Your Identity Theft Red Flags Program Is Probably a Dead Document

Of the four cybersecurity-adjacent rules that govern an SEC-registered investment adviser — Rule 206(4)-7, Regulation S-P, Rule 204-2, and Regulation S-ID — the one most firms understand least is Regulation S-ID. It is also the one most likely to be sitting in a binder, unchanged, since the day it was first drafted.

That is now a problem. The SEC has begun treating identity theft as a cyber-first risk, and a Red Flags program that does not reflect how identity theft actually happens today is, in the agency’s view, not a program at all.

The rest of this article is free to read with a BrainTrust membership — joining takes about a minute, and no credit card is required.

Join the BrainTrust   Already a member? Sign in