SEC Adds New Incident Response Rules for Financial Sector

Financial firms covered under new regulations will be required to establish a clear response and communications plan for customer data breaches.

Dark Reading Staff, Dark Reading

May 17, 2024

[Image: SEC website homepage. Source: Louisa Svensson via Alamy Stock Photo]

The Securities and Exchange Commission (SEC) announced it will adopt new data-breach reporting regulations for some financial firms.

These new requirements serve to "modernize and enhance the rules that govern the treatment of consumers' nonpublic personal information by certain financial institutions," according to the SEC.

The amendments add several new requirements to Regulation S-P, which the commission first adopted more than 24 years ago:

  1. Broker-dealers, investment companies, registered investment advisers, and transfer agents must address the growing use of technology and the risks it poses.

  2. Institutions must develop, implement, and maintain policies for an incident response program that can respond to and recover from unauthorized access to customer information.

  3. The incident response program must require institutions to notify individuals whose sensitive information was compromised.

  4. Covered institutions must give notice of a breach as soon as possible, and no later than 30 days, when customer information has been accessed by an unauthorized user. The notice must describe the incident, the kind of data that was breached, and how affected customers can best protect themselves.

"Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially," said Gary Gensler, SEC chair. "These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers' financial data."

The amendments will go into effect 60 days after publication in the Federal Register, the SEC said. Once published, larger entities will have 18 months to comply with the amendments, whereas smaller entities will have 24 months.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
