The SEC is sharpening its focus on cybersecurity breaches at broker-dealers and RIAs, among other financial institutions, with an update to a 24-year-old rule.
In a move to modernize regulation around how certain institutions handle customers’ nonpublic personal information, the federal agency announced Thursday that it has adopted critical amendments to Regulation S-P.
This move is intended to address the growing risks associated with technological advancements since the rule’s initial adoption in 2000. Under the amendments, broker-dealers, investment companies, registered investment advisers, and transfer agents will have to meet new requirements to safeguard customer data.
“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” SEC Chair Gary Gensler said in a statement. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data.”
Among the updates to Regulation S-P, covered institutions are mandated to establish written policies and procedures for an incident response program. This program must include measures to detect, respond to, and recover from unauthorized access to or use of customer information.
With certain limited exceptions, the new rules also require firms to notify affected individuals, or those reasonably likely to have been affected, as soon as practicable, but no later than 30 days after the institution becomes aware of a breach.
In providing notice to impacted customers, institutions must detail the incident, the compromised data, and steps individuals can take to protect themselves, the SEC said.
“The basic idea for covered firms is if you’ve got a breach,
Read more on investmentnews.com