Now that the comment period for the Securities and Exchange Commission's (SEC) proposed amendments to Regulation S-P has ended, financial advisors are left wondering how much time and money they'll have to spend to meet the required privacy standards for their clients.
Regulation S-P covers privacy practices pertaining to safeguarding client information and handling security breaches. The SEC's proposed amendments aim to bolster information protection in a number of ways, from requiring more specific standards under the safeguard rule, including those pertaining to data security breaches, to amending the scope of information covered and the types of institutions and persons covered by the rule.
Among other things, the proposed amendments would also require written records of privacy procedures and compliance, and would facilitate information flow to make it easier for investors to follow an advisor who moves from one firm to another.
The comment period ended in May, and the SEC is expected to finalize the rule sometime this summer.
If the amendments go through as proposed, advisors would need to create an information security program customized to the advisory practice's size and to the complexity and sensitivity of the personal information. They'll also have to designate a staffer to be the information security officer, or ISO, who reviews, maintains and enforces the program.
"I think people are troubled by the details and by the anticipated costs," says Patrick Burns, president of Advanced Regulatory Compliance, Inc., a compliance consulting company in Beverly Hills, Calif.
"Smaller firms are more alarmed about this," Burns says. "This could be quite costly for two- to three-person shops already burdened by high cost structures and large administrative responsibilities. Larger firms will be better able to absorb the costs, but even for them the capital outlays could potentially be large."
An SEC spokesman said the agency won't speculate on what the final rule will entail.