The SEC introduced new amendments to Regulation S-P for financial companies, including broker-dealers, investment companies, registered investment advisers, and transfer agents, necessitating greater customer disclosures in case of security incidents involving their personal information. While this rule change is not expected to significantly impact larger financial enterprises already compliant with such requirements, the new regulations mandate incident response programs but offer no specific guidance on their structure. Critics like attorney Mark Rasch argue that the rule's focus on personal information neglects other vital financial data like insider trading evidence, and the omission of third-party disclosure requirements poses security weakness risks
Concerns are also raised about potential 'notification fatigue' and the rule's alignment with various state and federal disclosure standards, emphasizing the need for harmonization to enhance overall system security. https://www.csoonline.com/article/2112440/sec-rule-for-finance-firms-boosts-disclosure-requirements.html