The Securities and Exchange Commission has adopted amendments to Regulation S-P that require certain financial institutions to disclose data breach incidents to impacted individuals within 30 days of discovery.
Regulation S-P was introduced in 2000 and controls how some financial entities must treat nonpublic personal information belonging to consumers.
These rules require covered entities to develop and implement data protection policies, to provide confidentiality and security assurances, and to protect against anticipated threats.
The new amendments adopted earlier this week impact financial firms, such as broker-dealers, investment firms, registered investment advisers, and transfer agents.
The modifications were initially proposed in March of last year to modernize and improve the protection of individual financial information from data breaches and exposure to non-affiliated parties.
Key changes introduced by the amendments:

- Notify affected individuals within 30 days if their sensitive information is, or is likely to be, accessed or used without authorization, detailing the incident, the data breached, and the protective measures taken. An exemption applies if the information is not expected to cause substantial harm or inconvenience to the exposed individuals.
- Develop, implement, and maintain written policies and procedures for an incident response program to detect, respond to, and recover from unauthorized access to or use of customer information. This should include procedures to assess and contain security incidents, enforce policies, and oversee service providers.
- Expand the safeguards and disposal rules to cover all nonpublic personal information, including information received from other financial institutions.
- Require documentation of compliance with the safeguards and disposal rules, excluding funding portals.
- Extend the safeguards and disposal rules to transfer agents registered with the SEC or other regulatory agencies.
The modifications represent an important update to a rule initially adopted in 2000 that could no longer adequately protect customers' financial data privacy in today's cybersecurity landscape.
The amendments take effect 60 days after publication in the Federal Register, the official journal of the U.S. federal government, which publishes agency rules, proposed rules, and public notices.
In December, the SEC also introduced new rules requiring all public companies to disclose that they suffered a breach if it materially affected or is reasonably likely to materially affect business strategy, results of operations, or financial condition.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 18 May 2024 08:05:06 +0000