Coincidentally, the SEC adopted the updated cybersecurity rules on the same day that international brokerage and custodian Interactive Brokers reported a customer data breach.
The company submitted a sample letter to the Massachusetts Attorney General on May 16 as an example of one to send to the roughly 600 customers whose personal information was exposed in the January data breach, InvestmentNews and CityWire first reported.
The long-awaited rule changes announced by the SEC on May 16 are a revision of Regulation SP, first adopted in 2000. These rules required broker-dealers, investment companies and RIAs to adopt written policies and procedures to safeguard client records and information, as well as requiring disposal of consumer information, privacy policy notices and opt-out provisions.
The newly adopted amendments require financial institutions to document and maintain procedures for a cyber breach incident response program and to promptly notify affected customers. The program must outline procedures for assessing the scope of a breach and preventing further exposure. Customers must be notified of such an incident as soon as practicable after the firm becomes aware of the breach, and no later than 30 days after that point.
“The nature, scale and impact of data breaches have changed significantly over the past 24 years,” SEC Chairman Gary Gensler said in a statement. “This amendment to the SP rule provides important updates to rules first adopted in 2000 and helps protect the privacy of customers' financial data. The basic idea for covered companies is that they must notify you if there's a breach, which is a good thing for investors.”
Michael Kocanower, founder and CEO of Advisor Cyber, said these new regulations reflect the SEC's increased focus on cybersecurity. He said the situation has changed dramatically in the 24 years since the first Regulation SP went into effect.
“This will likely be the first of several dominoes to fall as the SEC focuses on cybersecurity and protecting investors from cybersecurity incidents at the companies they most trust to store and manage their savings and investments,” he said.
The notification requirement allows customers to take steps to protect themselves after a data breach. Kocanower said he believes the 30-day window is enough time to conduct an investigation and notify customers as required, though that doesn't make it easy.
“I don't think there's any way that a business, particularly a small business, would have the resources to do this on their own,” he said.
The new regulations require written response policies and customer reporting, but they don't mandate that companies purchase separate cyber insurance. Kocanower said proactively purchasing these policies in addition to E&O can be a vital safeguard in the event of a breach.
“These policies can typically be implemented in a very short period of time with the deployment of significant resources covering everything from technical mitigation measures, investigations, legal counsel, customer notification resources and even the provision of credit monitoring services,” he said.
The amendments will become effective 60 days after publication in the Federal Register. Larger entities will have 18 months from the publication date to comply, and smaller entities will have 24 months.