Financial institutions must disclose any data breaches they experience within a month, as mandated by the SEC.
The Securities and Exchange Commission (SEC) has adopted new rules aimed at enhancing data security and breach disclosure among financial institutions. The amendments to Regulation S-P, announced on May 16, 2024, require brokers, dealers, investment companies, and investment advisers registered with the SEC to adopt written policies and procedures addressing cybersecurity risks, including data breaches [1].
Under these amendments, covered financial institutions must promptly notify individuals about data breaches affecting their sensitive information. However, the rule has faced feedback from industry groups such as the American Bankers Association seeking revisions, particularly around the 72-hour notification requirement and the timeline for compliance [5].
The new rules mandate that financial institutions disclose security incidents to individuals within 30 days of determining their personal information was compromised in a breach [2]. Notices to affected customers must describe the incident, identify the compromised data, and explain how individuals can protect themselves.
The SEC's amendments apply to broker-dealers, funding portals, investment companies, registered investment advisers, and transfer agents [3]. Larger entities will have 18 months to comply with the new rules, while smaller companies will have two years before enforcement begins.
The rule change is part of a broader effort by the government to increase the pace of data breach disclosures and promptly alert individuals to potential exposure. Last week, the Federal Trade Commission (FTC) amended rules to require nonbanking financial institutions to notify the agency of a security breach impacting at least 500 customers' data within 30 days [4].
Financial institutions should prepare to comply with these new breach disclosure and cybersecurity policy requirements imminently while monitoring SEC guidance for possible clarifications or extensions. The SEC has not withdrawn or delayed this amendment but has withdrawn a separate proposed cybersecurity rule with similar notification elements [1][5].
The nature, scale, and impact of data breaches have transformed substantially over the last 24 years, as stated by the SEC Chair, Gary Gensler [2]. Multiple large enterprises, such as Microsoft, First American Financial, Hewlett Packard Enterprise, loanDepot, and UnitedHealth Group, have disclosed security incidents since the rules took effect [6].
In summary, the SEC's amendments to Regulation S-P require written cybersecurity policies, prompt notification to affected individuals of data breaches, and compliance timelines starting potentially in 2025 or 2026. Financial institutions should stay vigilant and prepared to comply with these new regulations.
References:

1. SEC Adopts Amendments to Regulation S-P to Strengthen Cybersecurity Protections and Breach Notification Requirements
2. SEC Adopts Amendments to Regulation S-P to Strengthen Cybersecurity Protections and Breach Notification Requirements
3. SEC Adopts Amendments to Regulation S-P to Strengthen Cybersecurity Protections and Breach Notification Requirements
4. FTC Amends Rule to Require Timely Notification of Security Breaches Affecting Consumers
5. SEC's Amendments to Regulation S-P: Industry Calls for Flexibility and Delay
6. Multiple Large Enterprises Disclose Security Incidents Since SEC Rule Change
- The Securities and Exchange Commission (SEC) has adopted new rules to heighten data security and breach disclosure in the banking-and-insurance industry.
- These amendments to Regulation S-P mandate that financial institutions adopt written cybersecurity policies and promptly inform individuals about data breaches affecting their sensitive information.
- The new SEC rules also require financial institutions to disclose security incidents to individuals within 30 days of determining their personal information was compromised.
- Despite feedback from industry groups seeking delay, financial institutions should prepare to comply with these breach disclosure and cybersecurity policy requirements imminently, as the SEC has not withdrawn or delayed this amendment.