New Privacy and Cybersecurity Obligations for Private Fund Sponsors and Managers

May 21, 2024


Last week, the Securities and Exchange Commission imposed expanded privacy and cybersecurity obligations on fund managers and sponsors registered with the SEC as investment advisers. While many registered investment advisers will conclude that their existing policies and procedures already address much of the new requirements, every adviser will need to assess what, if any, gaps exist between current practice and these new rulemakings.

Overview

On May 16, 2024, the SEC amended current Regulation S‑P to require RIAs (among others) to enhance their privacy policies. The amended Reg S-P requires RIAs to adopt policies and procedures:

  • To assess and mitigate incidents involving unauthorized access to or use of customer information;
  • To notify affected individuals; and
  • To make and maintain written records documenting compliance.

New Customer Information Definition

Amended Reg S‑P adopts a new definition of “customer information,” which includes any records containing “nonpublic personal information” (or “NPI”) about a “customer” of an RIA (i) that is in the possession of that adviser; or (ii) that is handled or maintained by the adviser or on its behalf. Although amended Reg S-P does not directly apply to private funds, information about private fund investors could be deemed “customer information” if constructively in the possession of an RIA or if it is covered by the Federal Trade Commission’s safeguards rule.

Policies and Procedures

Current Regulation S‑P requires RIAs to adopt policies and procedures (i) to address administrative, technical and physical safeguards; (ii) to protect, to ensure and guard against threats to the security and confidentiality of customer information; and (iii) to protect against unauthorized access to customer records and information. Amended Reg S‑P reformats those requirements and, in addition, now requires RIAs:

  • To assess the nature and scope of any incident involving unauthorized access to or use of customer information;
  • To identify the customer information systems and types of customer information that may have been accessed or used without authorization; and
  • To take appropriate steps to contain and control any incident to prevent further unauthorized access to or use of customer information.

Amended Reg S‑P also clarifies that an RIA’s privacy obligations generally extend to nonpublic personal information received from other financial institutions (e.g., custodians and nominees).

Service Providers

The new regulation extends beyond the RIA itself. An RIA’s incident response program must also include the establishment, maintenance and enforcement of written policies and procedures reasonably designed to oversee “service providers” (broadly defined to include any third party that “receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to [an RIA or other covered entity]”), including through due diligence and monitoring. Specifically, amended Reg S‑P requires that these policies and procedures be reasonably designed to ensure that service providers:

  • Protect against unauthorized access to or use of customer information; and
  • Notify the covered institution as soon as possible, but no later than 72 hours after becoming aware of a breach, that a security breach has occurred resulting in unauthorized access to a customer information system maintained by the service provider (at which point, the covered institution must initiate its own incident response program).

Customer Notification

Amended Reg S‑P requires that RIAs notify each affected individual whose “sensitive customer information” was, or is reasonably likely to have been, accessed or used without authorization in accordance with the notification requirements. (“Sensitive customer information” includes “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”)

An RIA, under amended Reg S‑P, must notify affected individuals as soon as practicable, but – subject to national security, public safety and other exceptions – generally not later than 30 days after becoming aware that unauthorized access to or use of sensitive customer information has occurred, or is reasonably likely to have occurred. The required notice must include:

  • A general description of the incident;
  • A general description of the type of the sensitive customer information;
  • If possible, information regarding the actual or estimated date of the incident;
  • Contact information for further information and assistance;
  • A recommendation that the customer review account statements and immediately report any suspicious activity; and
  • Detailed information on steps individuals can take to protect themselves (e.g., fraud alerts and credit monitoring).

If the RIA is unable to identify which specific individual’s sensitive customer information was accessed or used without authorization, the institution must provide notice to all individuals whose sensitive customer information resides in the applicable customer information system that was, or was reasonably likely to have been, accessed or used without authorization.

Document Retention and Disposal Requirements

Under amended Reg S‑P, RIAs are required to securely dispose of information in a way that protects against unauthorized access to or use of the information. They must also establish written policies and procedures to address proper disposal of consumer and customer information.

Updates to Annual Privacy Notice Requirements

Current Regulation S‑P requires that a “clear and conspicuous” notice that accurately reflects privacy practices be provided to customers at least annually. Under amended Reg S‑P, “annually means at least once in any period of 12 consecutive months” during which the customer relationship exists. An adviser can define the 12‑month period but must apply it on a consistent basis.

In addition, amended Reg S‑P clarifies the exception to the annual notice requirement that was originally provided by the Fixing America’s Surface Transportation Act (the “FAST Act”) in 2015. Specifically, no annual notice is required if an RIA: (i) only shares NPI with nonaffiliated third parties in a manner that does not require an opt-out right to be provided to customers (e.g., if NPI is disclosed to a service provider or for fraud detection and prevention purposes); and (ii) has not changed its policies and practices with respect to disclosing NPI since it last provided a privacy notice to its customers. The FAST Act states that an RIA (or other financial institution) is excepted from providing an annual privacy notice “until such time” as the entity fails to comply with the exception’s conditions, but it does not specify a date by which annual privacy notice delivery must resume. Amended Reg S‑P specifies that if a change in an RIA’s policies and practices would also result in it having to send a revised privacy notice under the current requirements, the revised notice will be treated as an initial notice for the purpose of the timing requirement, and the RIA will be required to resume notices at the same time it otherwise provides annual privacy notices. If a revised notice would not be required, the RIA must resume providing annual privacy notices within 100 days of the change. Amended Reg S‑P is also intended to be consistent with the existing privacy notice requirements of the CFTC, CFPB and FTC.

New Recordkeeping Requirements

Under companion amendments to Investment Advisers Act Rule 204‑2, RIAs are now required to retain the following written records:

  • Incident response policies and procedures.
  • Documentation of any detected unauthorized access to or use of customer information, as well as any response to, and recovery from, such unauthorized access to or use of customer information.
  • Documentation of any investigation and determination on whether notification is required, notice transmitted or United States Attorney General communications delayed.
  • Documentation of any contract or agreement with service providers.

Effective Date

Amended Reg S‑P and the Rule 204‑2 amendments will become effective 60 days after publication in the Federal Register. The amendments have tiered compliance dates, with a compliance deadline for “larger entities” (RIAs with $1.5 billion or more in assets under management) of 18 months after publication and a 24-month deadline for “smaller entities.” Given the unprecedented volume of other SEC rulemakings that are competing for internal compliance resources – in addition to other applicable new and amended state and international privacy laws – managers would be well-advised to begin their gap analyses sooner, rather than later.

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved.