
US SEC Approves Wall Street Data Breach Reporting Regs

Covered Financial Institutions Have 30 Days to Notify Customers of Data Breaches
Broker-dealers and other investment firms will have 30 days to notify clients of data breaches under new U.S. regulations. (Image: Shutterstock)

U.S. federal regulators tightened data security regulations on Wall Street on Thursday, approving rules that require covered firms to notify clients within 30 days of detecting a data breach and to maintain a program for detecting and responding to intrusions.


The Securities and Exchange Commission unanimously voted to approve amendments to Regulation S-P - better known as the safeguards rule - which regulates how broker-dealers and investment advisers oversee and protect consumer data. The updated regulations require covered institutions to provide notice to customers if their information was compromised by an unauthorized user "as soon as practicable" but not later than 30 days after becoming aware of a cyber incident.

SEC Chair Gary Gensler said regulators haven't updated the safeguards rules since they took effect in 2000. The new rules will "make critical updates" that "help protect the privacy of customers' financial data."

"Over the last 24 years, the nature, scale and impact of data breaches has transformed substantially," Gensler said.

According to the SEC, the updates aim to "modernize and enhance the rules that govern the treatment of consumers' nonpublic personal information" by covered institutions. The regulations also direct investment companies and advisers to address the growing use of technology "and the risks it imposes" across the financial sector.

The SEC voted in July 2023 to require publicly traded companies to disclose "material cybersecurity incidents" within four days of discovery (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

The latest incident reporting requirements will take effect 60 days after their publication in the Federal Register, and larger entities will have 18 months after that date to ensure compliance. Smaller entities will have 24 months to comply with the new rules.

About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.