RIAs, BDs Must Tell Clients About Data Breaches: SEC

News May 17, 2024 at 01:09 PM


The Securities and Exchange Commission has updated its rules governing how financial institutions handle consumers' nonpublic personal information, adopting amendments requiring firms to notify investors after data breaches.

The SEC announced Thursday that it modernized and enhanced Regulation S-P, which requires certain firms to notify customers about how the institutions use their nonpublic personal information.

The new amendments update the rules' requirements for broker-dealers, investment companies, registered investment advisers, transfer agents and others, addressing the expanded use of technology and the corresponding risks that have emerged since the SEC adopted Regulation S-P in 2000.

"Over the last 24 years, the nature, scale, and impact of data breaches have transformed substantially," SEC Chair Gary Gensler said.

"These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers' financial data. The basic idea for covered firms is if you've got a breach, then you've got to notify. That's good for investors."

The amendments require covered institutions to develop, implement and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information.

They also stipulate that these response programs provide notice to individuals whose sensitive customer information was or was reasonably likely to have been accessed or used without authorization.

The amendments require a covered institution to provide notice as soon as practicable, but no later than 30 days, after becoming aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notice must include details about the incident, the data that was breached and how affected individuals can respond to protect themselves.

The amendments will become effective 60 days after publication in the Federal Register. Larger institutions will have 18 months after the publication date to comply with the amendments, while smaller entities will have 24 months.



© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
