The Securities and Exchange Commission (SEC) announced new rules on Thursday requiring specific financial institutions to establish clear plans for handling data breaches involving customer information. These rules amend previous regulations from 2000 and apply to broker-dealers, crowdfunding platforms like Kickstarter and GoFundMe, investment companies, registered investment advisers, and transfer agents.
Institutions must now “develop, implement, and maintain written policies and procedures” for detecting and addressing breaches involving customer information. Additionally, the amendments mandate that firms have procedures for notifying customers whose sensitive information has been accessed or leaked.
SEC Chair Gary Gensler emphasised the necessity of these amendments, stating that the “nature, scale, and impact of data breaches have transformed substantially” since the original regulation took effect over two decades ago. “The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify,” Gensler said. “That’s good for investors.”
Organizations covered by these rules must notify victims as soon as possible, and no later than 30 days after discovering an incident involving customer information. The notification must include details about the incident, the data leaked, and what victims can do to protect themselves.
The amendment will take effect two months after it is published in the Federal Register. Large companies will have 18 months to comply, while smaller entities will have two years. However, the SEC has not yet specified how it will distinguish between large and small entities.
This move comes as companies are adapting to new SEC regulations requiring public companies to report “material” incidents to the agency. Already, companies like Microsoft, Hewlett Packard, and Frontier have had to submit 8-K filings about cybersecurity incidents.
Earlier this month, Rep. Andrew Garbarino (R-NY) renewed efforts to rescind the SEC’s incident reporting rule. Garbarino has argued that the SEC is not equipped to handle cybersecurity issues and that these reports could expose companies to further attacks. The White House has stated it will veto any legislative attempt to overturn the SEC rule.
Cybersecurity experts have praised the SEC for these new amendments. Many believe that years of voluntary cybersecurity guidelines have led to a lax attitude towards cyberattacks and breaches. Bugcrowd CEO Dave Gerry commented, “The SEC continuing to modernize their policies and requirements to bring cybersecurity requirements is a major step towards protecting consumer data. Providing timely notification allows consumers to take the steps necessary to protect their financial and personal data before it can be further exploited.”
Zendata CEO Narayana Pappu added that the SEC is clearly enhancing its efforts to protect consumer information. He noted that this announcement, along with the cybersecurity disclosure requirements for Chief Information Security Officers (CISOs) that began in January, puts a greater focus on proactive monitoring and reporting, areas that have been lacking in the past.
These changes reflect the SEC’s commitment to improving cybersecurity measures and ensuring that consumers are promptly informed about breaches that could affect their personal information.