The Securities and Exchange Commission (SEC) announced new regulations on Thursday, requiring specific financial institutions to establish comprehensive plans for managing data breaches involving customer information. These regulations, amendments to previous rules from 2000, apply to broker-dealers, investment companies, funding portals, registered investment advisers, and transfer agents. The institutions must develop, implement, and maintain written policies and procedures for detecting and addressing data breaches, as well as notifying affected customers promptly.
SEC Chair Gary Gensler emphasized the necessity of these amendments, citing the significant transformation in the nature, scale, and impact of data breaches over the past two decades. Covered firms are now obligated to provide prompt notice to victims, within 30 days of becoming aware of an incident involving the leak of customer information. This notice must contain detailed information about the breach, the compromised data, and guidance on protective measures for affected individuals.
While the amendments will take effect two months after publication in the Federal Register, larger companies will have 18 months to comply, while smaller entities will have two years. This announcement coincides with the implementation of new incident reporting regulations from the SEC, which require public companies to report “material” incidents. Despite efforts by Rep. Andrew Garbarino to rescind the SEC incident reporting rule, the White House has pledged to veto any legislative attempts to do so, emphasizing the importance of cybersecurity measures in protecting consumer data.
Cybersecurity experts praised the SEC’s initiative, noting that it signals a necessary step toward protecting consumer data and enhancing cybersecurity measures. The emphasis on timely notification enables consumers to take proactive steps to safeguard their financial and personal information, contributing to overall consumer protection. This latest announcement underscores the SEC’s commitment to modernizing policies and requirements to address cybersecurity threats effectively and protect consumer information in today’s digital landscape.
