SEC to require financial firms to have data breach incident plans

The Securities and Exchange Commission (SEC) announced new rules on Thursday requiring certain kinds of financial institutions to have well-defined plans for what to do when a data breach involving customer information occurs. 

The rules — pushed through as an amendment to previous regulations from 2000 — apply to broker-dealers, funding portals like Kickstarter or GoFundMe, investment companies, registered investment advisers, and transfer agents.

Institutions will have to “develop, implement, and maintain written policies and procedures” for detecting and addressing a breach involving customer information. 

The amendments also add rules mandating firms have procedures in place for providing notice to customers who had sensitive information accessed or leaked. 

SEC Chair Gary Gensler said in a statement that the amendments are needed since the “nature, scale, and impact of data breaches has transformed substantially” in the more than two decades since the original regulation went into effect.

“The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify,” Gensler said. “That’s good for investors.”

Covered organizations have to provide notice to victims as soon as possible and no later than 30 days after becoming aware of an incident involving the leak of customer information. 

The notice must include details about the incident, the data leaked and what victims can do to protect themselves. 

The amendment will take effect two months after the rule is published in the Federal Register, but large companies will have 18 months to comply, while smaller entities will have two years. The SEC did not say how it is distinguishing between large and small entities.

The new amendments come right as companies are easing into new incident reporting regulations from the SEC that force public companies to notify the agency of “material” incidents. Several large companies — including Microsoft, Hewlett Packard, Frontier and others — have already had to submit 8-K filings about cybersecurity incidents. 

Earlier this month, Rep. Andrew Garbarino (R-NY) revived an effort to rescind the SEC incident reporting rule. Garbarino has repeatedly argued in hearings and in speeches that the SEC is ill-equipped to handle issues around cybersecurity and that the incident reports expose victimized companies to further attacks. The White House has said it will veto any legislative attempt to rescind the SEC rule. 

Cybersecurity experts lauded the SEC for the amendment unveiled on Thursday, with several arguing that the years of voluntary cybersecurity rules have contributed to the current lackadaisical attitude many organizations have when it comes to cyberattacks and breaches.  

“The SEC continuing to modernize their policies and requirements to bring cybersecurity requirements is a major step towards protecting consumer data. Providing timely notification allows consumers to take the steps necessary to protect their financial and personal data before it can be further exploited,” said Bugcrowd CEO Dave Gerry.

Zendata CEO Narayana Pappu added that the SEC is clearly doubling down to enhance cybersecurity and consumer information protection.

This latest announcement, along with the cyber disclosure requirements for CISOs that went into effect in January, puts an increased emphasis on proactive monitoring and reporting, which to date has for the most part been lacking, Pappu said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.