New SEC requirements give institutions 30 days to disclose security incidents

The Securities and Exchange Commission (SEC) will require some financial institutions to disclose security breaches within 30 days of becoming aware of them.

On Wednesday, the SEC adopted changes to Regulation SP, which regulates the processing of consumers’ personal information. Under the amendments, institutions must notify individuals whose personal information was compromised “as soon as possible, but no later than 30 days” after learning of unauthorized network access or use of customer data. The new requirements will be binding on stockbrokers (including funding portals), investment firms, registered investment advisors and transfer agents.

“Over the past 24 years, the nature, scale and impact of data breaches have been substantially transformed,” said SEC Chairman Gary Gensler. “These amendments to Regulation SP will make critical updates to a rule first adopted in 2000 and will help protect the privacy of customers’ financial data. The basic idea for covered businesses is that if they have a breach, they must notify. It’s good for investors.”

Notifications should detail the incident, what information was compromised, and how those affected can protect themselves. In what appears to be a loophole in the requirements, covered institutions do not have to issue notices if they establish that personal information has not been used in a way that causes “substantial harm or inconvenience” or is not likely to do so.

The amendments will require covered institutions to “develop, implement, and maintain written policies and procedures” that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” The amendments also:

• Expand and align protection and deletion rules to cover both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from another financial institution about that financial institution’s customers;
• Require covered institutions, other than funding portals, to develop and maintain written records documenting compliance with the requirements of the Safeguards Rule and the Disposition Rule;
• Adjust the annual privacy notice delivery provisions of Regulation SP to the terms of an exception added by the FAST Act, which provides that covered institutions are not required to deliver an annual privacy notice if certain conditions are met; and
• Extend both the safeguards rule and the disposition rule to transfer agents registered with the Commission or other appropriate regulatory agency.

The requirements also expand the scope of covered nonpublic personal information beyond what the company itself collects: the new rules cover personal information that the company has received from another financial institution as well.

SEC Commissioner Hester M. Peirce expressed concern that the new requirements may go too far.

“Today’s modernization of Regulation SP will help covered institutions appropriately prioritize the protection of customer information,” Peirce wrote in a statement (https://www.sec.gov/news/statement/peirce-statement-reg-sp-051624). “Customers will be notified immediately when their information has been compromised so they can take steps to protect themselves, such as changing passwords or keeping a closer eye on their credit scores. My reservations stem from the breadth of the rule and the likelihood that it will generate more consumer notices than are useful.”

Regulation SP had not been substantially updated since its adoption in 2000.

Last year, the SEC adopted new regulations requiring publicly traded companies to disclose security breaches that materially affect, or are reasonably likely to materially affect, their business, strategy or financial results or condition.

The amendments take effect 60 days after their publication in the Federal Register, the official journal of the federal government that publishes regulations, notices, orders and other documents. Larger organizations will have 18 months to comply after the amendments are published. Smaller organizations will have 24 months.

Public comments on the amendments are available here.
