
The Securities and Exchange Commission (SEC) will require some financial institutions to disclose security breaches within 30 days of learning about them.
On Wednesday, the SEC adopted changes to Regulation S-P, which governs the treatment of the personal information of consumers. Under the amendments, institutions must notify individuals whose personal information was compromised “as soon as practicable, but not later than 30 days” after learning of unauthorized network access or use of customer information. The new requirements will be binding on broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.
“Over the last 24 years, the nature, scale, and impact of breaches has transformed substantially,” SEC Chair Gary Gensler said. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
Notifications must detail the incident, what information was compromised, and how those affected can protect themselves. In what appears to be a loophole in the requirements, covered institutions don’t have to issue notices if they establish that the personal information has not been used in a way to result in “substantial harm or inconvenience” or isn’t likely to.
The amendments will require covered institutions to “develop, implement, and maintain written policies and procedures” that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” The amendments also:
• Expand and align the safeguards and disposal rules to cover both nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from another financial institution about customers of that financial institution;
• Require covered institutions, other than funding portals, to make and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule;
• Conform Regulation S-P’s annual privacy notice delivery provisions to the terms of an exception added by the FAST Act, which provide that covered institutions are not required to deliver an annual privacy notice if certain conditions are met; and
• Extend both the safeguards rule and the disposal rule to transfer agents registered with the Commission or another appropriate regulatory agency.
The requirements also broaden the scope of nonpublic personal information covered beyond what the firm itself collects. The new rules will also cover personal information the firm has received from another financial institution.
SEC Commissioner Hester M. Peirce voiced concern that the new requirements may go too far.
“Today’s Regulation S-P modernization will help covered institutions appropriately prioritize safeguarding customer information,” she wrote (https://www.sec.gov/news/statement/peirce-statement-reg-s-p-051624). “Customers will be notified promptly when their information has been compromised so they can take steps to protect themselves, like changing passwords or keeping a closer eye on credit scores. My reservations stem from the breadth of the rule and the likelihood that it will spawn more consumer notices than are helpful.”
Regulation S-P hadn’t been substantially updated since its adoption in 2000.
Last year, the SEC adopted new regulations requiring publicly traded companies to disclose security breaches that materially affect or are reasonably likely to materially affect business, strategy, or financial results or conditions.
The amendments take effect 60 days after publication in the Federal Register, the official journal of the federal government that publishes regulations, notices, orders, and other documents. Larger organizations will have 18 months to comply after modifications are published. Smaller organizations will have 24 months.
Public comments on the amendments are available here.



