SEC Proposes New Cyber Rules for RIAs, BDs

News March 15, 2023 at 12:13 PM
Share & Print

The Securities and Exchange Commission on Wednesday proposed new cybersecurity rules for broker-dealers, investment advisors and asset managers that require them to notify individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm.

"Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches," SEC Chair Gary Gensler said Wednesday during the open meeting.

"I think we should close this gap," he continued. "Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves."

Gensler said last May that the proposals were coming.

Wednesday's proposal, if adopted, would update the rule's requirements to address the expanded use of technology and corresponding risks since the Commission originally adopted Reg S-P in 2000, the agency said.

As the SEC explained, Reg S-P currently requires broker-dealers, investment companies and registered investment advisors to adopt written policies and procedures for the protection of customer records and information under the safeguards rule.

Reg S-P also requires the proper disposal of consumer report information, the SEC said.

The Commission's proposal would require these entities to adopt written policies and procedures "for an incident response program to address unauthorized access to or use of customer information," the SEC said.

The proposed amendments would also require, with certain limited exceptions, these covered institutions "to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization" not later than 30 days after the firm becomes aware of an incident.

The SEC also reopened the comment period on new rules requiring RIAs and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks, disclose information about cybersecurity risks and incidents, report information confidentially to the Commission about certain cybersecurity incidents, and maintain related records.

The initial comment period ended on April 11, 2022. The new comment period will remain open until 60 days after publication of the reopening release in the Federal Register.

(Photo: Diego M. Radzinschi/ALM)

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center