The Securities and Exchange Commission announced amendments to a 24-year regulation that will require certain financial firms, including broker-dealers, funding portals, registered investment advisers, transfer agents, and investment companies, to create well-defined response plans for data breach incidents, reports The Record, a news site by cybersecurity firm Recorded Future.
Under the revised rules, institutions will be mandated to “develop, implement, and maintain written policies and procedures” for identifying and addressing data breach incidents involving customer data. The rules will also require financial firms to have procedures in place for notifying customers whose sensitive information was leaked or accessed.
The notice must be delivered to affected customers as soon as possible, and no later than 30 days after the discovery of the incident; it must describe the data breach incident, what information was leaked, and how victims can protect themselves.
The amendments are necessary because the “nature, scale, and impact of data breaches has transformed substantially” since the original regulations took effect more than 20 years ago, SEC Chair Gary Gensler said.