Representing financial professionals, financial institutions and investors in investment loss, employment and disclosure matters, and in regulatory investigations nationwide.

SEC adopts rule amendments for notifying investors regarding data breaches

On Behalf of | May 28, 2024 | Securities and Compliance

Rule amendments designed to strengthen the protection of customer information and expand disclosure of data breaches have been adopted by the Securities and Exchange Commission, ThinkAdvisor reports.

The SEC announced that it is updating Regulation S-P to modernize the rules governing the treatment of consumers’ nonpublic personal information by certain financial institutions. The amendments will apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.  The action is being taken to address the expanded use of technology and corresponding risks that have emerged since the original adoption of Regulation S-P in 2000.

Under the amendments, the covered institutions will have to implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.

The response program will have to include procedures for firms to provide notice to customers whose sensitive information was accessed or used without authorization.  This notice would have to be provided no later than 30 days after institutions become aware of incidents involving unauthorized access to or use of customer information. The notice must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”

The amendments will become effective 60 days after publication in the Federal Register.

The attorneys at Lewitas Hyman include former senior attorneys at the SEC whose legal experience and industry knowledge make them uniquely qualified to provide counsel on securities regulatory, compliance and enforcement matters. If your firm is facing an investigation from a regulatory agency, please contact Lewitas Hyman at (888) 655-6002 or through our online contact form.