The Securities and Exchange Commission (SEC) has issued new rules that direct certain types of financial institutions to have specific, written plans for how to handle cyber breaches involving customer information.
The requirements, which aim to modernize and enhance reporting regulations first adopted in 2000 as Regulation S-P, apply to broker-dealers (including funding portals such as Kickstarter, Indiegogo and Fundable), investment companies, registered investment advisers and transfer agents.
Regulation S-P is the primary regulation governing the privacy and confidentiality of consumer financial information for SEC registrants. The updates are meant to address changes in technology and risks that have emerged since the Commission’s prior regulations.
What the New Regulations Require
Revisions to Regulation S-P require covered institutions to:
- Develop, implement and maintain written incident response policies and procedures designed to detect, respond to and recover from a breach of customer information.
- Include in an incident response plan procedures for notifying individuals whose sensitive customer information was or is likely to have been exploited.
- Provide notice no later than 30 days after becoming aware that a breach or use of customer information has occurred or is reasonably likely to have occurred.
- Include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves.
“Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially,” said SEC Chairman Gary Gensler in a statement. "The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
The amendments will become effective 60 days after publication in the Federal Register. Larger entities have 18 months to comply with the amendments while smaller entities will have 24 months to meet the requirements. The SEC did not clarify the difference between the two entity types.
Rick Borden, a partner in the law firm Frankfurt Kurnit Klein & Selz, said that the updates further signal the SEC’s intention to draw a hard line on cyber breach reporting and notification.
“The amended Regulation S-P imposes significant obligations on SEC-regulated financial institutions to strengthen their cybersecurity and incident response practices,” Borden said. “The 30-day notification time frame is faster than state notification requirements. Often, the investigation of the incident is not yet completed. This will strain the financial institutions and the incident response teams. Additionally, a number of the required procedures are often in place, but not written.”
The Regulation S-P amendments come five months after the SEC’s new cyber incident reporting rules went into effect on December 18, 2023.
Those rules require registrants to report a security incident in an 8-K document within four business days and also disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance to better inform investors.
To date, a number of notable tech companies have posted 8-K filings regarding cyber breaches, including Dropbox, Microsoft and Hewlett-Packard Enterprise. The most impactful of the non-tech 8-K filings are from UnitedHealth Group and Frontier Communications.
