New rules from the SEC, 30-day data breach notification, Shadow AI on the rise
By John Bruggeman, virtual Chief Information Security Officer
New SEC rules, 30-day data breach notification
New rules from the Securities and Exchange Commission are coming in hot.
The SEC has adopted amendments to Regulation S-P that will require certain financial institutions to notify customers within 30 days if they have a data breach.
The organizations impacted by this amendment are:
· Broker-dealers (funding portals included).
· Investment firms.
· Registered investment advisers.
· Transfer agents.
Here are the updates:
1) Notify affected individuals within 30 days if their sensitive information is, or is likely to be, accessed or used without authorization; detail the incident, breached data, and protective measures taken. Exemption applies if the information is not expected to cause substantial harm or inconvenience to the exposed individuals.
2) Develop, implement, and maintain written policies and procedures for an incident response program to detect, respond to, and recover from unauthorized access or use of customer information. This should include procedures to assess and contain security incidents, enforce policies, and oversee service providers.
3) Expand safeguards and disposal rules to cover all nonpublic personal information, including that received from other financial institutions.
4) Require documentation of compliance with safeguards and disposal rules, excluding funding portals.
6) Align annual privacy notice delivery with the FAST Act, with exemptions under certain conditions.
6) Extend safeguards and disposal rules to transfer agents registered with the SEC or other regulatory agencies.
What to do
Do you know how secure your network is? Have you had a security assessment recently? Do you know if you are able to comply with these new SEC regulations?
If you don’t know, we can help. CBTS has security consultants who can help you improve your enterprise security. We have a zero-trust readiness assessment that can find the gaps in your security posture that we can then help address to improve your environment.
Read this article I wrote for Forbes on digital transformation.
Shadow AI on the rise
This short article from SC Magazine discusses the doubling of sensitive corporate data being input into Shadow AI.
I have talked about this before, about people who want the ease of use of AI but don't know the risks.
This report quantifies what I—and many, many others—knew would happen if organizations did not quickly adopt AI policies and procedures so that employees can use AI safely.
Here is a quote from the article that should get your attention.
"Of the data submitted to chatbots by employees, 27.4% was sensitive data compared with 10.7% last year—a 156% rate increase. The most common type of sensitive data submitted was customer support data, which made up 16.3% of the offending inputs."
What to do?
Do you know where AI has been deployed or used in your environment? Do you have a policy on AI and how it can be used at your company?
CBTS has cybersecurity consultants who can help define your AI security policy and help you implement security controls.
Here is a blog I wrote about my conversations with AI specialists at IBM.
About the author
John Bruggeman is a veteran technologist, CTO, and CISO with nearly 30 years of experience building and running enterprise IT and shepherding information security programs toward maturity. He helps companies, boards, and C-level committees improve and develop their cybersecurity programs, create risk registers, and implement compliance controls using industry-standard frameworks like CIS, NIST, and ISO.
Sr. Business Development Executive at VKAPS IT Solutions Pvt. Ltd.
1 month
The advancements in AI are accelerating at a remarkable pace. This post perfectly captures the direction we’re heading. Exciting times ahead!
Marketing and communications leader who is dedicated to elevating enterprise brand status, lead generation, sales engagement, and effective corporate communications.
3 months
How is shadow AI spreading through your company?
This should be mandatory for all companies.
Commercial and Technology Counsel
3 months
Thanks John for the update!