Finra is calling on all its member firms to take heed and take action as new SEC rules that stiffen expectations around data breaches take effect.
In an announcement Thursday, the industry self-regulator highlighted the SEC’s recent amendments to Regulation S-P, aimed at modernizing and enhancing the protection of consumer financial information.
Announced in mid-May, the changes, which Finra says will impact all member firms, require covered institutions to adopt an incident response program and notify individuals if their sensitive customer information is accessed or used without authorization.
“These amendments apply to broker-dealers (including funding portals), investment companies, registered investment advisers and transfer agents (‘covered institutions’),” Finra said Thursday.
Under the retooled regulation, the SEC expects covered institutions to include an incident response program in their written policies, which should be reasonably designed to detect, respond to, and recover from unauthorized access to customer information.
Additionally, institutions are required to establish and enforce policies for oversight of service providers, including due diligence and monitoring processes.
The SEC also expects firms to notify affected individuals whose sensitive information was, or is likely to have been, accessed without authorization. Those notifications must be sent as soon as practicable, but no later than 30 days after discovering the incident, except in certain limited circumstances.
The amendments to Regulation S-P, which have been entered into the Federal Register, also expand the safeguards and disposal rules. Now, those rules cover nonpublic information collected about an institution’s own customers as well