Governance, Risk and Compliance, Security Strategy, Plan, Budget, Government Regulations

Financial companies must have data breach incident plans, SEC says

A digital warning sign with "SYSTEM HACKED" in bright red, overlaying a complex background of computer code and digital interfaces, with a deep blue and black color scheme, creating a sense of urgency and alarm.

The Securities and Exchange Commission announced amendments to a 24-year regulation that will require certain financial firms, including broker-dealers, funding portals, registered investment advisers, transfer agents, and investment companies, to create well-defined response plans for data breach incidents, reports The Record, a news site by cybersecurity firm Recorded Future.

Click for more special coverage

Under the revised rules, institutions will be mandated to “develop, implement, and maintain written policies and procedures” for identifying and addressing data breach incidents involving customer data. The rules will also require financial firms to have procedures in place for notifying customers whose sensitive information was leaked or accessed.

The notice must be delivered to victims no later than 30 days or as soon as possible after the discovery of the incident, and the notice must provide details about the data breach incident, what information was leaked and how victims can protect themselves.

The amendments are necessary because the “nature, scale, and impact of data breaches has transformed substantially” since the original regulations took effect more than 20 years ago, SEC Chair Gary Gensler said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.