SEC strengthens requirements for response to data breaches

May 17, 2024

Amendments adopted Thursday by the SEC will require certain investment entities to develop an incident-response program for unauthorized use of customer information.

The changes to Regulation S-P call for broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents registered with the SEC to develop, implement, and maintain written policies and procedures designed to detect, respond to, and recover from customer data breaches.

"Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially," SEC Chair Gary Gensler said in a news release. "These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers' financial data. The basic idea for covered firms is if you've got a breach, then you've got to notify. That's good for investors."

The amendments require a covered institution to provide notice no later than 30 days after becoming aware of an incident. Larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments; smaller entities will have 24 months.

[Journal of Accountancy]