SEC beefs up rules to protect consumers whose data is breached

The US Securities and Exchange Commission (SEC) announced Thursday it is amending a more than two-decade-old rule to modernize and enhance how certain financial institutions treat the personal data of consumers.

The SEC’s Regulation S-P, also known as the ‘safeguards rule,’ was originally passed by the Commission back in 2000.

It requires covered institutions, such as broker-dealers, investment companies, registered investment advisers, and transfer agents, to have official policies and procedures governing how they handle their customers’ personal information.

The SEC says the amendments address the “expanded use of technology and corresponding risks” that have emerged in the years since the rule was first adopted.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler.

“These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors,” Gensler said.

The newly written policies and procedures will have to include details on how to develop, implement, and maintain a proper incident response plan, the SEC said.

The plan would also have to set out the steps the firm will take to “detect, respond to, and recover from an unauthorized access to or use of customer information.”

Additionally, the response program would include set procedures for alerting customers in the event of such unauthorized access.

The ‘consumer notice’ would have to be sent “as soon as practicable, but not later than 30 days” after the firm discovers that a breach has occurred or is likely to have occurred.

The SEC states the notice of unauthorized access sent to consumers must include the following:

  • details about the incident,
  • details about the breached data,
  • how affected individuals can respond to the breach to protect themselves.

For most companies, the amended Regulation S-P takes effect 60 days after publication in the Federal Register. Larger institutions will have 18 months to incorporate the changes, while smaller entities will get 24 months.

The Federal Register is a daily record of new, proposed, and amended rules, notices, presidential documents, and executive orders for all federal agencies and organizations, and is maintained by the National Archives and Records Administration (NARA).

Last year, the SEC passed new rules to protect investors that require publicly traded companies to file a disclosure notice with the agency within four days of a cybersecurity event. That rule took effect in December 2023.