The Securities and Exchange Commission today adopted amendments to Regulation S-P to require brokers and dealers, investment companies and investment advisers registered with the agency to adopt written policies and procedures for cyber incidents, including data breaches. The amendments also require those response programs to include procedures to notify individuals whose sensitive customer information may have been accessed or used without authorization.
The amendments require covered institutions to provide notice as soon as practicable, but not later than 30 days, after becoming aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, the SEC said in a statement. The notice must include details about the incident, the data that was breached and how affected individuals can respond to the breach to protect themselves. The amendments will take effect 60 days after publication in the Federal Register, with larger entities having 18 months to comply and smaller entities having 24 months to comply.
The American Bankers Association and other associations last year made several recommendations for improving the amendments. The SEC adopted some of the recommendations, including a more appropriate timeline for complying with the requirements given the time it takes for banks to renegotiate contracts with third-party providers, the expansion of a delay in customer notification when that notice poses a substantial risk to national security or public safety, and alignment with a 72-hour notification mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022.