The Securities and Exchange Commission (SEC) has announced new data-breach reporting regulations for financial firms, requiring the establishment of clear response and communication plans for customer data breaches. These regulations aim to update and enhance the rules governing how specific financial institutions treat nonpublic personal information, with a focus on addressing technological advancements and associated risks. Entities like broker-dealers, investment companies, investment advisers, and transfer agents are mandated to develop incident response programs to respond to unauthorized access to customer information, including notifying affected individuals within 30 days of a breach.

SEC introduces new incident response rules for financial sector

The updates to Regulation S-P, first adopted over 24 years ago, emphasize the evolving landscape of data breaches and aim to safeguard the privacy of customers' financial data. The amendments will have staggered compliance deadlines, with larger entities given 18 months and smaller entities 24 months to adhere to the new regulations after publication in the Federal Register.
https://www.darkreading.com/cyber-risk/sec-adds-new-incident-response-rules-for-financial-sector