New SEC Rules Mandate 30-Day Disclosure for Financial Institutions' Data Breaches
The U.S. Securities and Exchange Commission (SEC) has introduced new regulations requiring certain financial institutions to disclose security breaches within 30 days of their discovery. These amendments to Regulation S-P, which addresses the handling of consumer personal information, are designed to enhance the protection of financial data.
The updated rules stipulate that institutions must notify individuals whose personal data has been compromised "as soon as practicable, but not later than 30 days" after identifying unauthorized access or misuse of customer information. This requirement applies to broker-dealers, investment companies, registered investment advisers, and transfer agents.
"Over the last 24 years, the nature, scale, and impact of data breaches have transformed substantially," said SEC Chair Gary Gensler. "These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors."
Notifications must include details about the incident, the compromised information, and steps individuals can take to protect themselves. However, there is a potential loophole: institutions are not required to issue notices if they can prove the compromised information is unlikely to cause "substantial harm or inconvenience."
The amendments also require financial institutions to develop, implement, and maintain written policies and procedures designed to detect, respond to, and recover from unauthorized access to customer information. Additional provisions include:
- Expanding and aligning the safeguards and disposal rules to cover nonpublic personal information collected by the institution and received from other financial institutions.
- Mandating written records documenting compliance with safeguards and disposal rules, except for funding portals.
- Adjusting annual privacy notice delivery provisions in line with the FAST Act, which eliminates the need for annual notices under certain conditions.
- Extending safeguards and disposal rules to transfer agents registered with the SEC or other regulatory agencies.
The amendments broaden the definition of covered nonpublic personal information to include data received from other financial institutions.
SEC Commissioner Hester M. Peirce expressed concerns about the breadth of the new requirements. "Today’s Regulation S-P modernization will help covered institutions appropriately prioritize safeguarding customer information," she wrote. "Customers will be notified promptly when their information has been compromised so they can take steps to protect themselves, like changing passwords or keeping a closer eye on credit scores. My reservations stem from the breadth of the rule and the likelihood that it will spawn more consumer notices than are helpful."
Regulation S-P had not seen substantial updates since its initial adoption in 2000. Last year, the SEC enacted regulations requiring publicly traded companies to disclose breaches that materially impact business operations or financial conditions.
The new rules will take effect 60 days after being published in the Federal Register. Larger organizations will have 18 months to comply, while smaller organizations will have 24 months.
#SEC #DataBreach #FinancialSecurity #CyberSecurity #PrivacyProtection #RegulationSP #DataPrivacy #FinancialInstitutions #DataProtection #ConsumerRights #TechRegulation