Financial Organizations Must Send Data Breach Notifications Within 30 Days: Urgent Compliance Update

The US Securities and Exchange Commission (SEC) has issued guidelines requiring financial organizations to report data breaches within 30 days. The rules aim to protect investors from cyber threats, ensuring they are informed of any potential risks. Failure to comply may result in enforcement actions by the SEC.

Did you know that the Securities and Exchange Commission (SEC) recently updated its rules on how financial institutions handle data breaches? If you’re interested in cybersecurity, this is huge news! The new amendments to Regulation S-P now require certain financial institutions to disclose data breach incidents to impacted individuals within 30 days of discovery. Pretty cool, right?

Regulation S-P: What’s changed?

Introduced in 2000, Regulation S-P governs how certain financial entities must handle nonpublic personal information belonging to consumers. This includes developing and implementing data protection policies, providing confidentiality and security assurances, and protecting against anticipated threats.

The new amendments adopted earlier this week impact financial firms, such as broker-dealers, investment firms, registered investment advisers, and transfer agents. These changes were proposed in March last year to modernize and improve the protection of individual financial information from data breaches and exposure to non-affiliated parties.

Key changes in the amendments include:

  • Notification within 30 days: Affected individuals must be notified within 30 days if their sensitive information is, or is likely to be, accessed or used without authorization. Details of the incident, breached data, and protective measures taken should be included. An exemption applies if the information isn’t expected to cause substantial harm or inconvenience to the exposed individuals.
  • Incident response program: Develop, implement, and maintain written policies and procedures for an incident response program to detect, respond to, and recover from unauthorized access or use of customer information. This should include procedures to assess and contain security incidents, enforce policies, and oversee service providers.
  • Expanded safeguards and disposal rules: Extend these rules to cover all nonpublic personal information, including that received from other financial institutions.
  • Documentation of compliance: Require documentation of compliance with safeguards and disposal rules, excluding funding portals.
  • Annual privacy notice delivery alignment: Align this with the FAST Act, exempting certain conditions.
  • Extension to transfer agents: Extend safeguards and disposal rules to transfer agents registered with the SEC or other regulatory agencies.

These modifications represent an important update to a rule that was first adopted in 2000 and can no longer adequately protect customers’ financial data privacy in today’s cybersecurity landscape.

Why is this important?

As SEC Chair Gary Gensler said, “Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially.” These amendments to Regulation S-P will help protect the privacy of customers’ financial data and ensure that financial institutions are held accountable for their cybersecurity practices.

These changes will take effect 60 days after publication in the Federal Register, the official journal of the U.S. federal government. Larger organizations have a compliance date of 18 months after the modifications are published in the Federal Register, while smaller entities have two years to comply.

In addition to these changes, the SEC also introduced new rules in December, requiring all public companies to disclose that they suffered a breach if it materially affected or is reasonably likely to materially affect their business strategy, results of operations, or financial condition.

Stay informed and protect your data

As cybersecurity threats continue to evolve, it’s essential to stay informed and take the necessary steps to protect your personal and financial information. We’re here to help you navigate the ever-changing world of cybersecurity. If you have any questions or concerns, please don’t hesitate to reach out to us. Together, we can ensure your data remains safe and secure. And remember, always come back for the latest news and updates on cybersecurity!
