The Securities and Exchange Commission (SEC) has recently announced amendments to Regulation S-P, a rule that was first adopted in 2000, in order to address the evolving landscape of data breaches. The new amendments specifically target broker-dealers, funding portals, investment companies, registered investment advisers, and transfer agents, requiring them to develop comprehensive plans for detecting and responding to data breaches involving customers’ financial information.
SEC Chair Gary Gensler emphasized the importance of updating the rule to protect the privacy of customers’ financial data in light of the significant changes in the nature, scale, and impact of data breaches over the past two decades. The key requirement for covered institutions under the new rules is to establish written policies and procedures tailored to identifying and mitigating breaches affecting customer data. This includes protocols for promptly notifying affected customers in the event of a breach to ensure transparency and facilitate swift remedial actions.
Furthermore, the amendments outline that organizations subject to the regulations must notify affected individuals within 30 days of discovering a data breach, providing comprehensive details about the incident, the compromised data, and actionable steps affected parties can take to safeguard their information. The amendments take effect two months after publication in the Federal Register; larger entities then have an 18-month grace period to comply, and smaller organizations have a two-year window to achieve compliance.
The introduction of these amendments coincides with the implementation of new incident reporting regulations for public companies, which require timely disclosure of “material” cybersecurity incidents to the SEC. This heightened focus on cybersecurity disclosures is driven by concerns about informed trading in response to breach information, a grey area in terms of market activity and legal implications.
Despite the SEC’s efforts to strengthen cybersecurity disclosures, there has been pushback from various quarters, including Congressman Andrew Garbarino, who introduced a joint resolution with Senator Thom Tillis to disapprove of the SEC’s new rules. Garbarino argued that the SEC’s rule was an overreach and duplicated efforts already undertaken by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Senator Tillis echoed these sentiments, accusing the SEC of overregulating firms and creating unnecessary reporting requirements that could increase cybersecurity risks.
Businesses and industry leaders have expressed intense opposition to the new rules, citing concerns about regulatory burdens and potential negative impacts on market participants. However, the White House has signaled its commitment to upholding the regulatory framework, underscoring the importance of robust data breach response mechanisms in the financial sector.
In conclusion, the SEC’s amendments to Regulation S-P represent a significant effort to enhance data breach response mechanisms and protect customers’ financial information. While there is ongoing debate and opposition to the new rules, the broader goal of safeguarding sensitive data and maintaining transparency in the financial industry remains a key priority for regulatory authorities.