30 days to notify: SEC tightens control over data leaks

Father

New customer-information protection rules for financial institutions.

The U.S. Securities and Exchange Commission (SEC) has introduced new rules that require financial institutions to report data leaks within 30 days of their discovery.

On May 15, the SEC adopted amendments to Regulation S-P, which governs how financial institutions handle consumers' personal data. Institutions are now required to notify affected individuals "as soon as possible, but no later than 30 days" after identifying unauthorized access to their data. The requirements apply to investment companies, broker-dealers, registered investment advisers, and transfer agents.

"Over the past 24 years, the nature, scale and impact of data breaches have changed significantly," said SEC Chairman Gary Gensler. "These amendments will update the rules adopted in 2000 and help protect the privacy of customers' financial data."

Notifications must describe the incident, what data was compromised, and how affected individuals can protect themselves. One provision, however, allows an institution to skip notification if it determines that the personal information has not been used, and is not reasonably likely to be used, in a way that would cause "substantial harm or inconvenience."

The amendments require institutions to develop, implement, and maintain written policies and procedures for detecting, responding to, and recovering from unauthorized access to customer information. The amendments also:
  • Expand and align the data security and disposal policies so that they cover both information about the institution's own customers and information received from other financial institutions.
  • Oblige institutions, in addition to funding portals, to keep written records documenting compliance with the security and disposal rules.
  • Bring the annual privacy notice provisions into line with the exception added by the FAST Act, under which institutions need not deliver an annual notice if certain conditions are met.
  • Extend the data security and disposal rules to transfer agents registered with the SEC or another relevant regulatory authority.

The new requirements also cover personal information obtained from other financial institutions.

SEC Commissioner Hester Peirce expressed concern that the new requirements may be excessive. "Today's update of Regulation S-P will help institutions to properly prioritize the protection of customer information," the commissioner said.

"Customers will be notified in a timely manner if their data is compromised, so that they can take measures to protect themselves, such as changing passwords or monitoring their credit ratings more closely. However, I have concerns related to the breadth of the rules and the likelihood of an increase in the number of notifications that may be redundant," Peirce added.

Regulation S-P had not been updated since its adoption in 2000. Last year, the SEC passed separate rules requiring public companies to disclose data breaches that materially affect, or are reasonably likely to affect, their business, strategy, or financial results.

The amendments take effect 60 days after publication in the Federal Register. Larger organizations must comply with the new requirements 18 months after publication; smaller organizations have 24 months.