SEC Enhances Cybersecurity Rules to Better Protect Customer Data

The Securities and Exchange Commission has adopted amendments to Regulation S-P aimed at strengthening protections for consumers' personal financial information held by broker-dealers, investment companies, registered investment advisers, and transfer agents. The amendments, which update rules that were first implemented in 2000, require these "covered institutions" to establish written policies and procedures for responding to data breaches involving unauthorized access to customer information.

"Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially," said SEC Chair Gary Gensler. "These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers' financial data."

Under the new rules, covered firms must develop an incident response program reasonably designed to detect, respond to, and recover from data breaches. They will also be required to notify affected individuals of any unauthorized access or use of their sensitive personal information, with some limited exceptions. Notifications must be sent "as soon as practicable" but no later than 30 days after the firm becomes aware of the breach. The notice must describe the incident, the type of data accessed, and steps individuals can take to protect themselves.

"The basic idea for covered firms is if you've got a breach, then you've got to notify. That's good for investors," Gensler stated.

The new cybersecurity requirements will take effect 60 days after being published in the Federal Register. Larger financial firms will have 18 months to comply, while smaller entities will have 24 months. The amendments are intended to modernize protections around customer data privacy and security as cyber threats have rapidly evolved since the original Regulation S-P rules were enacted over two decades ago.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.