The Securities and Exchange Commission announced new rules on Thursday requiring certain kinds of financial institutions to have well-defined plans for what to do when a data breach involving customer information occurs.
The rules, adopted as amendments to Regulation S-P (the SEC's 2000 privacy regulation for financial institutions), apply to broker-dealers, funding portals (the registered intermediaries for securities crowdfunding), investment companies, registered investment advisers, and transfer agents.
The amendments also add rules mandating firms have procedures in place for providing notice to customers who had sensitive information accessed or leaked.
Covered organizations must notify affected individuals as soon as practicable, and no later than 30 days after becoming aware of an incident involving unauthorized access to or use of customer information.
The notice must include details about the incident, the data leaked and what victims can do to protect themselves.
The amendments take effect 60 days after publication in the Federal Register, but larger entities will have 18 months from publication to comply, while smaller entities will have two years.
The SEC did not say how it is distinguishing between large and small entities.
Under the SEC's separate cybersecurity incident disclosure rule for public companies, adopted in 2023, several large companies, including Microsoft, Hewlett Packard Enterprise and Frontier, have already had to file Form 8-K reports about cybersecurity incidents.
Earlier this month, Rep. Andrew Garbarino revived an effort to rescind the SEC incident reporting rule.
Garbarino has repeatedly argued in hearings and in speeches that the SEC is ill-equipped to handle issues around cybersecurity and that the incident reports expose victimized companies to further attacks.
The White House has said it will veto any legislative attempt to rescind the SEC rule.
Cybersecurity experts lauded the SEC for the amendments unveiled on Thursday, with several arguing that years of voluntary cybersecurity guidance have contributed to the lackadaisical attitude many organizations still take toward cyberattacks and breaches.
Zendata CEO Narayana Pappu said the SEC is clearly doubling down to enhance cybersecurity and consumer information protection.
This latest announcement, along with the cyber disclosure requirements for CISOs that went into effect in January, puts an increased emphasis on proactive monitoring and reporting, which to date has for the most part been lacking, Pappu said.
Published on therecord.media, Fri, 17 May 2024 00:44:05 +0000.