Financial institutions have 30 days to disclose breaches under new rules

🌈 Abstract

The article discusses new SEC regulations that will require some financial institutions to disclose security breaches within 30 days of learning about them. The key points are:

  • The SEC has adopted changes to Regulation S-P, which governs the treatment of personal information of consumers.
  • Under the new amendments, institutions must notify individuals whose personal information was compromised "as soon as practicable, but not later than 30 days" after learning of unauthorized network access or use of customer data.
  • The new requirements will apply to broker-dealers, investment companies, registered investment advisers, and transfer agents.
  • Covered institutions must also develop, implement, and maintain written policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information.
  • There are exceptions: an institution need not issue notices if it establishes that the personal information has not been used, and is not reasonably likely to be used, in a way that would result in "substantial harm or inconvenience."
  • The amendments aim to modernize regulations that had not been substantially updated since 2000.

🙋 Q&A

[01] Overview of the new SEC regulations

1. What are the key changes to Regulation S-P that the SEC has adopted?

  • The SEC has adopted amendments to Regulation S-P that require financial institutions to disclose security breaches within 30 days of learning about them.
  • The new requirements apply to broker-dealers, investment companies, registered investment advisers, and transfer agents.
  • Covered institutions must develop, implement, and maintain written policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information.
  • There are exceptions: an institution need not issue notices if it establishes that the personal information has not been used, and is not reasonably likely to be used, in a way that would result in "substantial harm or inconvenience."

2. What is the rationale behind these new regulations?

  • The SEC Chair stated that the amendments are intended to "help protect the privacy of customers' financial data" and that "if you've got a breach, then you've got to notify. That's good for investors."
  • The regulations aim to modernize rules that had not been substantially updated since 2000, as "the nature, scale, and impact of data breaches has transformed substantially" over the past 24 years.

3. What are the key compliance requirements for the covered institutions?

  • Covered institutions must notify individuals whose personal information was compromised "as soon as practicable, but not later than 30 days" after learning of unauthorized network access or use of customer data.
  • Covered institutions must develop, implement, and maintain written policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information.
  • Covered institutions, other than funding portals, must make and maintain written records documenting compliance with the requirements of the safeguards rule and disposal rule.

[02] Concerns and Criticisms

1. What are the concerns raised by SEC Commissioner Hester M. Peirce?

  • Commissioner Peirce voiced concern that the new requirements may go too far, stating that her "reservations stem from the breadth of the rule and the likelihood that it will spawn more consumer notices than are helpful."
  • She believes the new regulations will "help covered institutions appropriately prioritize safeguarding customer information" and that "customers will be notified promptly when their information has been compromised so they can take steps to protect themselves," but she is concerned about the potential for excessive consumer notifications.

2. What is the timeline for implementation of the new regulations?

  • The amendments will take effect 60 days after publication in the Federal Register.
  • Larger organizations will have 18 months to comply after the modifications are published, while smaller organizations will have 24 months.