SEC Updates 24-Yr-Old Rule To Better Protect Financial Data

Main focus is on having a distinct incident response playbook that contains exact steps to follow in case of a data breach that compromised customer information

by Mihir Bagwe May 17, 2024 in Governance, Compliance, Policy Updates, Regulations Reading Time: 3 mins read 0

594 SHARES 3.3k VIEWS Share on LinkedInShare on Twitter

The is tightening its focus on breach response mechanisms of very specific set of financial institutions, with an update to a 24-year-old rule.

The amendments announced on Thursday mandate that broker-dealers, funding portals, investment companies, registered investment advisers and transfer agents develop comprehensive plans for detecting and addressing data breaches involving customers' financial information.

Under the new rules, covered institutions are required to formulate, implement, and uphold written policies and procedures specifically tailored to identifying and mitigating breaches affecting customer data. Additionally, firms must establish protocols for promptly notifying affected customers in the event of a breach, ensuring transparency and facilitating swift remedial actions.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers' financial data. The basic idea for covered firms is if you've got a breach, then you've got to notify. That's good for investors.”

According to the amendments, organizations subject to the regulations must notify affected individuals expeditiously with a deadline of no later than 30 days following the discovery of a data breach.

The notification must include comprehensive details regarding the incident, the compromised data and actionable steps for affected parties to safeguard their information.

While the amendments are set to take effect two months after publication in the Federal Register, larger entities will have an 18-month grace period to achieve compliance, whereas smaller organizations will be granted a two-year window. However, the SEC has not provided explicit criteria for distinguishing between large and small entities, leaving room for further clarification.

The Debate on SEC's Tight Guidelines

The introduction of these amendments coincides with the implementation of new incident reporting regulations for public companies, compelling timely disclosure of “material“ cybersecurity incidents to the SEC. Public companies in the U.S. now have four days to disclose cybersecurity breaches that could impact their financial standing.

SEC's interest in the matter stems from a major concern: breach information leads to a stock market activity called informed trading, currently a grey area in the eyes of law.

Several prominent companies including Hewlett Packard and Frontier, have already submitted requisite filings under these regulations, highlighting the increasing scrutiny on cybersecurity disclosures.

Despite pushback from some quarters, including efforts by Rep. Andrew Garbarino to

The SEC's incident reporting rule has however received pushback from close quarters including Congressman Andrew Garbarino, Chairman of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee and a Member of the House Financial Services Committee. Garbarino in November introduced a joint resolution with Senator Thom Tillis to disapprove SEC's new rules.

“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent. CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities. Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland,” Garbarino said, at the time.

Senator Tillis added to it saying the SEC was doing its “best to hurt market participants by overregulating firms into oblivion.” Businesses and industry leaders across the spectrum have expressed intense opposition to the new rules but the White House has signaled its commitment to upholding the regulatory framework.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button