SEC Requires Notification of Data Breaches
The SEC adopted a final rule mandating that covered institutions develop, implement and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information.
The final rule amends Regulation S-P ("Privacy of Consumer Financial Information and Safeguarding Personal Information") and applies to broker-dealers, investment companies, investment advisers and transfer agents. Under the new rule, a response program must, with certain limited exceptions, include procedures for "covered institutions to provide notice" to individuals whose "sensitive customer information [was or] is reasonably likely to have been subject to unauthorized access or use." The amendments require a covered institution to provide notice as soon as practicable, but not later than 30 days, after becoming aware that an incident involving "unauthorized access to, or use of customer information has occurred or is reasonably likely to have occurred." The SEC said such a notice must include details about the incident, the breached data and how affected individuals can respond to the breach to protect themselves.
The final rule will become effective 60 days after publication in the Federal Register. (The SEC stated that larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.)