, prevent, and mitigate identity theft), and ensuring the program is updated as necessary.
SEC Cybersecurity Rules and Guidance
The SEC has addressed cybersecurity through a combination of rulemaking, interpretive guidance, and enforcement.
Public Company Disclosure Rules (2023). In July 2023, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that an incident is material. Companies must also disclose their cybersecurity risk management, strategy, and governance on Form 10-K (Item 1C of Regulation S-K). Required disclosures include: processes for assessing, identifying, and managing cybersecurity risks; whether cybersecurity risks have materially affected or are reasonably likely to materially affect the company's business strategy, results of operations, or financial condition; the board of directors' oversight of cybersecurity risk; and management's role in assessing and managing cybersecurity risks.
Registered Entity Cybersecurity Expectations. For SEC-registered investment advisers and broker-dealers, the SEC has not adopted a standalone cybersecurity rule as of this skill's compilation. However, the SEC enforces cybersecurity obligations through existing authority, principally the Reg S-P Safeguards Rule (17 CFR 248.30), the books-and-records rules (SEC Rule 17a-4, IA Act Rule 204-2), and the general antifraud provisions. The SEC proposed rules in February 2022 (Release Nos. 33-11028, 34-94382, IA-5956) that would require registered investment advisers and funds to adopt and implement written cybersecurity policies, report significant cybersecurity incidents to the SEC on a new confidential form, and disclose cybersecurity risks and incidents to clients and investors. While these proposals had not been adopted in final form as of this skill's compilation, they signal the direction of SEC rulemaking, and firms should evaluate their programs against the proposed requirements.
SEC EXAMS (formerly OCIE) Examination Priorities. Cybersecurity has been a top SEC examination priority since 2014. Key areas examined include: governance and risk assessment (board or senior management oversight, CISO or equivalent role, documented risk assessments), access rights and controls (least privilege, multi-factor authentication, access logging, prompt deprovisioning of terminated employees), data loss prevention (monitoring for unauthorized data transfers, encryption at rest and in transit, endpoint protection), vendor management (due diligence on third-party service providers, contractual security requirements, ongoing monitoring), incident response (written plans, testing and tabletop exercises, escalation procedures), and training (frequency, content, phishing simulation results).
SEC Enforcement. The SEC has brought enforcement actions against registered firms for cybersecurity failures under Reg S-P's Safeguards Rule and under the Identity Theft Red Flags Rule. Notable enforcement themes include: failure to implement written policies and procedures for protecting customer information, insufficient access controls (e.g., allowing shared credentials, failing to implement multi-factor authentication), failure to detect and respond to known vulnerabilities, and misleading disclosures about cybersecurity practices following a breach.
Incident Response Requirements
Regulatory expectations require financial firms to maintain comprehensive incident response capabilities.
Written Incident Response Plan. The SEC expects registered firms to maintain a written incident response plan that includes: designation of an incident response team with clear roles and escalation authority; procedures for detecting and classifying incidents by severity; containment procedures to limit the scope and impact of an incident; evidence preservation protocols (forensic imaging, log retention, chain of custody documentation); eradication and recovery procedures; internal escalation and reporting timelines (to senior management, the board, legal counsel, and the compliance department); external notification procedures (to customers, regulators, and law enforcement as required); and a post-incident review process to identify root causes and remediation actions.
Customer Notification. There is no general federal SEC breach notification requirement for investment advisers or broker-dealers as of current law. However, state breach notification laws apply in all 50 states, the District of Columbia, and U.S. territories, and they impose varying notification obligations depending on the types of data compromised, the number of individuals affected, and the state in which the affected individual resides. Most states require notification within 30 to 60 days of discovery; some states, such as Florida (30 days under Fla. Stat. 501.171) and Colorado (30 days under C.R.S. 6-1-716), impose shorter deadlines. Firms operating in multiple states must comply with the notification requirements of each state where affected individuals reside, which often means complying with the most restrictive standard.
Regulatory Notification. While there is no general SEC breach reporting rule for advisers and broker-dealers, certain circumstances may trigger reporting obligations: (a) if the breach involves potential financial crime, SAR filing obligations under BSA/AML rules may apply; (b) FINRA expects member firms to notify FINRA of significant cybersecurity incidents; (c) New York DFS-regulated entities must notify DFS within 72 hours of a cybersecurity event that has a reasonable likelihood of materially harming normal operations (23 NYCRR 500.17); and (d) the SEC's proposed cybersecurity rules would, if adopted, require significant incident reporting to the SEC.
Law Enforcement Coordination. Firms should establish relationships with relevant law enforcement agencies (FBI, Secret Service, state attorneys general) before an incident occurs. In the event of a breach, law enforcement may request a delay in public notification to avoid compromising an investigation; firms should work with counsel to balance this request against state breach notification deadlines.
SAR Filing. If a cybersecurity incident involves or is connected to potential financial crime — for example, unauthorized access leading to theft of funds, account takeovers, or identity theft used to facilitate fraudulent transactions — the firm must evaluate whether a Suspicious Activity Report should be filed under its BSA/AML obligations. The SAR should describe the cybersecurity incident, the nature of the suspected criminal activity, and the impact on customer accounts.
State Privacy Laws
Financial firms face a layered regulatory environment where federal securities privacy rules intersect with state privacy and cybersecurity legislation.
California (CCPA/CPRA). The California Consumer Privacy Act (Cal. Civ. Code 1798.100 et seq.), as amended by the California Privacy Rights Act (effective January 1, 2023), grants California residents broad rights over their personal information, including rights to know, delete, correct, and opt out of the sale or sharing of personal information. Financial institutions are partially exempt from the CCPA/CPRA to the extent they are subject to the GLBA and collect, process, sell, or disclose personal information pursuant to GLBA. However, the exemption applies only to information collected, processed, sold, or disclosed subject to GLBA — information outside the GLBA's scope (e.g., employee data, website tracking data, marketing data) may still be subject to CCPA/CPRA. Firms must carefully analyze which data falls within the GLBA exemption and which does not.
New York (DFS 23 NYCRR 500). The New York Department of Financial Services cybersecurity regulation applies to all entities operating under or required to operate under a DFS license, registration, or charter, or that are otherwise DFS-regulated. This includes many broker-dealers and investment advisers operating in New York. Key requirements include: designation of a Chief Information Security Officer (CISO); establishment and maintenance of a cybersecurity program based on a risk assessment; written cybersecurity policies covering 14 specified areas (information security, data governance and classification, asset inventory, access controls, business continuity, systems and network security, monitoring, incident response, vendor management, encryption, and others); annual penetration testing and bi-annual vulnerability assessments; multi-factor authentication for accessing internal networks from an external network; encryption of NPI both in transit and at rest; 72-hour notification to DFS of material cybersecurity events (23 NYCRR 500.17); annual written certification of compliance by the board or senior officer (23 NYCRR 500.17(b)); and a requirement that CISOs report in writing at least annually to the board or senior governing body. DFS has actively enforced 23 NYCRR 500 through consent orders and civil penalties.
Massachusetts (201 CMR 17.00). Massachusetts Standards for the Protection of Personal Information require every entity that owns, licenses, stores, or maintains personal information of Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP). Required elements include: designation of a responsible employee, risk assessment, employee training, monitoring of the program, discipline for violations, prevention of terminated employees from accessing records, service provider oversight, restrictions on physical access, monitoring of systems for unauthorized access, encryption of transmitted records containing personal information, encryption of all personal information stored on laptops and portable devices, use of reasonably up-to-date firewall and operating system security patches, and use of up-to-date malware protection.
Multi-State Compliance. Firms with customers in multiple states must track and comply with each state's privacy and data breach notification laws. Key variations include: the definition of "personal information" triggering notification obligations (some states include broader categories such as biometric data, health information, or online account credentials); notification deadlines (ranging from 30 days to "reasonable" without a specified limit); notification content requirements; requirements to notify the state attorney general or other state agency; and requirements to provide credit monitoring or identity theft protection services. Maintaining a breach notification matrix that maps state-by-state requirements is a best practice for multi-state firms.
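The breach notification matrix described above, as an added worked example that is not part of the original document: it carries only the two deadlines this page cites (Florida and Colorado, 30 days each), treats every other state through a clearly labelled placeholder entry that must be replaced with researched values, computes the binding (most restrictive) deadline for a constructed incident, and flags a requested law enforcement delay that would run past that deadline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class StateRule:
    citation: str
    deadline_days: Optional[int]  # None = statute fixes no day count ("reasonable" timing)


# Matrix entries. FL and CO carry the 30-day deadlines cited on this page; DEFAULT is a
# constructed placeholder for any state not yet researched and must be replaced with that
# state's actual rule (deadline, AG notice, content requirements) before the matrix is relied on.
NOTIFICATION_MATRIX = {
    "FL": StateRule("Fla. Stat. 501.171", 30),
    "CO": StateRule("C.R.S. 6-1-716", 30),
    "DEFAULT": StateRule("PLACEHOLDER - confirm with counsel", None),
}

# Constructed incident: discovery date and affected individuals by state of residence.
SAMPLE_INCIDENT = {"discovered": date(2024, 3, 4), "affected": {"FL": 120, "CO": 7, "TX": 3}}


def rule_for(state):
    """Look up the matrix entry, falling back to the placeholder for unresearched states."""
    return NOTIFICATION_MATRIX.get(state, NOTIFICATION_MATRIX["DEFAULT"])


def deadlines(incident):
    """Per-state notification deadline; None where the matrix fixes no day count."""
    out = {}
    for state in incident["affected"]:
        rule = rule_for(state)
        if rule.deadline_days is None:
            out[state] = None
        else:
            out[state] = incident["discovered"] + timedelta(days=rule.deadline_days)
    return out


def plan(incident, law_enforcement_hold_until=None):
    """Binding calendar date (the earliest fixed deadline across affected states), the states
    that need manual review because no fixed deadline is recorded, and whether a requested
    law enforcement delay would push public notification past the binding deadline."""
    per_state = deadlines(incident)
    fixed = [d for d in per_state.values() if d is not None]
    binding = min(fixed) if fixed else None
    conflict = bool(binding and law_enforcement_hold_until and law_enforcement_hold_until > binding)
    return {
        "binding_deadline": binding,
        "needs_review": sorted(s for s, d in per_state.items() if d is None),
        "hold_conflicts_with_deadline": conflict,
        "per_state": per_state,
    }


if __name__ == "__main__":
    for key, value in plan(SAMPLE_INCIDENT, law_enforcement_hold_until=date(2024, 4, 10)).items():
        print(f"{key}: {value}")
```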
Vendor and Third-Party Risk Management
SEC and FINRA expect registered firms to exercise diligent oversight of service providers with access to customer data, information systems, or critical business functions. The principle that outsourcing does not outsource compliance responsibility is fundamental — the firm remains accountable for the security of customer data regardless of where the data is processed or stored.
Due Diligence Before Engagement. Before engaging a vendor with access to customer NPI or critical systems, firms should assess the vendor's information security posture, including: the vendor's written information security policies and procedures, SOC 2 Type II audit reports (or equivalent), business continuity and disaster recovery capabilities, incident response procedures and history, use of subcontractors and sub-processors, data center security (physical and logical), encryption practices, access control mechanisms, employee screening and training, and financial stability.
Contractual Protections. Contracts with service providers should include: confidentiality obligations covering all customer NPI and proprietary data; minimum information security standards (referencing recognized frameworks such as NIST CSF, ISO 27001, or SOC 2 criteria); breach notification requirements (specifying the vendor must notify the firm within a defined period, typically 24 to 72 hours, of discovering a security incident affecting the firm's data); the firm's right to audit the vendor's security practices and to receive audit reports; requirements for prompt return or destruction of data upon contract termination; restrictions on the vendor's use of the firm's data for purposes beyond the contracted services; provisions addressing the vendor's use of subcontractors, including the firm's right to approve or be notified of material subcontracting; indemnification for losses arising from the vendor's security failures; and the firm's right to terminate the contract for material security deficiencies.
Ongoing Monitoring. Due diligence is not a one-time exercise. Firms should: review updated SOC reports or equivalent assessments annually, conduct periodic security questionnaires or assessments, monitor the vendor for reported security incidents or regulatory actions, review the vendor's business continuity and disaster recovery testing results, and reassess the vendor's risk profile if there are material changes to the services provided, the data accessed, or the vendor's ownership or financial condition.
Cloud Service Provider Considerations. The SEC has issued risk alerts specifically addressing cloud security (SEC EXAMS Risk Alert, January 2020). Key expectations include: understanding the shared responsibility model (the cloud provider secures the infrastructure; the firm secures its data and configurations within the cloud); proper configuration of cloud storage to prevent unauthorized public access; strong identity and access management for cloud environments; encryption of data at rest and in transit within cloud services; logging and monitoring of cloud environment activity; and understanding the cloud provider's data residency, backup, and disaster recovery practices.
Concentration Risk. Regulators have expressed concern about concentration risk when multiple firms rely on the same critical service providers. Firms should assess whether the failure of a key vendor would create systemic risk, maintain business continuity plans that address vendor failure scenarios, and consider diversification of critical services where practicable.
Data Governance for Financial Firms
Effective data governance provides the operational framework for meeting privacy and security regulatory requirements.
Data Classification. Firms should classify data based on sensitivity and regulatory requirements. A common taxonomy includes: (a) Public — information intended for public distribution (marketing materials, publicly filed regulatory documents), (b) Internal — information for internal use that would not cause significant harm if disclosed (general correspondence, internal procedures), (c) Confidential — information whose unauthorized disclosure could cause harm to the firm or its clients (customer account information, trade data, financial projections), and (d) Restricted — the most sensitive information requiring the highest level of protection (Social Security numbers, account credentials, consumer report information, material nonpublic information). Classification drives the application of access controls, encryption, monitoring, and disposal requirements.
Access Controls. The principle of least privilege requires that employees, systems, and service providers receive only the minimum access necessary to perform their functions. Role-based access control (RBAC) assigns permissions based on job function rather than individual identity, facilitating consistent enforcement and efficient provisioning and deprovisioning. Segregation of duties prevents any single individual from having end-to-end control over a process that could facilitate fraud or unauthorized access. Access reviews should be conducted at least annually, and more frequently for privileged accounts.
Encryption. Data encryption should be applied both at rest (stored data) and in transit (data moving across networks). At rest, full-disk encryption, database encryption, and file-level encryption are common approaches. In transit, TLS 1.2 or higher should be used for all communications containing NPI. Encryption key management — including key generation, storage, rotation, and destruction — must be addressed in the firm's security policies.
Data Retention and Destruction. Financial firms must balance data minimization principles with books-and-records retention requirements. SEC Rule 17a-4 (broker-dealers) and IA Act Rule 204-2 (investment advisers) impose specific retention periods for various categories of records, typically ranging from 3 to 6 years depending on the record type. Data should be retained for the longest applicable retention period and securely destroyed when the retention period expires. Destruction methods must render data unrecoverable: shredding for physical media, cryptographic erasure or physical destruction for electronic media.
Data Loss Prevention (DLP). DLP systems monitor and control the movement of sensitive data within and outside the firm. Common DLP controls include: monitoring email and web traffic for NPI patterns (e.g., Social Security numbers, account numbers), blocking unauthorized transfers of sensitive files to external destinations (USB drives, personal email, cloud storage), monitoring print activity for sensitive documents, and generating alerts for anomalous data movement patterns. DLP controls should be calibrated to the firm's data classification scheme.
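A DLP content check of the kind described above, as an added example that is not code from the original document: it scans constructed outbound messages for Social Security number and account number patterns, rejects structurally impossible SSNs to limit false positives, maps each hit to the Restricted/Confidential classes from the classification taxonomy above, and decides block/alert/log depending on whether the recipient is external. The account number format, the internal domain list and the sample messages are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample outbound email bodies (not real data) that a DLP filter would inspect.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "ops@example-firm.test", "body": "Quarterly numbers attached, call me at 555-0142."},
    {"id": "m2", "to": "someone@gmail.example", "body": "Client SSN 123-45-6789 and account 4857-229-0031 for the transfer."},
    {"id": "m3", "to": "ops@example-firm.test", "body": "Ticket 000-12-3456 is not an SSN; neither is 666-12-3456."},
    {"id": "m4", "to": "billing@example-firm.test", "body": "Please confirm account 1122-334-5566 balance."},
    {"id": "m5", "to": "partner@vendor.example", "body": "Statement for account 9988-776-5544 attached."},
]

INTERNAL_DOMAINS = {"example-firm.test"}  # assumed: the firm's own mail domain(s)

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed in-house account number format: 4 digits, 3 digits, 4 digits.
ACCOUNT_RE = re.compile(r"\b\d{4}-\d{3}-\d{4}\b")


def is_valid_ssn(area, group, serial):
    """Reject structurally impossible SSNs: SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000. This cuts false positives from ticket ids and the like."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


@dataclass
class Finding:
    message_id: str
    kind: str            # "ssn" or "account_number"
    classification: str  # per the taxonomy above: "Restricted" or "Confidential"
    redacted: str        # what gets written to the alert, never the full value


def scan_message(msg):
    """Return one Finding per NPI pattern hit in the message body."""
    findings = []
    for m in SSN_RE.finditer(msg["body"]):
        if is_valid_ssn(*m.groups()):
            findings.append(Finding(msg["id"], "ssn", "Restricted", "***-**-" + m.group(3)))
    for m in ACCOUNT_RE.finditer(msg["body"]):
        findings.append(Finding(msg["id"], "account_number", "Confidential", "****-***-" + m.group(0)[-4:]))
    return findings


def is_external(recipient):
    return recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def decide(msg):
    """Restricted data to an external recipient is blocked, Confidential data to an external
    recipient raises an alert, and internal traffic carrying NPI is logged only."""
    findings = scan_message(msg)
    if not findings:
        return "allow", findings
    levels = {f.classification for f in findings}
    if is_external(msg["to"]):
        return ("block" if "Restricted" in levels else "alert"), findings
    return "log", findings


def run_dlp(messages=SAMPLE_MESSAGES):
    """Map message id to (action, findings) for every message."""
    return {m["id"]: decide(m) for m in messages}


if __name__ == "__main__":
    for mid, (action, findings) in run_dlp().items():
        print(mid, action, [(f.kind, f.redacted) for f in findings])
```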
Monitoring and Logging. Firms should maintain comprehensive logs of access to sensitive systems and data, including: user authentication events (successful and failed), access to customer account records, changes to access permissions, data exports and transfers, and system administrator activities. Logs must be retained for a sufficient period to support incident investigation and regulatory examination (SEC examiners frequently request 12 to 24 months of access logs). Automated alerting should be configured for anomalous activity patterns, such as after-hours access, access from unusual locations, or bulk data downloads.
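The alert conditions listed above are simple enough to express directly over an access log, which is also the easiest way to show examiners that the logging process produces something actionable. The following Python is an added example, not part of the original page or any vendor's product: it parses constructed key=value access-log lines and raises the alert types the paragraph names (after-hours access, access from a location outside the user's baseline, bulk export, a burst of failed logins, and grants of privileged roles). The thresholds, business-hours window, baseline locations and log lines are all assumptions made for the example.

```python
"""Access-log anomaly detection (added example; log lines below are constructed).

Parses key=value access logs and raises the alert types a monitoring policy
typically names: after-hours access, access from outside the user's baseline
location, bulk export, a burst of failed logins, and privileged role grants.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed policy values; timestamps are UTC and business hours are 06:00-20:00 UTC.
BUSINESS_HOURS = (6, 20)
BULK_THRESHOLD = 1000                  # records in a single export
FAIL_THRESHOLD = 5                     # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=10)    # ... within this window
PRIVILEGED_ROLES = {"domain_admin", "dba"}
# Baseline countries per user, assumed to come from prior login history.
KNOWN_GEO: Dict[str, Set[str]] = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}

# Constructed sample log: carol's failed-login burst, dave granting a privileged
# role to a service account, alice's normal day, and bob exporting after hours
# from an unfamiliar country.
SAMPLE_LOG = """\
2024-06-13T09:10:00Z user=carol event=login result=failure src=192.0.2.9 geo=US
2024-06-13T09:10:08Z user=carol event=login result=failure src=192.0.2.9 geo=US
2024-06-13T09:10:17Z user=carol event=login result=failure src=192.0.2.9 geo=US
2024-06-13T09:10:25Z user=carol event=login result=failure src=192.0.2.9 geo=US
2024-06-13T09:10:33Z user=carol event=login result=failure src=192.0.2.9 geo=US
2024-06-13T09:10:48Z user=carol event=login result=success src=192.0.2.9 geo=US
2024-06-13T10:30:00Z user=dave event=perm_change target=svc_backup role=domain_admin src=192.0.2.5 geo=US
2024-06-13T14:02:11Z user=alice event=login result=success src=198.51.100.7 geo=US
2024-06-13T14:05:40Z user=alice event=view records=1 src=198.51.100.7 geo=US
2024-06-13T23:41:03Z user=bob event=login result=success src=203.0.113.40 geo=RO
2024-06-13T23:43:19Z user=bob event=export records=12000 src=203.0.113.40 geo=RO
"""


def parse(line: str) -> dict:
    """Split '<iso-timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text: str, known_geo: Dict[str, Set[str]] = KNOWN_GEO) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (user, alert) pairs for the log text."""
    findings: Set[Tuple[str, str]] = set()
    failures = defaultdict(list)       # user -> timestamps of failed logins inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        user, kind, ts = ev["user"], ev["event"], ev["ts"]
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.add((user, "after_hours"))
        if "geo" in ev and ev["geo"] not in known_geo.get(user, set()):
            findings.add((user, "unusual_geo"))
        if kind == "export" and int(ev.get("records", "0")) >= BULK_THRESHOLD:
            findings.add((user, "bulk_export"))
        if kind == "login" and ev.get("result") == "failure":
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            failures[user] = recent
            if len(recent) >= FAIL_THRESHOLD:
                findings.add((user, "failed_auth_burst"))
        if kind == "perm_change" and ev.get("role") in PRIVILEGED_ROLES:
            findings.add((user, "privileged_grant"))
    return sorted(findings)


if __name__ == "__main__":
    for user, alert in detect(SAMPLE_LOG):
        print(f"{user:<8} {alert}")
```

Bob's three findings together (after hours, unfamiliar country, 12,000-record export) are the combination that should page someone, whereas any one of them alone is often benign; a production rule set scores them jointly, and the per-user geo baseline is rebuilt from history rather than hard-coded as it is here.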
Effective data governance provides the operational framework for meeting privacy and security regulatory requirements.
Data Classification. Firms should classify data according to its sensitivity and the regulatory requirements that apply to it. A common scheme has four tiers: (a) Public, information intended for public distribution (marketing materials, publicly filed regulatory documents); (b) Internal, information for internal use whose disclosure would not cause material harm (general correspondence, internal procedures); (c) Confidential, information whose unauthorized disclosure could harm the firm or its customers (customer account information, trading data, financial projections); and (d) Restricted, the most sensitive information, requiring the highest level of protection (Social Security numbers, account credentials, consumer report information, material nonpublic information). The classification determines which access control, encryption, monitoring, and disposal requirements apply.
Employee Training and Awareness
Regulators expect all employees to receive privacy and security training, with the scope and depth tailored to the employee's role and access level.
Regulatory Foundation. The Reg S-P Safeguards Rule requires firms to include employee training as part of their written information security policies. FINRA Regulatory Notice 21-18 emphasizes cybersecurity practices for member firms, including the importance of employee awareness and training. New York DFS 23 NYCRR 500.14 specifically requires regular cybersecurity awareness training for all personnel.
Training Content. Effective training programs should cover: the firm's privacy and information security policies and procedures; the types of NPI the firm collects and the regulatory requirements for protecting it; recognizing and reporting social engineering attacks, including phishing, spear-phishing, vishing (voice phishing), smishing (SMS phishing), pretexting, and business email compromise (BEC); physical security practices, including visitor management, secure areas, and clean desk policies; proper use of email, internet, and removable media; mobile device security and bring-your-own-device (BYOD) policies; password management and multi-factor authentication; procedures for reporting suspected security incidents, including whom to contact and what information to provide; and consequences of policy violations, including disciplinary action and potential regulatory liability.
Phishing Simulation. Firms should conduct periodic phishing simulation exercises to test employee awareness. Results should be tracked, and employees who fail simulations should receive additional targeted training. SEC examiners have requested phishing simulation results and click-through rates during cybersecurity examinations.
Training Frequency and Documentation. Training should be conducted at least annually, with supplemental training when significant new threats emerge or when the firm's policies change materially. New employees should receive training during onboarding before receiving access to customer NPI. All training must be documented, including the date, attendees, topics covered, and materials used. Documentation should be retained for a minimum of 5 years to satisfy examination and audit requirements.
Role-Specific Training. Employees with elevated access or specific security responsibilities — including IT staff, compliance personnel, executive management, and employees with administrative system privileges — should receive additional training tailored to their roles, covering advanced threat detection, incident response procedures, and regulatory expectations for their specific functions.
Worked Examples
Example 1: Departing Employee Downloads Client NPI to Personal USB Drive
Scenario: An SEC-registered investment adviser discovers during a routine access review that a recently departed portfolio manager downloaded a file containing client NPI — including names, Social Security numbers, dates of birth, and account values for 850 clients — to a personal USB drive on the employee's last day of employment. The firm's IT team identifies the transfer through endpoint monitoring logs. The employee has already left the firm and started at a competing RIA.
Compliance Issues:
- The Reg S-P Safeguards Rule (17 CFR 248.30) requires written policies and procedures to protect against unauthorized access to customer records. The firm must evaluate whether its existing controls were adequate to prevent this type of exfiltration and whether its policies were followed.
- If the firm's policies prohibited personal USB device use or required DLP controls blocking the transfer of files containing NPI to removable media, a failure to enforce those policies is itself a Safeguards Rule deficiency.
- If the firm lacked such policies, the absence constitutes a potential Safeguards Rule violation, as the policies must be reasonably designed to protect against unauthorized access.
- State breach notification laws are triggered because Social Security numbers were compromised. The firm must determine the states of residence of all 850 affected clients and comply with each applicable state law's notification requirements.
- Several states — including California (Cal. Civ. Code 1798.82), Massachusetts (M.G.L. c. 93H, Section 3), and New York (N.Y. Gen. Bus. Law 899-aa) — require notification to the affected individuals and, subject to thresholds (California, for example, requires attorney general notice only when more than 500 residents are affected), to the state attorney general or other designated regulator. Timelines vary: some states set an outer limit of 30 to 60 days from discovery, while others, including these three, require notice in the most expedient time possible and without unreasonable delay.
- The firm should evaluate whether the departing employee's actions constitute potential financial crime (theft of trade secrets, identity theft facilitation, or misuse of client information for competitive solicitation), which may warrant a SAR filing under BSA/AML obligations.
Analysis: The firm should immediately take the following steps: (1) Preserve all evidence of the data transfer, including endpoint monitoring logs, the employee's access logs, and any records of the files accessed or copied. (2) Engage legal counsel to assess state breach notification obligations and to manage attorney-client privilege over the investigation. (3) Contact the former employee and the competing firm through counsel to demand the return or certified destruction of all client data, supported by a forensic certification that no copies remain. (4) Conduct a forensic analysis of the former employee's workstation and access history to determine whether additional data was compromised. (5) Notify affected clients as required by applicable state laws, providing information about the nature of the data compromised, the steps the firm is taking, and resources for credit monitoring or identity theft protection (several states require the firm to offer credit monitoring at no cost). (6) Report the incident to senior management and the board (or equivalent governing body) for oversight. (7) Evaluate whether existing access controls should be strengthened, for example by implementing or enforcing USB port blocking, DLP controls preventing NPI transfer to removable media, and enhanced monitoring during employee offboarding periods. (8) Document all remediation actions, as SEC examiners will expect to see evidence that the firm identified the root cause and implemented corrective measures.
Example 2: Third-Party Vendor Ransomware Attack Exposes Customer Data
Scenario: A mid-sized broker-dealer uses a third-party portfolio accounting vendor to process and store customer account data for approximately 15,000 accounts. The vendor notifies the firm that it has experienced a ransomware attack in which threat actors exfiltrated data before encrypting systems. The vendor's initial assessment indicates that the exfiltrated data may include customer names, addresses, account numbers, Social Security numbers, and account holdings. The firm's customers reside in 38 states. The vendor's notification arrives 10 days after the vendor discovered the incident.
Compliance Issues:
- The firm's Reg S-P Safeguards Rule obligations extend to its oversight of service providers. The firm is required to have written policies and procedures addressing service provider oversight, including contractual protections and ongoing monitoring (17 CFR 248.30).
- The firm must evaluate the adequacy of its vendor management program: Did the contract require the vendor to notify the firm within a specified period (e.g., 24 to 72 hours)? A 10-day delay may indicate a contractual gap or a vendor breach of its contractual obligations. Did the firm conduct due diligence on the vendor's security posture before engagement? Did the firm review the vendor's SOC reports or equivalent assessments? Did the contract include audit rights, subcontractor controls, and indemnification?
- If the firm is DFS-regulated, 23 NYCRR 500.17 requires notification to DFS within 72 hours of determining that a cybersecurity event has occurred that has a reasonable likelihood of materially harming normal operations — this includes incidents at third-party service providers that affect the firm's customer data.
- State breach notification laws are triggered for all 38 states where customers reside. The firm — not the vendor — is typically the entity with the customer relationship and thus bears the notification obligation (though the vendor may have independent notification obligations in some states).
- FINRA expects member firms to notify FINRA of significant cybersecurity incidents. A breach affecting 15,000 customer accounts with Social Security numbers is significant.
- The firm must assess whether the incident has triggered the SEC's proposed incident reporting requirements (if adopted) or, in any case, whether the incident is material for purposes of the firm's own regulatory filings and disclosures.
Analysis: The firm should activate its incident response plan and take the following actions: (1) Engage external cybersecurity counsel and a forensic investigation firm to assess the scope of the compromise independently of the vendor's assessment. (2) Demand from the vendor: a detailed incident timeline, forensic investigation reports, confirmation of the specific data compromised, the vendor's remediation steps, and evidence that the attack vector has been closed. (3) Begin mapping state-by-state breach notification requirements for all 38 states. Assign the most restrictive deadline (likely 30 days from the firm's discovery) as the target for all notifications to ensure compliance across jurisdictions. (4) Prepare customer notification letters that comply with the content requirements of each applicable state, providing the nature of the compromised data, the firm's response actions, and information about credit monitoring services (the firm should provide credit monitoring at its expense for affected customers). (5) Notify DFS within 72 hours if the firm is subject to 23 NYCRR 500. (6) Notify FINRA of the incident. (7) Evaluate whether the breach resulted in or facilitated any unauthorized transactions, account takeovers, or other potential financial crime, and file SARs as appropriate. (8) Reassess the vendor relationship: review the contract for breach provisions and indemnification rights, consider whether the vendor's security practices are adequate for continued engagement, and document the reassessment. (9) Report the incident and remediation actions to the board or senior management, and update the firm's written information security program to address any gaps revealed by the incident. (10) Retain all documentation of the incident, investigation, notifications, and remediation for examination and audit purposes.
Example 3: SEC Examination Focused on Cybersecurity
Scenario: An SEC-registered investment adviser with $5 billion in AUM receives an examination notification letter from the SEC Division of Examinations. The document request list includes cybersecurity as a focus area, requesting production of the firm's written information security policies, incident response plan, vendor assessments, access control documentation, employee training records, and board or management reporting on cybersecurity.
Compliance Issues:
- The examination will test the firm's compliance with the Reg S-P Safeguards Rule, which requires written policies and procedures for administrative, technical, and physical safeguards.
- If the firm is subject to Reg S-ID, examiners may also request the firm's Identity Theft Prevention Program and evidence of its implementation.
- SEC examiners will assess not only the existence of written policies but their actual implementation, testing, and updating — a policy that exists on paper but is not followed is a deficiency.
- Common SEC examination deficiency findings related to cybersecurity include: lack of a comprehensive written information security policy; policies that have not been updated to reflect current threats, technology, or business practices; insufficient access controls (e.g., shared passwords, failure to implement multi-factor authentication, failure to decommission access promptly upon employee departure); lack of a written incident response plan or failure to test the plan through tabletop exercises; insufficient vendor due diligence documentation (no SOC reports, no security questionnaires, no contractual protections); inadequate employee training records (no evidence of training, training not conducted annually, no phishing simulation program); failure to conduct periodic risk assessments; failure to encrypt NPI at rest and in transit; and insufficient board or senior management oversight (no regular reporting on cybersecurity risks, no board-level engagement).
Analysis: To prepare for the examination, the firm should: (1) Assemble all responsive documents before the production deadline, including the written information security policy, risk assessments, incident response plan, vendor management policies and individual vendor assessments (SOC reports, security questionnaires, contracts with security provisions), access control documentation (user access lists, privileged account inventories, access review records, MFA implementation evidence), employee training materials and attendance records for at least the prior two years, phishing simulation results, incident logs (even if no material incidents occurred, since examiners want to see the logging process), board or management committee meeting minutes reflecting cybersecurity discussions and reporting, and any third-party penetration testing or vulnerability assessment reports. (2) Conduct a gap analysis against SEC examination expectations before the examination begins. Identify any deficiencies and begin remediation immediately; examiners view active remediation favorably, even if the deficiency still exists. (3) Prepare the CISO, CCO, and relevant IT and compliance personnel for examination interviews. Examiners will ask questions about how policies are implemented in practice, how incidents are escalated, how vendors are monitored, and how the firm stays current with evolving threats. (4) Review recent SEC EXAMS risk alerts and deficiency letters related to cybersecurity to anticipate the examination team's areas of focus. (5) Ensure that the firm's written policies are current and accurately reflect the firm's actual practices; a material gap between written policy and actual practice is a significant deficiency. (6) Document the firm's remediation of any prior examination findings, internal audit findings, or self-identified deficiencies.
Common Pitfalls
- Treating the Reg S-P Safeguards Rule as a documentation exercise rather than an operational requirement — written policies must be implemented, tested, and updated, not merely drafted and filed
- Assuming the FAST Act annual privacy notice exception applies without verifying that the firm shares NPI only under permitted exceptions and has not changed its privacy policies since the last notice
- Failing to conduct a covered account analysis under Reg S-ID — firms sometimes assume that only banks have covered accounts, but brokerage accounts and advisory accounts qualify where they permit multiple payments or transactions, or otherwise carry a reasonably foreseeable risk of identity theft
- Implementing an Identity Theft Prevention Program at the time of initial adoption but never updating it, even as the firm's customer base, products, and threat landscape change
- Treating vendor due diligence as a one-time onboarding exercise rather than an ongoing monitoring obligation — a SOC report from three years ago does not satisfy current diligence expectations
- Including security standards in vendor contracts but never exercising audit rights or reviewing compliance with those standards
- Relying on a vendor's notification of a breach as the sole trigger for the firm's incident response — the firm has an independent obligation to monitor for and detect security incidents
- Failing to map multi-state breach notification obligations before an incident occurs, resulting in delayed or non-compliant notifications under compressed timelines
- Not distinguishing between data subject to the GLBA exemption from CCPA/CPRA and data that falls outside the exemption — employee data, website analytics, and marketing data may not be covered by the GLBA exemption
- Implementing encryption for data in transit but neglecting encryption at rest, or vice versa
- Failing to decommission system access promptly when employees depart — SEC examiners routinely check for active accounts belonging to former employees as an indicator of access control weaknesses
- Treating employee cybersecurity training as a compliance checkbox rather than an effective awareness program — annual slide decks without phishing simulations, role-specific content, or measurable outcomes are increasingly viewed as inadequate
- Maintaining incident response plans that have never been tested through tabletop exercises or simulations — untested plans frequently fail under the pressure of an actual incident
- Assuming that outsourcing data processing or storage to a cloud provider eliminates the firm's regulatory responsibility for data security — the shared responsibility model requires the firm to secure its own configurations, access controls, and data within the cloud environment
Cross-References
- client-disclosures (Layer 9): The Reg S-P privacy notice is a required client disclosure document; its content, delivery timing, and the FAST Act exception are addressed in the client-disclosures skill
- books-and-records (Layer 9): Data retention and destruction requirements under privacy regulations must be reconciled with books-and-records retention rules under SEC Rule 17a-4 and IA Act Rule 204-2
- know-your-customer (Layer 9): KYC data — including Social Security numbers, dates of birth, addresses, and identification documents — constitutes NPI requiring protection under Reg S-P and is a primary target for identity theft under Reg S-ID
- anti-money-laundering (Layer 9): Cybersecurity incidents involving unauthorized account access, funds theft, or identity theft may trigger SAR filing obligations under BSA/AML requirements
- examination-readiness (Layer 9): Cybersecurity is consistently among the SEC Division of Examinations' top examination priorities; cybersecurity document requests, interview topics, and common deficiency findings are central to examination preparation
- conflicts-of-interest (Layer 9): Information barriers, access controls, and data segregation policies serve dual purposes — preventing misuse of material nonpublic information and protecting customer NPI from unauthorized internal access