The Securities and Exchange Commission today released three proposed amendments to existing cybersecurity-related rules, including new customer notification requirements for data breaches. First, the SEC proposed to amend Regulation S-P to require brokers and dealers, investment companies and investment advisers registered with the agency to adopt written policies and procedures for incident response programs to address unauthorized access or use of customer information, including procedures for providing timely notification to certain affected individuals.
Second, the SEC proposed a new rule to require certain registrants under the Exchange Act to address cybersecurity risks through policies and procedures, notification and reporting to the commission, public disclosure and record retention. Third, the SEC proposed amendments to Regulation Systems Compliance and Integrity to expand the scope of entities subject to the regulation and to update certain provisions.
The SEC also announced that it would reopen the comment period by an additional 60 days for last year’s proposal for cybersecurity risk management, strategy, governance and incident notification by public companies. Last year, the American Bankers Association and other associations raised concerns about the proposal in a joint letter to the SEC. While they supported the overall policy goals, they said the rules insufficiently took into account other goals, including ensuring the cybersecurity of registrants; protecting the safety and soundness of financial institutions; and identifying and bringing to justice the perpetrators of serious cybercrimes.