New federal regulations have created stricter deadlines for some financial institutions (FIs) to report security breaches.
The Securities and Exchange Commission (SEC) adopted changes last week that require institutions to notify people whose data has been compromised “as soon as practicable and no later than 30 days” after learning of a data breach.
The SEC's new amendments to Regulation SP apply to broker-dealers, investment companies, registered investment advisers, and transfer agents, including funding portals, the commission said.
“Over the past 24 years, the nature, scale and impact of a data breach has changed significantly,” SEC Chairman Gary Gensler said in a news release.
“These amendments to Regulation SP make important updates to the rules first adopted in 2000 and help protect the privacy of customers' financial data. That means you need to be notified if there is. That's good for investors.”
According to the SEC, financial institutions' notices must include details about the compromised information and the steps affected consumers can take to protect themselves.
The amendments also expand the scope of nonpublic personal information covered beyond what companies collect themselves. The new rules also cover personal information a company receives from other financial institutions.
The new rules were noted in a report this weekend from Ars Technica, which also included comments from SEC Commissioner Hester M. Peirce, who suggested that there may be too many rules.
“I have reservations because of the broad scope of this rule and the potential for a lot of consumer notification that is not helpful,” she said.
The Ars Technica report also points out that the requirements contain an obvious loophole: financial institutions do not have to issue a notice if they can demonstrate that personal information has not been, or is unlikely to be, used in a way that results in “substantial harm or inconvenience.”
As Gensler noted, the changes at the SEC come as companies grapple with the growing threat of cyberattacks. A recent report found that 90% of companies say their cyber risks have increased in the last year.
This follows a wave of recent cybersecurity incidents, including last summer's breach of MGM Resorts' hotel and casino systems and the February attack on UnitedHealth Group's Change Healthcare business, which disrupted part of the American medical system.
These incidents, along with a recent data breach at Dell, shine a spotlight on the cost of lax cybersecurity standards, PYMNTS wrote earlier this month.
“To alleviate that cyber attack risk, companies need to develop robust cybersecurity frameworks that focus not only on modern technological defenses, but also on the human factor,” the report states. “Regular training programs, strict security protocols, and a culture of vigilance among employees can strengthen an organization's ability to defend against cyber threats.”